Comparing privacy laws: GDPR v. PDPL

About the authors
OneTrust DataGuidance provides a suite of privacy solutions designed to help organisations monitor regulatory developments, mitigate risk and achieve global compliance. The OneTrust DataGuidance platform includes focused guidance around core topics (i.e. GDPR, data transfers, breach notification, among others), Cross-Border Charts which allow you to compare regulations across multiple jurisdictions at a glance, a daily customised news service and expert analysis. These tools, along with our in-house analyst service to help with your specific research questions, provide a cost-effective and efficient solution to design and support your privacy programme.

Image production credits:
Cover/p.5/p.51: Poligrafistka / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com
Scale key p6-49: enisaksoy / Signature collection / istockphoto.com
Icon p.33-40: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.47-51: cnythzl / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com

Table of contents
Introduction
1. Scope
1.1. Personal scope
1.2. Territorial scope
1.3. Material scope
2. Key definitions
2.1. Personal data
2.2. Pseudonymisation
2.3. Controllers and processors
2.4. Children
2.5. Research
3. Legal basis
4. Controller and processor obligations
4.1. Data transfers
4.2. Data processing records
4.3. Data protection impact assessment
4.4. Data protection officer appointment
4.5. Data security and data breaches
4.6. Accountability
5. Individuals' rights
5.1. Right to erasure
5.2. Right to be informed
5.3. Right to object
5.4. Right of access
5.5. Right not to be subject to discrimination
5.6. Right to data portability
6. Enforcement
6.1. Monetary penalties
6.2. Supervisory authority
6.3. Civil remedies for individuals
Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect on 25 May 2018, and governs the protection of personal data in EU and EEA Member States. Saudi Arabia's first data protection law, namely the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL') (only available in Arabic), was published in the Official Gazette on 24 September 2021 and takes effect on 23 March 2022. Notably, the implementing decree of the law provides for an 18-month transition period for data controllers to achieve compliance from the date of its publication in the Official Gazette. However, this date may be delayed, as determined by the Saudi Data & Artificial Intelligence Authority ('SDAIA'), for a period of up to five years for companies located outside the Kingdom of Saudi Arabia that process personal data of Saudi Arabian residents.

The PDPL has many similarities with the GDPR and often uses the same general concepts, as well as the same language on occasion, particularly with regard to data processing principles and data subject rights. While these foundations are largely mirrored between the two pieces of legislation, there are several key, nuanced differences. For instance, the PDPL provides less detailed information on the exercise of data subject rights, more restrictive data transfer obligations, and registration obligations on controllers. Notably, unlike the GDPR, the PDPL has less extensive principles and legal bases for processing personal data, with emphasis on consent as a requirement for lawful processing. Furthermore, the PDPL notes throughout that the 'executive regulations' shall add further detail to various provisions of the PDPL.

Please note that the SDAIA issued, on 10 March 2022, in collaboration with the National Data Management Office ('NDMO'), the Draft Executive Regulations for the PDPL, and launched a public consultation on the same which ends on 25 March 2022. Once finalised, the executive regulations will be included within this comparison.

The overview organises provisions from the GDPR and the PDPL into key topics and sets them alongside each other to enable analysis and comparison. Each section begins with a detailing of principal information and a general introduction, as well as consistency ratings as measured against the GDPR.

Introduction (cont'd)

Structure and overview of the Guide
This Guide provides a comparison of the two legislative frameworks on the following key provisions:
1. Scope
2. Key definitions
3. Legal basis
4. Controller and processor obligations
5. Individuals' rights
6. Enforcement

Each topic includes relevant provisions from the two legal frameworks, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and PDPL.

Key for giving the consistency rate
Consistent: The GDPR and PDPL bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.
Fairly consistent: The GDPR and PDPL bear a high degree of similarity in the rationale, core, and the scope of the provision considered; however, the details governing its application differ.
Fairly inconsistent: The GDPR and PDPL bear several differences with regard to the scope and application of the provision considered; however, its rationale and core present some similarities.
Inconsistent: The GDPR and PDPL bear a high degree of difference with regard to the rationale, core, scope, and application of the provision considered.

Usage of the Guide
This Guide is general and informational in nature, and is not intended to provide, and should not be relied on as a source of, legal advice. The information and materials provided in the Guide may not be applicable in all (or any) situations and should not be acted upon without specific legal advice based on particular circumstances.

1. Scope

1.1. Personal scope
Fairly consistent

The PDPL includes similar core concepts as the GDPR and refers to data controllers, data processors, and data subjects. Like the GDPR, the PDPL also includes public bodies within its scope. The GDPR and the PDPL differ, however, in that the latter does not refer to the nationality or place of residence of data subjects and does not exclude the personal data of deceased persons from its scope. Moreover, the definition of 'data subject' in the PDPL extends to the representative or legal guardian of the person to whom the personal data relates.

Data Controller
GDPR, Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
PDPL, Article 1(18): 'controlling entity' means any public entity, and natural or legal person, that determines the purposes and means of the processing of personal data, whether it processes the personal data itself or by means of another processing entity.

Data Processor
GDPR, Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
PDPL, Article 1(19): 'processing entity' means any public entity, and natural or legal person, that processes personal data for the benefit of, and on behalf of, the controlling entity.

Data Subject
GDPR, Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PDPL, Article 1(16): 'personal data owner' means the individual to whom the personal data relates, his/her representative, or his/her legal guardian.

Public Bodies
GDPR, Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body.
PDPL, Article 1(71): Any ministry, department, public institution, public authority, or any independent public entity in the Kingdom, or any of its affiliated entities.

Nationality of Data Subjects
GDPR, Recital 14: The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
PDPL, Article 2(1): The PDPL applies to any processing of personal data related to individuals in the Kingdom by any means, including processing personal data related to individuals residing in the Kingdom by any means from any party outside the Kingdom.

Place of Residence
GDPR: See Recital 14 above.
PDPL: See Article 2(1) above.

