DLA Piper Intelligence

Data Protection
Laws of the World

Electronic Marketing

Electronic marketing is regulated by the Communications and Information Technology Commission, and is subject to various requirements. Generally, it is advisable to obtain prior consent before sending electronic marketing messages to individuals in KSA.

Last modified 25 Jan 2019
Law
Saudi Arabia

Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the Kingdom of Saudi Arabia (KSA). In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by the government.

At this time, there is no specific data protection legislation in place in the KSA (although we understand that a new freedom of information and protection of private data law is under review by the formal advisory body of KSA, the Shura Council). Shari'a principles generally protect the privacy and personal data of individuals.

That said, there are certain secular regulations passed by government, which, although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts. 

There may also be specific regulations applicable to certain industries, for example, in banking, which is regulated by the Saudi Arabian Monetary Authority (SAMA).

Last modified 25 Jan 2019
Definitions

Definition of personal data

In the absence of specific data protection legislation, there is no definition of personal data.

Definition of sensitive personal data

In the absence of specific data protection legislation, there is no definition of sensitive personal data.

Last modified 25 Jan 2019
Authority

There is no national data protection authority in the KSA.

Last modified 25 Jan 2019
Registration

In the absence of a national data protection authority, there are no data protection registration requirements in the KSA.

Last modified 25 Jan 2019
Data Protection Officers

There is no requirement in the KSA for organizations to appoint a data protection officer.

Last modified 25 Jan 2019
Collection & Processing

There is no concept of data controller or data processor in the KSA.

Last modified 25 Jan 2019
Transfer

There is no specific data protection legislation in place in the KSA.

In certain contexts or sectors, specific approvals may be required—for example, in a banking context, approval from SAMA.

Last modified 25 Jan 2019
Security

There is currently no dedicated date protection legislation imposing specific security requirements.

Last modified 25 Jan 2019
Breach Notification

There are no dedicated data protection regulations imposing a mandatory requirement to report data security breaches.

Last modified 25 Jan 2019
Enforcement

At this time, there is no clear designated authority responsible for the enforcement of data protection and privacy equivalent to, say, the Information Commissioner in the United Kingdom. That said, specific authorities are tasked with enforcing breaches of other legislation that is in place in the KSA.

Last modified 25 Jan 2019
Electronic Marketing

Electronic marketing is regulated by the Communications and Information Technology Commission, and is subject to various requirements. Generally, it is advisable to obtain prior consent before sending electronic marketing messages to individuals in KSA.

Last modified 25 Jan 2019
Online Privacy

There is no specific legislation in the KSA that expressly regulates the use of cookies.

Last modified 25 Jan 2019
Contacts
Mohamed Moussallati
Mohamed Moussallati
Senior Legal Consultant
T +966 11 201 8900
Last modified 25 Jan 2019