Zscaler and Saudi Arabia Data Protection Law

Introduction

The Saudi Arabian Personal Data Protection Law (PDPL), introduced in 2021, governs the processing of personal data by Saudi entities performing processing activities in the Kingdom of Saudi Arabia (KSA) or non-Saudi entities processing data of individuals residing in the KSA. The Saudi Data & Artificial Intelligence Authority (SDAIA) is the current competent authority of the PDPL.

Below, you can find key provisions and how Zscaler complies with the PDPL.

What is personal data under the PDPL?

Under the PDPL, personal data is defined as any data through which a person can be identified either directly or indirectly, which includes but is not limited to name, ID number, and contact numbers.

Zscaler ensures compliance with the PDPL’s definition by considering as personal data any information that directly or indirectly identifies a person.

How does Zscaler comply with the PDPL?

The PDPL, in Article 11, establishes principles for lawful processing, including purpose limitation, security, data minimization, storage limitation, and accuracy.

Legal basis: Zscaler ensures compliance with the PDPL by processing data according to the specific applicable legal basis, including by requiring its customers to obtain all necessary consents and only processing personal data for the purpose of providing its services and products to the customer.

Purpose limitation: Zscaler ensures that personal data is processed for legitimate, specific, and explicit purposes, with no possibility of subsequent processing that is incompatible with these purposes. For that, Zscaler identifies and documents its purposes for collecting personal data and explains those purposes to its customers.

Security: Zscaler has developed and implemented security policies to protect all personal information against loss, theft, or any unauthorized access, disclosure, copying, use, or modification, taking into account the sensitivity of the information and other factors. Zscaler reviews its security safeguards regularly to ensure they are up to date and addresses any vulnerabilities through regular security audits and/or testing. Further, Zscaler ensures that its employees are aware of the importance of maintaining the security and confidentiality of personal information, and Zscaler conducts regular staff training on security safeguards.

Data minimization and accuracy: Zscaler only processes the personal data that is necessary to provide its products and services. This means that Zscaler only processes data that is accurate, relevant, proportional, and non-excessive in relation to the purposes of the data processing.

Storage limitation: Zscaler retains personal data to the extent necessary to achieve the purposes of its collection.

Breach notification: If there is a breach of security involving a customer’s personal data, Zscaler will promptly notify the customer.

International transfers: Zscaler commits to international transfer requirements in its End User Subscription Agreement and Data Protection Agreement. In the case of any Zscaler customer that meets the requirements for the standard contractual clauses (SCCs) released by the SDAIA and requests the execution of them, Zscaler will cooperate and enter into SCCs to permit lawful transfer of personal data.

Zscaler will carefully monitor developments of the PDPL to ensure Zscaler remains compliant with Saudi Arabia’s privacy requirements.