Deceased Individuals
GDPR, Recital 27: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
PDPL: Article 2(1) of the PDPL expressly notes that it is applicable to the processing of personal data of a deceased person, if that personal data identifies the deceased or a member of their family.
1.2. Territorial scope
Fairly consistent

The GDPR establishes specific extraterritorial application for certain processing activities, while the PDPL establishes the same for entities processing personal data that relates to residents of Saudi Arabia.

Establishment in Jurisdiction
GDPR, Article 3: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Recital 22: Establishment implies the effective and real exercise of activity through stable arrangements.
PDPL, Article 2(1): The PDPL applies to any processing of personal data related to individuals in the Kingdom by any means, including processing personal data related to individuals residing in the Kingdom by any means from any party outside the Kingdom, inclusive of personal data of deceased persons, if such data is capable of identifying him/her or a member of their family.

Extraterritorial
GDPR: See Recital 22 above.
PDPL: See Article 2(1) above.

Goods & Services from Abroad
GDPR, Recital 23: In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
PDPL: The PDPL does not explicitly refer to goods and services from abroad.

Monitoring from Abroad
GDPR, Recital 24: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
PDPL: The PDPL does not explicitly refer to monitoring from abroad.

1.3. Material scope
Fairly consistent

The PDPL is generally similar to the GDPR in its material scope, and both apply to comparable concepts of personal data, data processing, special categories of data, and processing by automated or non-automated means. They are also both aligned in that they exempt the processing of personal data for personal use from their scope.

Personal Data/Personal Information
GDPR, Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PDPL, Article 1(4): 'personal data' means any information through which an individual may be directly or indirectly identified, including name, social security number, numbers, addresses, bank account and credit card details, and pictures. Article 2(1): 'personal data' includes the data of a deceased person, if such data would lead to his/her identification or a family member's identification.

Data Processing
GDPR, Article 4(2): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
PDPL, Article 1(5): 'processing' means any operation which is performed on personal data, whether manual or automated, including collection, recording, keeping, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publishing, sharing, blocking, erasure, or destruction.

Special Categories of Data
GDPR, Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
PDPL, Article 1(11): Personal data relating to a person's ethnic or tribal origin, or religious, intellectual, or political belief, or indicates his/her membership in non-governmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates a person's parent or parents are unknown.

Anonymised Data
GDPR, Recital 26: The principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
PDPL: The PDPL does not explicitly refer to anonymised data.

Pseudonymised Data
GDPR, Article 4(5): 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
PDPL: The PDPL does not explicitly refer to pseudonymised data.

Automated Processing
GDPR, Article 2(1): This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
PDPL, Article 1(5): 'processing' means any operation which is performed on personal data, whether manual or automated, including collection, recording, keeping, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publishing, sharing, blocking, erasure, or destruction.

General Exemptions
GDPR, Article 2(2): This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union; or (c) by a natural person in the course of a purely personal or household activity. [See also Recital 26, above]
PDPL, Article 2(2): This law does not apply to the processing of personal data for personal or family use, as long as it is not shared and disclosed to others. [Note: Article 2(2) further provides that the meaning of 'personal use' and 'family use' shall be determined by the executive regulations to the PDPL.]
2. Key definitions

2.1. Personal data
Fairly consistent

Definitions under the PDPL are in close alignment with those of the GDPR; however, there are minor differences, particularly in relation to special categories of data, e.g. the PDPL's reference to tribal origins, credit data, and data indicating whether an individual's parents are unknown.

Personal Data/Personal Information
GDPR, Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PDPL, Article 1(4): 'personal data' means any information through which an individual may be directly or indirectly identified, including name, social security number, numbers, addresses, bank account and credit card details, and pictures.

Special Categories of Data
GDPR, Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
PDPL, Article 1(11): Personal data relating to a person's ethnic or tribal origin, or religious, intellectual, or political belief, or indicates his/her membership in non-governmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates a person's parent or parents are unknown.

Online Identifiers
GDPR, Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
PDPL: The PDPL does not explicitly refer to online identifiers.

2.2. Pseudonymisation
Inconsistent

Unlike the GDPR, the PDPL does not make explicit reference to either anonymisation or pseudonymisation.

Anonymisation
GDPR, Recital 26: 'anonymous information' is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
PDPL: The PDPL does not explicitly refer to anonymised data.

Pseudonymisation
GDPR, Article 4(5): 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
PDPL: The PDPL does not explicitly refer to pseudonymised data; however, Article 18(1) provides that the controlling entity shall erase the personal data it possesses as soon as the purpose of its processing terminates, unless the personal data is kept in an anonymised form ensuring that data subjects cannot be identified in accordance with the controls specified by the Regulations.
2.3. Controllers and processors
Fairly consistent

The definitions within the PDPL closely mirror those of the GDPR for data controllers, processors, Data Protection Impact Assessments ('DPIA'), and data protection officers ('DPO'); however, the GDPR provides more detail on requirements regarding controller and processor contracts.

Data Controller
GDPR, Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
PDPL, Article 1(18): 'controlling entity' means any public entity, and natural or legal person, that determines the purposes and means of the processing of personal data, whether it processes the personal data itself or by means of another processing entity.

Data Processor
GDPR, Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
PDPL, Article 1(19): 'processing entity' means any public entity, and natural or legal person, that processes personal data for the benefit of, and on behalf of, the controlling entity.

Controller and Processor Contracts
GDPR, Article 28(3): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. [Article 28 goes on to stipulate necessary information to be included in such a contract.]
PDPL, Article 8: Taking into account what the law and regulations stipulate regarding the disclosure of personal data, the controlling entity, when choosing a processing entity, must be committed to choose an entity that provides appropriate guarantees for the implementation of the provisions of the law and its executive regulations, and must continuously review the relevant entity's compliance with its instructions on all matters related to the protection of personal data, in a manner that does not conflict with the provisions of the law and the regulations, and without prejudice to its responsibilities towards the personal data owner or competent authority, as the case may be. The regulations shall set out the necessary provisions for this, including provisions relating to any subsequent contracts made by the processing entity.

Data Protection Impact Assessment ('DPIA')
GDPR: DPIA is not specifically defined; however, Article 35 sets out requirements for DPIAs (see section 4.3. for further information).
PDPL: DPIA is not specifically defined; however, Article 22 sets out a requirement for DPIAs (see section 4.3. for further information).

