Saudi Arabia’s Authority for Data and Artificial Intelligence has published the Implementing Regulations to the Data Protection Law (Saudi Arabia Cabinet Decision No. 98/1443). Saudi Arabia Administrative Decision No. 1516/1445 will come into force on 14 September 2023.
The published regulations omit the definition of secondary use, but retain the concept of secondary processing and its special requirements. They have also omitted the legal basis requirement for exercising rights.
In addition, they have omitted Article 33 on the transfer or disclosure of data to an entity outside of the Kingdom and Article 3 on the legal basis for processing. Finally, pseudonymisation will now be known as coding.
They will be published in the Official Gazette.
The Authority has also published Regulations on cross-border transfers. Under Saudi Arabia Administrative Decision No. 1517/1445, controllers should check and ensure there are appropriate conditions that allow the transfer or disclosure outside Saudi Arabia and provide adequate protection to the personal data and the data subject’s rights.
They must limit the transfer or disclosure of personal data outside Saudi Arabia to the minimum necessary to achieve the transfer or disclosure purpose. This will be determined using data maps which indicate the need to transfer or disclose each piece of data and link it to each processing purpose outside the country. The requirements also apply to metadata, operational data, backup data, monitoring systems data, support data and data derived from personal data which directly or indirectly identifies a data subject.