EU General Data Protection Regulation (GDPR)

The Six Processing Principles (Art 5)

Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing activity must comply with all six simultaneously. The accountability principle means the controller must be able to demonstrate compliance — not merely assert it.

Six Lawful Bases (Art 6)

Consent; contractual necessity; legal obligation; vital interests; public task; legitimate interests. Controllers must identify the correct basis before processing begins. Consent requires a freely given, specific, informed, unambiguous act. Legitimate interests requires a balancing test — particularly relevant for Saudi B2B firms that cannot easily obtain consent from EU counterparty employees.

Special Categories & Sensitive Data (Art 9)

Health, genetic, biometric, racial/ethnic origin, political opinions, religious beliefs, trade union membership, and criminal conviction data are subject to a higher standard. Processing requires explicit consent or one of a narrow set of derogations. Saudi companies handling EU customer health data (e.g. medtech, insurance, HR) face heightened scrutiny.

Access, Rectification & Erasure

Right of access (Art 15) lets individuals obtain a copy of their data and a full account of how it is used. Right to rectification (Art 16) requires prompt correction of inaccurate data. Right to erasure — the 'right to be forgotten' (Art 17) — applies when data is no longer necessary, consent is withdrawn, or processing is unlawful. Controllers must propagate erasure to downstream processors.

Portability, Restriction & Objection

Data portability (Art 20) applies where processing is consent-based or contractual and automated — the controller must provide data in a machine-readable format. Restriction (Art 18) freezes processing while accuracy or lawfulness is contested. The right to object (Art 21) is absolute for direct marketing and conditional elsewhere, requiring a compelling-interest balancing exercise.

Automated Decision-Making & Response Timelines

Article 22 gives individuals the right not to be subject to solely automated decisions (including profiling) that produce legal or similarly significant effects. Human review must be available on request. All rights requests must receive a substantive response within one month. The clock starts on receipt — not on verification of identity. Saudi companies must embed this into their CRM and data workflows.

Records of Processing Activities & Design Obligations

Article 30 requires a written Record of Processing Activities (RoPA) — a registry of every processing purpose, lawful basis, data category, data subject category, retention period, third-party sharing arrangement, and transfer mechanism. Article 25 (data protection by design and default) means privacy controls must be embedded in systems architecture from the start, not bolted on after deployment.

Security of Processing & DPIA (Art 32, 35)

Article 32 requires technical and organisational measures appropriate to the risk — pseudonymisation, encryption, access controls, resilience, and regular testing. Article 35 mandates a Data Protection Impact Assessment (DPIA) before any processing likely to result in high risk to individuals — including systematic profiling, large-scale sensitive data processing, or systematic public area monitoring.

Breach Notification — 72-Hour Clock (Art 33–34)

Personal data breaches must be notified to the competent supervisory authority within 72 hours of the controller becoming aware — unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is high, affected data subjects must also be notified without undue delay. Internal breach response procedures, logs, and a DPA-ready notification template are essential preparation.

Adequacy Decisions & SCCs

The EU Commission has issued adequacy decisions for a small number of countries — Saudi Arabia does not currently hold one. In the absence of adequacy, Standard Contractual Clauses (SCCs) — the 2021 modular SCCs — are the most commonly used mechanism. They impose contractual obligations on both the EU exporter and the Saudi importer, and since the Schrems II ruling require a Transfer Impact Assessment (TIA) to verify local law does not undermine the SCCs.

Binding Corporate Rules & Derogations

Multinational groups with EU parents and Saudi subsidiaries may use Binding Corporate Rules (BCRs), approved by a lead DPA, as an intra-group transfer mechanism. Derogations under Article 49 — such as explicit consent, contractual necessity, or important reasons of public interest — are available but must be non-repetitive and strictly necessary. Derogations cannot be used to justify routine transfers.

Saudi Arabia Transfer Context

Saudi organisations receiving EU personal data must operate under a signed SCC or other approved mechanism. The SCC importer must not be subject to local laws or practices that prevent it from honouring its SCC obligations — a TIA must assess Saudi data localisation law, intelligence access laws, and PDPL cross-border transfer controls. A dual-DPA approach (GDPR SCCs + PDPL-compliant transfer agreement) is best practice.