Data Protection Officer ('DPO')
GDPR: DPO is not specifically defined; however, Article 37 sets out requirements related to DPOs (see section 4.4. for further information).
PDPL: DPO is not specifically defined; however, Article 30 sets out requirements related to DPOs (see section 4.4. for further information).

2.4. Children
Inconsistent

Unlike the GDPR, the PDPL does not refer to the offering of information society services directly to a child, nor does it provide an age threshold for processing data without the consent of the holder of parental responsibility.

Children's Definition
GDPR: The GDPR does not specifically define 'child'. However, Article 8(1) provides: Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
PDPL: The PDPL does not explicitly address children's data.

Consent for Processing Children's Data
GDPR, Article 8(2): The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
PDPL: The PDPL does not explicitly provide for consent in relation to children's personal data; however, Article 5 provides that: Except as stipulated by the law, personal data should not be processed, or the purposes of its processing changed, unless consent is obtained by its owner. The regulations shall set out the conditions of consent, when it must be in writing, and the terms and conditions related to obtaining the consent of a legal guardian, if the data subject does not have the capacity to do so.

Privacy Notice
GDPR, Recital 58: Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
PDPL, Article 12: The controlling entity must put in place a personal data privacy policy and make it available to data subjects to review before collecting their data. The policy shall include the purpose of its collection, the categories of personal data collected, the means of collection, storage, processing, erasure, as well as data subject rights and how to exercise them.
2.5. Research
Fairly inconsistent

Both the GDPR and the PDPL provide for processing of personal data for research purposes; however, each sets its own requirements and allowances with regard to processing personal data. In particular, the GDPR requires appropriate safeguards to be implemented for processing to take place, while the PDPL provides for certain circumstances where personal data may be processed without the consent of the data subject.

Scientific/Historical Research Definition
GDPR, Recital 159: Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. Recital 160: Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.
PDPL: While the PDPL does not specifically define what is meant by scientific/historical research, Article 27 provides that: Personal data may be collected or processed for scientific, research, or statistical purposes, without the consent of its owner, in the following cases:
• if the personal data does not specifically indicate the identity of the data subject;
• if everything indicating the identity of the data subject specifically will be destroyed during its processing, and before disclosing it to any other party, and such data is not sensitive data; or
• if the collection or processing of personal data for these purposes is required by another law or in implementation of an earlier agreement to which the data subject is a party.

Compatibility with Original Purpose of Collection
GDPR, Article 5(1)(b): Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation').
PDPL: See Article 27 above. Article 5 provides that: Except as stipulated by the law, personal data should not be processed, or the purposes of its processing changed, unless consent is obtained by its owner […]. Furthermore, Article 10 provides for specific circumstances where the controlling entity may collect personal data from other than its owner or process it for a purpose other than that for which it is collected. Article 11(1) provides that: the purpose of collecting personal data must be directly related to the stated purposes of the controlling entity and must not conflict with any provision of the law.

Appropriate Safeguards
GDPR, Article 89(1): Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.
PDPL: The PDPL does not expressly address safeguards in relation to processing for scientific or historical research purposes.

Data Subject
GDPR: Under Article 17(3), the right to erasure may not
PDPL: The PDPL does not expressly address

3. Legal basis
Fairly consistent

While the GDPR provides for six legal grounds for processing personal data, the PDPL recognises consent as the main legal basis for data processing and provides for exceptions to consent in certain circumstances. In addition, the PDPL specifies several conditions for lawful processing of personal data that are in close alignment with those of the GDPR.

Legal Grounds
GDPR, Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
PDPL, Article 5(1): Except for the cases stipulated in the PDPL, personal data may not be processed or the purpose of its processing changed without the consent of its owner. The regulations shall set out the conditions for consent, the conditions in which the consent must be in writing, and the terms and conditions for obtaining consent from the legal guardian if the personal data owner is incompetent.
Article 6: The processing of personal data is not subject to the consent in the following cases: (1) When the processing achieves a real interest for the data subject and contact with them is impossible or difficult to achieve; (2) When the processing is under another system or in implementation of a previous agreement to which the owner of the personal data is a party; and (3) If the controller is a public entity, and such processing is required for security purposes or to satisfy judicial requirements.
Article 10: The controlling entity may collect personal data from its owner directly, and such data may only be processed to achieve the purpose for which it was collected. The controlling entity may however collect personal data from sources other than the data subject, or process personal data for purposes other than those for which it was collected, in the following circumstances:
• if the data subject agrees to this, in accordance with the provisions of the law;
• if the personal data is publicly available, or if it was collected from a publicly available source;
• if the controlling entity is a public entity, and the collection of personal data from other than its owner directly, or processing it for a purpose other than that for which it is collected, is required for security purposes, to implement another law, or to meet judicial requirements in accordance with the provisions set out by the regulations;
• if compliance with this prohibition may harm the data subject or affect his vital interests, in accordance with the provisions set out by the regulations;
• if the collection or processing of personal data is necessary to protect public health or safety,
apply in cases of scientific or historical research. processing for research purposes in relation or to protect the life or health of particular
Rights Article 21(6), however, provides that data subjects to particular data subject rights. individual(s). The regulations set out the
(Research) may exercise the right to object to data processing controls and procedures related thereof; and
for scientific or historical research purposes. In • if the personal data will not be recorded or kept in
addition, Article 89 provides that Member States may a form that makes it possible to identify or know
derogate from the GDPR in regard to data subject its owner directly or indirectly. The regulations set
rights and data processing for research purposes. out the controls and procedures related thereto.

Article 11 further outlines conditions for


lawful processing of personal data.

14 15
GDPR PDPL
Sensitive Data (Legal Basis)
GDPR: There are specific requirements for processing special categories of data, see Article 9 of the GDPR for further information.
PDPL: The PDPL does not provide for specific requirements for processing special categories of data.

