Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), although not codified, are the primary source of law in the Kingdom of Saudi Arabia (KSA). In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by the government.
At this time, there is no specific data protection legislation in place in the KSA (although we understand that a new freedom of information and protection of private data law is under review by the formal advisory body of KSA, the Shura Council). Shari'a principles generally protect the privacy and personal data of individuals.
That said, there are certain secular regulations passed by the government which, although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts.
There may also be specific regulations applicable to certain industries, for example, in banking, which is regulated by the Saudi Arabian Monetary Authority (SAMA).
Definition of personal data
In the absence of specific data protection legislation, there is no definition of personal data.
Definition of sensitive personal data
In the absence of specific data protection legislation, there is no definition of sensitive personal data.
There is no national data protection authority in the KSA.
In the absence of a national data protection authority, there are no data protection registration requirements in the KSA.
There is no requirement in the KSA for organizations to appoint a data protection officer.
There is no concept of data controller or data processor in the KSA.
There is no specific data protection legislation in place in the KSA.
In certain contexts or sectors, specific approvals may be required—for example, in a banking context, approval from SAMA.
There is currently no dedicated data protection legislation imposing specific security requirements.
There is no dedicated data protection regulation imposing a mandatory requirement to report data security breaches. However, notification obligations may be triggered in specific contexts / sectors – for example, cloud services providers may be required to report security breaches to the Communications and Information Technology Commission depending upon the circumstances.
At this time, there is no clear designated authority responsible for the enforcement of data protection and privacy equivalent to, say, the Information Commissioner in the United Kingdom. That said, specific authorities are tasked with enforcing breaches of other legislation that is in place in the KSA.
Electronic marketing is regulated by the Communications and Information Technology Commission, and is subject to various requirements. Additional requirements may also apply in specific contexts – for example, in the context of e-commerce activity.