Saudi Arabia PDPL: Personal Data Protection Compliance
Part of the Compliance & Regulation series
Saudi Arabia's Personal Data Protection Law (PDPL), enacted by Royal Decree M/19 on September 16, 2021, and in force since September 17, 2023, is the Kingdom's first comprehensive data protection legislation. Administered by the Saudi Data and Artificial Intelligence Authority (SDAIA), the PDPL applies to organisations processing the personal data of Saudi residents and has significant implications for businesses operating in or serving the Saudi market.
The PDPL was accompanied by its Implementing Regulations (issued by SDAIA in March 2023), which provide detailed requirements on technical and organisational measures, data subject rights processes, and cross-border data transfer conditions. Non-compliance can result in fines of up to SAR 5 million ($1.33 million USD) and one year of imprisonment for criminal violations.
Key Takeaways
- Saudi PDPL applies to any processing of personal data of individuals in Saudi Arabia, regardless of where the processing entity is located
- Eight legal bases for processing exist; consent must be explicit, specific, informed, and verifiable
- Sensitive data (health, genetic, credit, criminal records, biometric, sexual orientation) requires explicit consent or specific legal exceptions
- Cross-border transfers require SDAIA approval or specific safeguards — data localisation is a significant compliance challenge
- Data subject rights include access, correction, deletion, portability, and objection — with 30-day response timelines
- DPO appointment is mandatory for certain organisations processing sensitive data at scale
- SDAIA can impose fines of up to SAR 5 million, and its regulatory powers include suspending data processing activities
- The PDPL applies alongside sector-specific regulations from the Saudi Central Bank (SAMA) and other regulators
PDPL Scope and Applicability
Who Must Comply
The Saudi PDPL (Royal Decree M/19 of 1443 AH / 2021) applies to:
- Processing in Saudi Arabia: Any entity processing personal data within Saudi territory
- Processing of Saudi residents' data: Entities outside Saudi Arabia that process personal data of individuals residing in Saudi Arabia
- Processing for Saudi-based purposes: Processing related to offering goods or services to individuals in Saudi Arabia
This extraterritorial scope means international businesses serving Saudi customers — including eCommerce platforms, SaaS providers, and digital services — must comply with the PDPL.
Key definitions:
- Personal data: Any data that leads to the identification of an individual specifically, or makes it possible to identify them, including name, personal identification number, address, contact numbers, and any other data that identifies the individual
- Sensitive personal data: Health data, genetic data, credit and financial data, data related to individuals with special needs, criminal records, biometric data, data revealing racial or ethnic origins, religious beliefs, and data relating to private life including sexual orientation
Exemptions
The PDPL does not apply to:
- Personal data held by government authorities for security or judicial purposes
- Deceased persons' data (the law makes no provision for next-of-kin rights)
- Personal data processed for personal or family purposes
- Data anonymised in a manner that makes re-identification impossible
Legal Bases for Processing
The PDPL Implementing Regulations establish legal bases for processing personal data. Controllers must document the applicable legal basis for each processing activity:
| Legal Basis | Description |
|---|---|
| Consent | Explicit consent of the data subject — free, specific, informed, and verifiable |
| Contract | Processing necessary for contract execution with the data subject |
| Legal obligation | Compliance with a legal or regulatory obligation |
| Vital interests | Protection of life or health of the data subject |
| Public interest | Performing tasks in the public interest |
| Legitimate interests | Where the controller's interests are legitimate and balanced against data subject's rights |
| Research and statistics | For scientific research or statistical purposes with appropriate safeguards |
| Protecting legal rights | Establishment, exercise, or defence of legal claims |
Consent requirements under PDPL:
- Must be explicit and specific to the processing purpose
- Cannot be bundled with other consents
- Must be in plain language, without technical jargon
- Withdrawal must be as easy as providing consent
- Record of consent must be maintained
- Marketing and advertising require separate, explicit consent
Sensitive data: Processing requires explicit consent or must fall under one of the following grounds: a legal obligation, protection of the data subject's or others' vital interests, medical necessity subject to healthcare confidentiality obligations, processing in connection with legal proceedings, or scientific research with appropriate safeguards.
Data Subject Rights
The PDPL grants the following rights to data subjects, with a general 30-day response period (extendable to 30 additional days with notification):
Right to be informed: Data subjects must be informed of processing activities before or at the time of data collection. Controllers must disclose: identity and contact details, purposes, legal basis, categories of data, retention period, data subject rights, cross-border transfer information.
Right of access: Data subjects can request confirmation of whether their data is being processed and obtain a copy. Response must be provided within 30 days; one free copy per 12 months (fees permissible for additional copies).
Right to correction: Data subjects can request correction of inaccurate or outdated personal data.
Right to erasure: Data subjects can request deletion where: purpose has been fulfilled, consent withdrawn (with no other legal basis), data collected unlawfully, or legal obligation requires deletion. Exceptions include legal obligation to retain, exercise of legal rights, and public interest research.