Conditions for Consent
GDPR: Article 7(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Article 4(11): 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
PDPL: Article 5(1): Except as provided for in the PDPL, personal data may not be processed, or the purposes changed, unless the consent of the concerned data subject is obtained. (2) In all cases, the data subject may withdraw his/her consent referred to in Article 5(1) at any time, and the regulations shall specify the relevant provisions thereof. Article 7: The consent referred to in Article 5(1) of the law may not be a condition for the provision of a service or benefit, unless the processing of personal data for which the consent is obtained is related to the service or benefit.

Journalism/Artistic Purposes
GDPR: Article 85(1): Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
PDPL: The PDPL does not expressly address journalism/artistic purposes.

4. Controller and processor obligations

4.1. Data transfers
Fairly inconsistent

The GDPR and PDPL differ in their data transfer requirements, with the PDPL adopting a restrictive starting point, prohibiting transfers of personal data outside Saudi Arabia. Notably, the supplementary regulations to the PDPL shall set out other purposes for which the transfer of personal data outside the Kingdom may be permitted, which may bring the law in closer alignment with the GDPR.

Adequate Protection
GDPR: Article 45(1): A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
PDPL: Article 29: Except in cases of extreme necessity relating to a threat to the life of the data subject, controllers may not transfer personal data outside the Kingdom unless the transfer is required to comply with an agreement to which the Kingdom is party, to serve Saudi interests, or for other purposes set out in the Regulations, provided that the following conditions set in Articles 29(1) to (4) are met:
• the data transfer must not prejudice national security or the Kingdom's vital interests;
• the transferring entity must provide adequate guarantees for protecting the personal data that will be transferred or disclosed and maintain its confidentiality, so that the data protection standards are not less than the standards stipulated in the PDPL and executive regulations;
• the transfer must be restricted to the minimum personal data that is necessary for its purpose; and
• the competent authority must approve the transfer.
[Note: Article 29 further notes that except for the condition of Article 29(1), the competent authority can excuse a controller, on a case-by-case basis, from compliance with any of the other conditions in Article 29, if the competent authority itself or in cooperation with other bodies, assesses that the personal data will be accorded with sufficient safeguards outside the Kingdom and so long as no sensitive personal data is included.]

Other Mechanisms for Data Transfers
GDPR: Article 46(1): In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. (2) The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in
PDPL: The PDPL does not explicitly refer to any other data transfer mechanisms. [Note: Article 29 provides that the regulations may set out further purposes for which data transfers outside the Kingdom may be permitted.]
Other Mechanisms for Data Transfers (cont'd)
GDPR: Article 93(2); (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights. (3) Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Data Localisation
GDPR: Not applicable.
PDPL: The PDPL does not explicitly refer to data localisation; however, Article 29 provides for a restrictive approach to transferring data abroad.

4.2. Data processing records
Fairly consistent

The GDPR requires both controllers and processors to maintain data processing records, whereas the PDPL only explicitly outlines this obligation in relation to controllers. The GDPR also outlines more extensive requirements in relation to the information that should be included in processing records.

Data Controller Obligation
GDPR: Article 30(1): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; (f) where possible, the envisaged time limits for erasure of the different categories of data; and (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
PDPL: Article 31: the controlling entity is required to keep records of its processing activities for a period determined by the Regulations depending on the nature of the processing activity, and available upon request by the competent authority, and shall as a minimum include the following:
• contact details of the controlling entity;
• the purpose of processing personal data;
• a description of the categories of data subjects;
• any party to which personal data has been, or will be, disclosed;
• whether personal data has been, or will be, transferred outside the Kingdom or disclosed to a party outside the Kingdom; and
• the period of time expected for keeping personal data.

Data Processor Obligation
GDPR: Article 30(2): Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: (a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; (b) the categories of processing carried out on behalf of each controller; (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; and (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
PDPL: The PDPL does not explicitly reference processing entities with regards to the record keeping obligation.

Records Format
GDPR: Article 30(3): The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
PDPL: The PDPL does not explicitly refer to the format of records. However, Article 32(3) provides that: A special record shall be allocated in the portal for each controlling entity in which the records referred to in Article 31 of the law and other necessary documents or information related to the processing of personal data shall be recorded.

Required to Make Available
GDPR: Article 30(4): The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
PDPL: Article 31: the controlling entity shall make personal data processing records available to the competent authority when requested.
Exemptions
GDPR: Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
PDPL: The PDPL does not explicitly refer to any exemptions in relation to records of personal data activities.

General Data Processing Notification Required ('DPN')
GDPR: Not applicable.
PDPL: Article 32(1): The competent authority shall establish an electronic portal for the purpose of building a national record of controlling entities, which aims to monitor and follow up on the compliance of these entities with the provisions of the law and the regulations, […]. (2) All controlling entities are required to register in the portal referred to in Article 32(1), and the competent authority shall collect a fixed annual fee, not exceeding SAR 100,000 (approx. €22,800), for registration of controlling entities […].

4.3. Data protection impact assessment
Fairly consistent

The DPIA requirements under the GDPR are similar to those of the PDPL, although the former is more detailed in relation to the content and manner of carrying out DPIAs. However, further details in relation to the PDPL may be provided by the executive regulations once issued.

When is a DPIA Required
GDPR: Article 35(1): Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. […] (3) A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
PDPL: Article 22: The controlling entity shall conduct an assessment of the consequences of processing personal data for their processing activities according to the nature of the controlling entity's processing activity, and the Regulations shall specify the necessary provisions thereof.

DPIA Content Requirements
GDPR: Article 35(7): The assessment shall contain at least: (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
PDPL: The PDPL does not explicitly refer to any content requirements; however, Article 22 provides that the regulations shall specify the necessary provisions relating to the obligation.

Consultation with Authority
GDPR: Article 36(1): The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. [Article 36 goes on to detail requirements related to such prior consultation.]
PDPL: The PDPL does not explicitly require consultation with the competent authority.
4.4. Data protection officer appointment
Fairly consistent

The DPO requirements under the GDPR are similar to those of the PDPL, although the GDPR is more detailed and sets out a list of tasks to be undertaken by the DPO as well as notification requirements. Further details in relation to the PDPL may be provided by the executive regulations once issued.