Lead Supervisory Authority & One-Stop-Shop

Controllers with a main establishment in the EU interact primarily with the DPA in that member state — the lead supervisory authority. Cross-border complaints trigger the consistency mechanism: the lead DPA coordinates with concerned DPAs. Saudi companies without an EU establishment must appoint an EU representative (Article 27) in a member state where data subjects are located, who acts as contact point for the relevant DPA.

Administrative Fines — Two Tiers (Art 83)

The lower tier applies to infringements of controllers' and processors' obligations, children's consent requirements, and pseudonymisation duties: up to €10 million or 2% of global annual turnover. The upper tier covers infringements of the basic processing principles, data subject rights, international transfer rules, and supervisory orders: up to €20 million or 4% of global annual turnover — whichever is higher. The 4% cap is calculated on total worldwide turnover, making this material for any significant business.

Complaints, Investigations & Judicial Remedies

Any data subject may lodge a complaint with a DPA free of charge (Art 77). DPAs have investigative powers including audits, access to premises, data, and staff. Data subjects may also pursue judicial remedies independently of a DPA complaint (Art 79). Compensation claims for material or non-material damage resulting from GDPR infringements may be brought against both controllers and processors (Art 82).

When a DPO is Mandatory (Art 37)

A DPO is mandatory for: (1) public authorities or bodies; (2) controllers or processors whose core activities require large-scale, regular and systematic monitoring of data subjects; or (3) controllers or processors whose core activities involve large-scale processing of special category or criminal conviction data. Saudi companies operating EU-facing healthcare platforms, large-scale behavioural analytics, or biometric systems are likely in scope.

DPO Tasks & Independence

The DPO must: inform and advise the controller and processors on GDPR obligations; monitor compliance; manage the DPIA process; cooperate with the supervisory authority; and act as the contact point for data subjects and DPAs. The DPO must be operationally independent — they may not receive instructions on their tasks, must report to the highest management level, and cannot be penalised for performing their duties. Conflict of interest is prohibited.

Accountability Documentation

Accountability under Article 5(2) requires documentary evidence of compliance. This includes: a maintained RoPA; records of all DPIAs conducted; consent records and withdrawal logs; breach notification records; staff training records; processor contracts and SCC evidence; and DPO contact registration with the relevant DPA. During an investigation, the absence of documentation is itself an aggravating factor in penalty calculation.

Any Saudi online retailer, marketplace, or SaaS platform that actively targets EU residents — offering goods in EUR pricing, EU-language interfaces, or EU delivery options — falls under GDPR's targeting criterion (Art 3(2)(b)). Processing includes checkout data, browsing profiles, and marketing preferences.

IT outsourcing, managed services, cybersecurity firms, and professional service providers that process personal data on behalf of EU-based controllers act as GDPR data processors. They must sign EU SCCs as the data importer and comply with controller instructions on retention, deletion, and breach notification.

Saudi entities that form part of an EU corporate group processing EU personal data share the group's GDPR accountability. Intra-group transfers from the EU parent to the Saudi subsidiary require SCCs or BCRs. Group-level RoPA must include the Saudi entity's processing activities.

Data centre operators and cloud providers in Saudi Arabia that store or process personal data originating in the EU are processors under GDPR Article 4(8). They must operate under a DPA/SCC agreement, implement Article 32 security measures, and support the controller's breach notification obligations.

Research organisations, marketing analytics firms, credit bureaux, and data brokers that profile EU residents — even without a direct relationship — fall in scope if the processing monitors behaviour in the EU (Art 3(2)(b)). Consent or legitimate interests must be established for each use case.

If a Saudi company's website uses cookies, analytics trackers, or advertising pixels that collect data from EU visitors, those activities are in scope — particularly for targeted advertising. Cookie consent banners must meet GDPR standards: prior consent, granular choice, no pre-ticked boxes, and equal ease of refusal.