Right to portability: Data subjects can request their data in a structured, machine-readable format for transmission to another controller.
Right to object: Data subjects can object to processing based on legitimate interests (controller must demonstrate compelling legitimate grounds overriding the data subject's interests).
Right to restrict automated decision-making: Data subjects can request human review of significant automated decisions.
Controller and Processor Obligations
Privacy Notice Requirements
Controllers must provide a clear, accessible privacy notice covering:
- Entity name and contact information
- Categories of personal data collected
- Purposes and legal bases for processing
- How data is used, disclosed, and transferred
- Data retention periods
- Data subject rights and how to exercise them
- Information about any cross-border transfers
- Contact information for the DPO (if appointed)
Privacy notices must be in Arabic for Saudi-based operations (translation requirement applies to businesses serving Saudi consumers).
Data Protection Officer (DPO)
Under the PDPL Implementing Regulations, appointing a DPO is mandatory for:
- Controllers processing sensitive personal data on a large scale
- Controllers carrying out large-scale systematic monitoring of data subjects
- Public authorities (with exceptions)
The DPO must:
- Have expert knowledge of data protection and information security
- Report directly to senior management
- Act as the contact point for SDAIA and data subjects
- Monitor compliance with the PDPL
- Provide advice on DPIAs
The DPO's contact details must be disclosed in the privacy notice.
Data Protection Impact Assessments (DPIAs)
The Implementing Regulations require DPIAs before processing activities that may result in high risk to data subjects, including:
- Large-scale processing of sensitive data
- Systematic profiling of data subjects
- Processing involving novel technologies
- Processing of children's data at scale
DPIA documentation must be retained and made available to SDAIA on request.
Security Requirements
Controllers must implement technical and organisational measures commensurate with the sensitivity of the data and the risks of processing, including:
- Data encryption in storage and transmission
- Access controls with principle of least privilege
- Audit logging for access to personal data
- Regular security testing and vulnerability assessments
- Incident response procedures
- Business continuity and disaster recovery for personal data systems
- Vendor security assessment and contractual requirements
Cross-Border Data Transfers
Article 29 of the PDPL imposes significant restrictions on transferring personal data outside Saudi Arabia. This is one of the most operationally challenging aspects of PDPL compliance.
Permitted transfer mechanisms:
- SDAIA approval: Transfer subject to SDAIA's prior approval and conditions it specifies
- Adequate protection: Transfer to a country with an adequate level of data protection (SDAIA maintains an approved list)
- Contractual safeguards: Transfer under contracts providing adequate protection and meeting SDAIA requirements
- Binding corporate rules: Intragroup transfers under approved binding corporate rules
- Consent: Explicit, informed consent of the data subject
- Contract necessity: Transfer necessary for contract performance with the data subject
- Vital interests: Transfer necessary to protect vital interests where consent cannot be obtained
- Public interest: Transfer required for public interest with appropriate safeguards
Data localisation considerations: Sector-specific regulations from SAMA (the Saudi Central Bank, formerly the Saudi Arabian Monetary Authority), the Communications, Space and Technology Commission (CST), and the Ministry of Health impose data localisation requirements for financial, telecom, and health data. Cloud providers must maintain data centres within Saudi Arabia for certain regulated data categories.
Practical impact: Many multinational companies with Saudi operations have implemented data residency solutions — using Saudi Arabia-based cloud regions (available from AWS, Azure, and Google Cloud) — to avoid complex cross-border transfer compliance.
Breach Notification
Article 20 of the PDPL requires controllers to notify SDAIA of personal data breaches within 72 hours of discovering a breach that poses risk to data subjects' rights or interests.
Required breach notification content:
- Nature and circumstances of the breach
- Categories and approximate number of affected data subjects
- Categories and approximate number of affected records
- Name and contact details of the DPO or other contact
- Likely consequences of the breach
- Measures taken or planned to address the breach
Notification to data subjects: Required without undue delay when the breach is likely to result in high risk to data subjects' rights or freedoms. Notification must include: what happened, what data was affected, steps data subjects can take to protect themselves, and contact information for further inquiries.
SDAIA Enforcement and Penalties
Regulatory Powers
SDAIA has broad regulatory powers under the PDPL:
- Issuing guidance and regulations
- Investigating complaints from data subjects
- Conducting audits of data controllers
- Imposing administrative sanctions
- Suspending processing activities that violate the PDPL
- Referring criminal violations to the Public Prosecution
Penalties
Administrative penalties:
- Fine of up to SAR 1 million ($267,000 USD) for violations of data subject rights or controller obligations
- Fine of up to SAR 5 million ($1.33 million USD) for violations involving sensitive personal data
- Fine of up to SAR 5 million for cross-border transfer violations
- Fines can be doubled for repeat violations within two years
Criminal penalties:
- Disclosing or publishing sensitive data without authorisation: imprisonment up to two years and/or fine up to SAR 3 million
- Transferring data outside Saudi Arabia to damage national interests: imprisonment up to one year and/or fine up to SAR 1 million
Public disclosure: SDAIA may publish information about violations and sanctions, with significant reputational implications in Saudi Arabia's concentrated business market.