DPO Tasks
GDPR: Article 39(1): The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; (d) to cooperate with the supervisory authority; and (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
PDPL: The PDPL does not make express reference to DPO tasks; however, Article 30(2) provides that the Regulations shall set out further provisions relating to the appointment of a DPO.

When is a DPO Required
GDPR: Article 37(1): The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
PDPL: Article 30(2): The controlling entity shall appoint or designate one or more persons to be responsible for implementing the provisions of the law and the Regulations. The Regulations shall set out the provisions thereof. Notably, Article 33(2) provides that controlling entities that operate outside the Kingdom and process personal data of Saudi citizens must appoint a representative in the Kingdom that the competent authority can resort to regarding compliance with the applicable laws.

Group Appointments
GDPR: Article 37(2): A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
PDPL: The PDPL does not explicitly reference group appointments.

Notification of DPO
GDPR: Article 37(7): The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
PDPL: The PDPL does not explicitly provide for notification of DPOs.

Qualifications
GDPR: Article 37(5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
PDPL: The PDPL does not specify DPO qualifications.

4.5. Data security and data breaches
Fairly consistent

While there are several similarities between the PDPL and the GDPR, the PDPL does not clarify exceptions from breach notification requirements or processor notification requirements, is less clear in its definitions of security measures, and seems to provide for a shorter timeframe for breach notifications.

Security Measures Defined
GDPR: Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
PDPL: Article 19: The controlling entity shall take the necessary organisational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, in accordance with the provisions and controls specified by the regulations. [Note: the implementing decree to the PDPL notes that the competent authority, when preparing the regulations supplementing the PDPL, should consider establishing provisions and conditions relating to the technical and organisational measures attached to how personal data is kept by controllers, which should include the measures to safeguard personal data depending on its nature and sensitivity.]

Data Breach Notification to Authority
GDPR: Article 33(1): In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
PDPL: Article 20(1): The controlling entity shall notify the competent authority as soon as it becomes aware of a data security breach.

Timeframe for Breach Notification
GDPR: See Article 33(1) above.
PDPL: See Article 20(1) above.

Notifying Data Subjects of Data Breach
GDPR: Article 34(1): When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
PDPL: Article 20(2): The regulations shall determine in which circumstances controllers must inform data subjects of a security breach of their personal data. However, where such a breach may cause serious harm to the individual or their personal data, controllers must inform them immediately of the breach.

Data Processor Notification of Data Breach
GDPR: Article 33(2): The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
PDPL: The PDPL does not provide for processor notification of data breaches.

Exceptions
GDPR: Article 34(3): The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; (b) the controller has taken subsequent measures which ensure that
PDPL: The PDPL does not specify exceptions to the breach notification requirement.
Exceptions (cont'd)
GDPR: the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4.6. Accountability
Fairly inconsistent

The GDPR specifically provides for the principle of accountability and detailed obligations regarding the liability of controllers and processors, while the PDPL does not.

Principle of Accountability
GDPR: Article 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). [Paragraph 1 details the principles of: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.]
PDPL: The PDPL does not explicitly provide for the principle of accountability; however, the implementing decree to the PDPL provides that controlling entities shall take the necessary measures to hold work sessions and the like for their employees or workers, to introduce the terms and principles contained in the law after its entry into force […].

Liability of Data Controllers and Data Processors
GDPR: Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
PDPL: Article 40: Without prejudice to the imposition of penalties stipulated in the law, damages are available to data subjects for material and non-material loss in relation to breaches of any provisions of the law and/or the Regulations.
5. Rights

5.1. Right to erasure
Fairly consistent

Both the GDPR and the PDPL provide for the right to erasure. However, the GDPR provides additional legal grounds for exercising the right, as well as additional exceptions. The GDPR also provides more detail than the PDPL in relation to fees, timeframes, and the format of the response.

Grounds for Erasure
GDPR: Article 17(1): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
PDPL: Article 4: Data subjects, subject to the provisions of the law, have the following rights: […] (4) the right to request the erasure of personal data in possession of the controlling entity once the purposes for collecting the data have been exhausted and without prejudice to Article 18.

Inform Data Subject of Right
GDPR: Article 12(1): The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the
PDPL: Article 12: The controlling entity must put in place a personal data privacy policy and make it available to data subjects to review before collecting their data. The policy shall include

Response Timeframe (cont'd)
GDPR: ...data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Format of Response
GDPR: Article 12(1): The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
PDPL: See Article 21 above.

Publicly Available Data
GDPR: Article 17(2): Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
PDPL: The PDPL does not explicitly refer to publicly available data.

Exceptions
GDPR: Article 17(3): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims. Article 12(5): Information provided under Articles 13
PDPL: Article 4(4) provides that the right to erasure applies without prejudice to Article 18. Article 18(1): The controlling entity shall erase the personal data it possesses as soon as the purpose of its processing terminates, unless the personal data is kept in an anonymised form ensuring that data subjects cannot be identified in accordance with the controls specified by the Regulations. Article 18(2): The controlling entity shall keep the personal data even after the purpose of its collection has ceased in the following cases:
• if there is a legal justification that requires keeping it for a specific period, and in this case it shall be erased after the end of this period, or the purpose of its collection, whichever is longer; or
• if the personal data is closely related to a case pending before a judicial authority, and it is
data subject in a concise, transparent, intelligible and the purpose of its collection, the categories of and 14 and any communication and any actions taken required to be kept for this purpose, and in this
easily accessible form, using clear and plain language, personal data collected, the means of collection, under Articles 15 to 22 and 34 shall be provided case it shall be destroyed after completion of
in particular for any information addressed specifically means of storage, processing, erasure, as well as free of charge. Where requests from a data subject the judicial procedures related to the case.
to a child. The information shall be provided in writing, data subject rights and how to exercise them. are manifestly unfounded or excessive, in particular
or by other means, including, where appropriate, by because of their repetitive character, the controller may
electronic means. When requested by the data subject, either: (a) charge a reasonable fee taking into account
the information may be provided orally, provided that the the administrative costs of providing the information
identity of the data subject is proven by other means. or communication or taking the action requested; or
Fees Article 12(5): Information provided under Articles 13 Article 21: The controlling entity shall respond to (b) refuse to act on the request. The controller shall
and 14 and any communication and any actions taken the requests of data subjects regarding their rights bear the burden of demonstrating the manifestly
under Articles 15 to 22 and 34 shall be provided under the law within the period determined, and unfounded or excessive character of the request.
free of charge. Where requests from a data subject through the means set out, by the regulations.
are manifestly unfounded or excessive, in particular
because of their repetitive character, the controller may
either: (a) charge a reasonable fee taking into account
the administrative costs of providing the information
or communication or taking the action requested; or
(b) refuse to act on the request. The controller shall
bear the burden of demonstrating the manifestly
unfounded or excessive character of the request.
Response Article 12(3): The controller shall provide information See Article 21 above.
on action taken on a request under Articles 15 to 22
Timeframe to the data subject without undue delay and in any
event within one month of receipt of the request. That
period may be extended by two further months where
necessary, taking into account the complexity and
number of the requests. The controller shall inform the

