Saudi Data Protection and Compliance (Part 1)

Published: 2024-09-25 01:14


2024-04-03 18:49

Published from: Shanxi Province

Introduction

The Kingdom of Saudi Arabia (KSA) has issued two instruments on data protection: the Personal Data Protection Law (PDPL) and the Personal Data Protection Interim Regulations (PDPIR). They aim to ensure the privacy of personal data, regulate data sharing and prevent the misuse of personal data, and they form an important part of the Kingdom's cyber security framework. Many Chinese-invested enterprises establish and operate businesses in Saudi Arabia, and their operations involve transferring data back to China. What do the Saudi data protection rules say about this, and how should Chinese-funded enterprises bring their operations into compliance with Saudi law? This article, prepared by the AIWON legal team, explains data compliance in Saudi Arabia in detail.

I. Saudi data protection legal framework

Data protection in the Kingdom of Saudi Arabia ("KSA") is regulated primarily (but not exclusively) by two instruments: the Personal Data Protection Law ("PDPL"), once it comes into effect, and the Personal Data Protection Interim Regulations ("PDPIR") issued by the National Data Management Office ("NDMO"). Both the PDPL and the PDPIR have extra-territorial effect; their application is not limited to Saudi territory.

The PDPIR applies to all entities in KSA that process Personal Data in whole or in part, as well as to entities outside KSA that process, by any means (including online processing), Personal Data relating to individuals residing in KSA.

The PDPL applies to any processing of Personal Data relating to individuals that takes place in KSA by any means, including the processing, by any means and by any entity outside KSA, of Personal Data relating to individuals residing in KSA. It therefore reaches both entities resident in KSA and those outside it.

II. Key legal concepts in Saudi data protection

1. Definition of personal data

Under the PDPL, Personal Data is defined as "Every data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify him directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature."

Under the PDPIR, Personal Data is defined as "Any element of data, regardless of source or form whatsoever, which independently or when combined with other available information could lead to the identification of a person including but not limited to: first name and last name, Saudi national ID number, addresses, phone number, bank account number, credit card number, health data, images or videos of that person." Note that the PDPIR definition expressly covers data elements that identify a person only when combined with other available information.

2. Definition of sensitive personal data

In Saudi law, "Personal Data" is not simply equivalent to "Sensitive Data". Under the PDPL, Sensitive Data is defined as "Every Personal Data that includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown."

The PDPIR also defines Sensitive Data, more briefly than the PDPL: "Data, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of government programs, or the privacy to which individuals are entitled."

3. The National Data Management Office and the Saudi Data and Artificial Intelligence Authority

The Saudi Data and Artificial Intelligence Authority ("SDAIA"), established in 2019, is dedicated to establishing and maintaining a national data management framework and to ensuring the effective use and protection of data. Through research and development of artificial intelligence technologies, SDAIA aims to foster innovation and improve sectors such as health, education, transportation and energy.

The National Data Management Office ("NDMO") is responsible for managing and overseeing national data management policies and standards, and works closely with SDAIA to ensure the effective management and use of data. NDMO's main responsibilities include developing and implementing national data management strategies and policies, supporting government departments and institutions in data management and governance, and facilitating data sharing and use in line with national development goals.

4. Registration

Under the PDPL, Data Controllers must register with SDAIA. Private entities that are Data Controllers will pay a fixed fee, the amount of which has not yet been published in the Executive Regulations of the PDPL. In addition, like other data protection laws, the PDPL appears to require the Data Controller to prepare records of processing activities ("ROPA"); unlike other data protection laws, however, the PDPL indicates that the ROPA must also be recorded with SDAIA. The PDPIR imposes no registration requirement.

5. Data protection officers

Under the PDPL, a foreign Data Controller must appoint a representative in KSA, licensed by the "competent authority" (which, under the PDPL, is to be determined by a decision of the Cabinet), to perform the Data Controller's obligations under the PDPL and its Executive Regulations (once issued). The PDPIR contains no specific requirement for organisations to appoint a data protection officer.

This appointment does not prejudice the foreign Data Controller's responsibilities towards the Data Subject or SDAIA. The Executive Regulations are to set out the provisions on licensing and the limits of the representative's relationship with the Data Controller outside KSA that it represents.

III. Collection and processing

Under the PDPL, the primary basis for processing is the Data Subject's informed consent to the collection and processing. The Executive Regulations will set out the "cases in which the consent must be in writing", which indicates that in other cases consent may be obtained by means other than in writing.

Under the PDPIR, Personal Data may not be collected or processed without the Data Subject's express consent. "Consent" is defined as "a knowing, voluntary, clear, and specific, expression of consent, whether oral or written, from the Data Subject signifying agreement to the processing of personal data."

However, the PDPL itself does not refer to a concept of processing on the basis of "legitimate interests" in the manner of the GDPR or of other data protection frameworks in the region. Rather, the PDPL allows processing on a basis other than consent where: the processing achieves a "definite interest" (not defined) of the Data Subject and it is impossible or difficult to contact the Data Subject; the processing is carried out in accordance with another law, or in implementation of an earlier agreement to which the Data Subject is a party; or the Data Controller is a public entity and the processing is required for security purposes or to meet judicial requirements.

The next part of this article will continue with how enterprises can achieve data compliance within Saudi Arabia.

To be continued.

Author: 金静雯 (Jin Jingwen), Lawyer

Practice areas: international arbitration / customs import and export / Middle East investment and trade

Thanks also to Saudi lawyer Ahmed Mukhtar for his support with this article.

Contributed by: 金静雯, Lawyer

Editor: 佟瑶

Note: This article and its contents represent only the author's views and do not constitute a formal legal opinion or advice of Beijing Yingke (Shanghai) Law Firm. Please cite the source when reprinting or quoting.