Interaction with Other Saudi Regulations
SAMA Cybersecurity Framework
The Saudi Central Bank (SAMA) has its own Cybersecurity Framework (SAMACF) applicable to all SAMA-regulated entities (banks, insurance companies, financing companies). The framework includes:
- Data classification and protection requirements aligned with PDPL
- Incident response and notification requirements
- Third-party risk management obligations
- Cloud service provider assessment requirements
SAMA-regulated entities must comply with both SAMACF and the PDPL, with the stricter requirement prevailing.
CST Personal Data Protection Regulations (Telecoms)
The Communications, Space and Technology Commission has issued telecom-specific data protection requirements including subscriber data protection, location data restrictions, and data localisation for telecom operators.
Health Sector Regulations
The Ministry of Health and Saudi Health Council have issued healthcare data protection requirements mandating: patient consent for data sharing, data localisation for health records, specific security standards for health information systems, and restrictions on using health data for commercial purposes.
Saudi PDPL Compliance Checklist
- PDPL applicability analysis completed (including extraterritorial scope)
- Personal data and sensitive data inventory completed
- Legal basis documented for every processing activity
- Separate explicit consent obtained for sensitive data processing
- Privacy notice published in Arabic (for Saudi users) with all required disclosures
- DPO appointed where required; contact information in privacy notice
- Data subject rights procedures documented with 30-day response mechanism
- Processor agreements updated with PDPL requirements
- Cross-border transfer assessment completed — SDAIA-approved mechanisms in place
- Data localisation assessment for regulated sectors (finance, health, telecom)
- DPIA conducted for high-risk processing activities
- Security measures implemented proportional to data sensitivity
- 72-hour breach notification procedure documented and tested
- Retention schedules documented and automated deletion configured
- Employee training on PDPL obligations completed
Frequently Asked Questions
When did Saudi Arabia's PDPL become enforceable?
The PDPL was enacted by Royal Decree M/19 in September 2021 and its Implementing Regulations were issued in March 2023. Enforcement began on September 17, 2023 — two years after the law's enactment. SDAIA initially indicated a grace period for compliance preparation, but enforcement is now active. Businesses that have not yet begun compliance programmes face real regulatory risk.
Does the Saudi PDPL apply to my business outside Saudi Arabia?
Yes, if you process personal data of individuals residing in Saudi Arabia. The extraterritorial scope is similar to GDPR's approach: if you offer goods or services to Saudi residents, or process data of Saudi residents for any purpose, the PDPL applies. This includes eCommerce businesses, SaaS providers, digital services, and any company with Saudi employees (for their employment data).
What are the data localisation requirements in Saudi Arabia?
The PDPL itself does not impose blanket data localisation — it permits cross-border transfers through approved mechanisms. However, sector-specific regulations create significant localisation requirements: SAMA-regulated financial institutions must keep customer financial data within Saudi Arabia; health data must be stored within Saudi Arabia for regulated health entities; telecom subscriber data has specific residency requirements. Cloud providers AWS, Microsoft Azure, and Google Cloud have all established Saudi Arabia cloud regions to address these requirements.
How does PDPL interact with GDPR for multinational companies?
Multinational companies subject to both GDPR and Saudi PDPL must satisfy both frameworks simultaneously. They share similar principles but differ in specifics — PDPL consent requirements, cross-border transfer mechanisms, and breach notification timelines have Saudi-specific requirements. The main practical challenge is cross-border data flows: data flowing from Saudi Arabia to EU countries is not automatically compliant with Saudi PDPL just because GDPR applies at the destination. Each transfer must be assessed under PDPL's mechanisms.
What is SDAIA and what authority does it have?
SDAIA (Saudi Data and Artificial Intelligence Authority) is the government body responsible for overseeing data and AI in Saudi Arabia. Established in 2019, SDAIA administers the PDPL and has broad regulatory, investigative, and enforcement powers. It issues guidance and regulations, investigates complaints, conducts audits, imposes administrative fines, and refers criminal violations to the Public Prosecution. SDAIA also manages the National Data Governance Framework and oversees Saudi Arabia's data economy development.
Next Steps
Saudi Arabia's growing digital economy and Vision 2030 transformation are creating significant business opportunities alongside increasingly stringent regulatory requirements. PDPL compliance is becoming a prerequisite for doing business with Saudi government entities, banks, healthcare organisations, and enterprise customers.
ECOSIRE helps organisations navigate Saudi PDPL compliance alongside other regional data protection requirements. Our services include compliance gap assessments, privacy programme design, technical implementation, and ongoing compliance management.
Learn more: ECOSIRE Services
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Saudi PDPL requirements are evolving through SDAIA guidance and enforcement decisions. Consult qualified Saudi legal counsel for advice specific to your organisation.
Written by
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.