28 29
GDPR PDPL

5.2. Right to be informed (Fairly consistent)

Both the GDPR and the PDPL provide for the right to be informed. However, the GDPR provides additional requirements as to what information needs to be provided to data subjects and makes a distinction between personal data obtained directly from the data subject and personal data obtained from a third party. The GDPR also provides additional requirements on intelligibility and format, as well as exceptions.

Informed Requirements Prior to/at Collection
GDPR: Article 13(1): Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. (2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
PDPL: Article 4: Data subjects, subject to the provisions of the law, have the following rights: (1) the right to be informed, and that includes informing the data subject of the legal or practical justification for the collection of the data, the purpose thereof, and that the data should not be processed at a later date in a manner inconsistent with the purposes for which it was collected or in a manner otherwise than as stipulated in Article 10 of the law.

What Information is to be Provided
GDPR: See Article 13(1) and (2) above.
PDPL: See Article 4(1) above.

When Data is from Third Party
GDPR: In addition to the information required under Article 13, Article 14(2) replaces the requirement that data subjects are provided with information on the legitimate interests pursued by the controller or by a third party with an obligation to inform data subjects of the categories of personal data. Furthermore, paragraph (e) of Article 13(2) is replaced with a requirement to inform data subjects of the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources.
PDPL: The PDPL does not explicitly address situations where data is obtained from a third party.

Intelligibility
GDPR: Article 12(1): The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
PDPL: Article 21: The controlling entity shall respond to the requests of data subjects regarding their rights under the law within the period determined, and through the means set out, by the regulations.

Format
GDPR: See Article 12(1) above.
PDPL: See Article 21 above.

Exceptions
GDPR: The requirements of Article 13 do not apply where the data subject already has the information. The requirements of Article 14 do not apply where: (a) the data subject already has the information; (b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or (d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
PDPL: The PDPL does not explicitly refer to any exceptions to the right to be informed.

5.3. Right to object (Inconsistent)

Unlike the GDPR, the PDPL does not provide for the right to object to processing of personal data.

Grounds for Right to Object/Opt Out
GDPR: Article 21(1): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

Withdraw Consent
GDPR: Article 7(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
PDPL: Article 5(2): In all cases, the data subject may withdraw the consent referred to in Article 5(1) of the PDPL at any time, and the regulations specify the appropriate procedure thereof.

Restrict Processing
GDPR: Article 18(1): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
PDPL: The PDPL does not explicitly provide for the right to restrict processing of personal data.

Object to Direct Marketing
GDPR: Article 21(3): Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
PDPL: The PDPL does not provide for the right to object to direct marketing.

Inform Data Subject of Right
GDPR: See Article 12(1) in section 5.1. above. In addition, Article 21(4) provides: At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

Fees
GDPR: See Article 12(5) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

Response Timeframe
GDPR: See Article 12(3) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

Format of Response
GDPR: See Article 12(1) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

Exceptions
GDPR: See Article 12(5) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to object to the processing of personal data.

5.4. Right of access (Fairly consistent)

Both the GDPR and the PDPL provide for the right of access to personal data. However, the PDPL provides less detail with regard to the information to be provided to data subjects in connection with exercising their right to access.

Grounds for Right of Access
GDPR: Article 15(1): The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
PDPL: Article 4: Data subjects, subject to the provisions of the law, have the following rights: […] (2) The right to access to his/her personal data that the controlling entity possesses, which includes accessing it, and obtaining a copy thereof, in a clear format that is identical to the content of the records and free of charge, as determined by the Regulations, without prejudice to the stipulations of the Credit Information Law regarding financial consideration, and without prejudice to Article 9 of the PDPL.

Information to be Accessed
GDPR: Article 15(1): The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; and (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
PDPL: See Article 4(2) above.

Inform Data Subject of Right
GDPR: See Article 12(1) in section 5.1.
PDPL: Article 12: The controlling entity must put in place a personal data privacy policy and make it available to data subjects to review before collecting their data. The policy shall include the purpose of its collection, the categories of personal data collected, the means of collection, means of storage, processing, erasure, as well as data subject rights and how to exercise them.

Fees
GDPR: See Article 12(5) in section 5.1.
PDPL: See Article 4(2) above.

Verify Data Subject Request
GDPR: Recital 64: The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
PDPL: The PDPL does not explicitly refer to verification of data subject requests.

Response Timeframe
GDPR: See Article 12(3) in section 5.1. above.
PDPL: Article 21: The controlling entity shall respond to the requests of data subjects regarding their rights under the law within the period determined, and through the means set out, by the Regulations.

Format of Response
GDPR: See Article 12(1) in section 5.1. above.
PDPL: See Articles 4(2) and 21 above.

Exceptions
GDPR: See Article 12(5) in section 5.1. above.
PDPL: The PDPL does not explicitly refer to any exceptions to the right of access.

5.5. Right not to be subject to discrimination (Fairly inconsistent)

Neither the GDPR nor the PDPL explicitly outlines a right not to be subject to discrimination. However, the GDPR does provide for the right not to be subject to a decision based solely on automated processing.

Definition of Right
GDPR: The GDPR only implies this right and does not provide an explicit definition for it.
PDPL: The PDPL does not explicitly provide for the right not to be subject to discrimination.

Automated Processing
GDPR: Article 22(1): The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. [Article 22 goes on to detail this right, including exceptions]
PDPL: The PDPL does not explicitly refer to data subject rights in relation to automated processing.

5.6. Right to data portability (Inconsistent)

Unlike the GDPR, the PDPL does not refer to a right to data portability.

Grounds for Portability
GDPR: Article 20(1): The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried out by automated means.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Inform Data Subject of Right
GDPR: See Article 12(1) in section 5.1.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Fees
GDPR: See Article 12(5) in section 5.1.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Response Timeframe
GDPR: See Article 12(3) in section 5.1.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Format
GDPR: See Article 20(1) in section 5.1.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Controller to Controller
GDPR: Article 20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Technically Feasible
GDPR: See Article 12(3) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to data portability.

Exceptions
GDPR: See Article 12(5) in section 5.1. above.
PDPL: The PDPL does not explicitly provide for the right to data portability.

6. Enforcement (Fairly inconsistent)

6.1. Monetary penalties

Despite both the GDPR and the PDPL providing for monetary penalties, the PDPL provides a maximum penalty of SAR 5 million (approx. €1,211,390), whereas the GDPR adopts a two-tier approach with regard to percentages of annual turnover or a fine of up to €20 million, whichever is higher. Notably, the PDPL sets out that the relevant court may also order confiscation of funds gained as a result of violations of the law and/or require publication of the judgment at the offender's expense.

Provides for Monetary Penalties
GDPR: The GDPR provides for monetary penalties.
PDPL: The PDPL provides for monetary penalties.

Issued by
GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers: […] (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.
PDPL: Article 35(2): The Public Prosecution is responsible for investigating and prosecuting before the competent court for the violations stipulated in this Article. (3) The competent court shall hear cases arising from the application of this Article and impose the prescribed penalties.
Article 36(2): The chairman of the competent authority shall form one or more committee(s) with no less than three members, one of whom shall be designated as the leader, and one as a legal or regulatory advisor, to take over inspection of violations and impose the relevant penalty warning or fine in accordance with Article 36(1) of the PDPL, according to the type of violation committed, its seriousness, and the extent of its consequences […].

Fine Maximum
GDPR: Article 83(5): Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects' rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). (6) Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
PDPL: Article 35(1): Without prejudice to a more severe penalty in another law, the penalty for committing the following violations shall be stated opposite to them: (a) the penalty in relation to disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million (approx. €726,000); and (b) the penalty in relation to violations of the data transfer provision in Article 29 of the PDPL may result in imprisonment for up to one year and/or a fine not exceeding SAR 1 million (approx. €242,000).
Article 36(1): […] For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million (approx. €1,211,390). [Note: Fines may be increased to up to double the stated maximums for repeat offences.]

Percentage of Turnover
GDPR: Under Article 83(4), (5), and (6), fines may be issued that equate to 2% or 4% of the total worldwide annual turnover of the preceding financial year.
PDPL: Not applicable.

Mitigating Factors
GDPR: Article 83(2): When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
PDPL: The PDPL does not explicitly provide for mitigating factors.

Imprisonment
GDPR: Not applicable.
PDPL: See Articles 35 and 36 above.

DPO Liability
GDPR: Not applicable.
PDPL: Not applicable.

6.2. Supervisory authority (Fairly consistent)

Both the GDPR and the PDPL provide for a data protection authority to give effect to the respective data protection laws; however, the GDPR provides more detail and specifies the powers and tasks thereof.

Notably, the implementing decree includes specific provisions regarding the data protection authority's cooperation and coordination with other authorities such as the Communications Information Technology Commission and the Saudi Central Bank, calling for the preparation of memorandums of understanding to regulate coordination between the authorities.

Provides for Data Protection Authority
GDPR: Article 51(1): Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ('supervisory authority').
PDPL: The implementing decree to the PDPL provides that the SDAIA shall be the competent authority for a period of two years, during which consideration shall be given, in light of the results of the application of the provisions of the PDPL and its regulations and in light of the level of maturity in the data sector, to transferring the supervisory role to the NDMO.

Investigatory Powers
GDPR: Article 58(1): Each supervisory authority shall have all of the following investigative powers: (a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; (b) to carry out investigations in the form of data protection audits; (c) to carry out a review on certifications issued pursuant to Article 42(7); (d) to notify the controller or the processor of an alleged infringement of this Regulation; (e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; (f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
PDPL: The PDPL does not explicitly refer to investigatory powers of the supervisory authority.

Corrective Powers
GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers: (a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (e) to order the controller to communicate a personal data breach to the data subject; (f) to impose a temporary or definitive limitation including a ban on processing; (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending
PDPL: The PDPL does not explicitly refer to corrective powers of the supervisory authority.

Corrective Powers (cont'd)
GDPR: on the circumstances of each individual case; (j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

Authorisation/Advisory Powers
GDPR: Article 58(3): Each supervisory authority shall have all of the following authorisation and advisory powers: (a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36; (b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data; (c) to authorise processing referred to in Article 36(5), […]
PDPL: The implementing decree to the PDPL provides that the competent authority shall, in coordination with such authorities it deems appropriate, conduct a continuous awareness campaign for personal data owners, as well as for the employees of the controlling entities or their employees, to clarify the rights and obligations contained in the PDPL after its entry into force.

Tasks of the Authority (cont'd)
GDPR: […] drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5); (n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5); (o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7); (p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; (q) conduct the accreditation of a body for […]
PDPL: […] proposing any necessary amendments, within five years from the date of its entry into force, and submitting the necessary recommendations for completing the required actions. Eleventh: The competent authority shall, within a period not exceeding one year from the date of entry into force of the Law, and in coordination with such relevant authorities as it deems appropriate, review the provisions of the relevant laws, decisions, and regulations that deal with provisions related to the protection of personal data of individuals, propose amendments thereto in accordance […]
if the law of the Member State requires such prior monitoring codes of conduct pursuant to Article 41 with the provisions of the Law, and submit
authorisation; (d) to issue an opinion and approve and of a certification body pursuant to Article 43; (r) recommendations on aspects regarding which
draft codes of conduct pursuant to Article 40(5); (e) to authorise contractual clauses and provisions referred legal actions are required to be completed.
accredit certification bodies pursuant to Article 43; (f) to to in Article 46(3); (s) approve binding corporate
issue certifications and approve criteria of certification rules pursuant to Article 47; (t) contribute to the Twelfth: The competent authority shall, when
in accordance with Article 42(5); (g) to adopt standard activities of the Board; (u) keep internal records of preparing the Regulations of the Law, take into
data protection clauses referred to in Article 28(8) infringements of this Regulation and of measures taken account the development of provisions and controls
and in point (d) of Article 46(2); (h) to authorise in accordance with Article 58(2); and (v) fulfil any other related to the organisational, administrative, and
contractual clauses referred to in point (a) of Article tasks related to the protection of personal data. technical procedures and means related to storing
46(3); (i) to authorise administrative arrangements personal data with the controlling entities in a
referred to in point (b) of Article 46(3); (j) to approve manner that ensures the preservation of personal
binding corporate rules pursuant to Article 47. data according to its nature and degree of sensitivity,
based on the provisions of Article 19 of the Law.
Tasks of Article 57(1): Without prejudice to other tasks set out The implementing decree to the PDPL provides
under this Regulation, each supervisory authority shall that:[…] Sixth: The competent authority shall Annual Report Article 59: Each supervisory authority shall draw up The PDPL does not make explicit
Authority on its territory: (a) monitor and enforce the application coordinate with the Saudi Central Bank to prepare a an annual report on its activities, which may include reference to annual reports.
of this Regulation; (b) promote public awareness and Memorandum of Understanding to regulate aspects a list of types of infringement notified and types of
understanding of the risks, rules, safeguards and related to the application of the provisions of the measures taken in accordance with Article 58(2). Those
rights in relation to processing. Activities addressed Law and its Regulations in the entities subject to the reports shall be transmitted to the national parliament,
specifically to children shall receive specific attention; regulatory supervision of the Saudi Central Bank, to the government and other authorities as designated
(c) advise, in accordance with Member State law, determine the role of each, so that competencies by Member State law. They shall be made available
the national parliament, the government, and other do not overlap, and to maintain the independence to the public, to the Commission and to the Board.
institutions and bodies on legislative and administrative of the Saudi Central Bank […], and the preparation of
measures relating to the protection of natural persons' the memorandum should be completed and signed
rights and freedoms with regard to processing; (d) concurrently with the entry into force of the Law.
promote the awareness of controllers and processors of
their obligations under this Regulation; (e) upon request, Seventh: the competent authority shall cooperate
provide information to any data subject concerning with the Communications and Information
the exercise of their rights under this Regulation and, if Technology Commission to prepare a Memorandum
appropriate, cooperate with the supervisory authorities of Understanding to regulate some aspects related
in other Member States to that end; (f) handle complaints to the application of the provisions of the Law
lodged by a data subject, or by a body, organisation and its Regulations in the entities subject to the
or association in accordance with Article 80, and Regulation of the Communications and Information
investigate, to the extent appropriate, the subject Technology Commission, and to prevent any
matter of the complaint and inform the complainant impact on the Communications and Information
of the progress and the outcome of the investigation Technology Commission's role as an independent
within a reasonable period, in particular if further regulatory authority that supervises sensitive
investigation or coordination with another supervisory sectors related to the personal transactions of
authority is necessary; (g) cooperate with, including individuals, and to enhance the stability and
sharing information and provide mutual assistance to, growth of the sectors it supervises, and the
other supervisory authorities with a view to ensuring memorandum should be completed and signed
the consistency of application and enforcement of this concurrently with the entry into force of the Law.
Regulation; (h) conduct investigations on the application
of this Regulation, including on the basis of information Eighth: The competent authority shall, in
received from another supervisory authority or other coordination with such authorities it deems
public authority; (i) monitor relevant developments, appropriate, conduct a continuous awareness
insofar as they have an impact on the protection campaign for personal data owners, as well as for
of personal data, in particular the development of the employees of the controlling entities, or their
information and communication technologies and employees, to clarify the rights and obligations
commercial practices; (j) adopt standard contractual contained in the Law after its entry into force.
clauses referred to in Article 28(8) and in point (d) of
Article 46(2); (k) establish and maintain a list in relation to Tenth: The competent authority shall, in coordination
the requirement for data protection impact assessment with the relevant authorities it deems appropriate,
pursuant to Article 35(4); (l) give advice on the processing evaluate the results of the application of the
operations referred to in Article 36(2); (m) encourage Law and provide relevant feedback, including

40 41
6.3. Civil remedies for individuals
Fairly consistent

Both the GDPR and the PDPL provide civil remedies for data subjects; however, the GDPR contains additional provisions on data subject representation for lodging complaints, processor liability, and exceptions to liability.

Provides for Claims/Cause of Action

GDPR: Article 79: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

PDPL: Article 34: The data subject may file any complaint arising from the application of the Law and the Regulations with the competent authority. The Regulations specify the controls for the competent authority's handling of complaints filed by data subjects.

Material and Non-Material Damage

GDPR: Article 82(1): Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

PDPL: Article 40: Without prejudice to the imposition of penalties stipulated in the law, damages are available to data subjects for material and non-material loss in relation to breaches of any provisions of the law and/or the Regulations.

Mandate for Representation

GDPR: Article 80(1): The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

PDPL: The PDPL does not explicitly refer to representation.

Specifies Amount for Damages

GDPR: Not applicable.

PDPL: Not applicable.

Processor Liability

GDPR: Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

PDPL: The PDPL does not explicitly mention processor liability.

Exceptions

GDPR: Article 82(3): A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

PDPL: The PDPL does not explicitly refer to exceptions from liability.
