What the PDPL Covers
Saudi Arabia's Personal Data Protection Law is the Kingdom's first comprehensive data protection statute, modelled on global standards including the GDPR but with distinctly Saudi modifications. It captures any processing of personal data — collection, storage, use, disclosure — by any entity operating in or directed at the Kingdom.
The law came into full effect on 14 September 2023 after a one-year transition period. Companies operating in Saudi Arabia faced an extensive compliance scramble during the transition, and enforcement has been active since the effective date. The law affects every business that handles customer, employee, or contact data in any meaningful volume.
The Statute — Royal Decree M/19
The Personal Data Protection Law was issued by Royal Decree No. M/19, dated 9/2/1443H. Implementing regulations were issued in 2023 with detailed compliance specifications. The framework applies to any entity that processes personal data of individuals in the Kingdom regardless of where the entity is established — meaning foreign companies with Saudi customers are within scope.
The PDPL works in coordination with sector-specific data rules: the Saudi Central Bank's framework for financial institutions, the Ministry of Health's rules for healthcare data, and the Communications and Information Technology Commission's rules for telecommunications data.
SDAIA — The Regulator
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the primary regulator under the PDPL. SDAIA is responsible for: issuing implementing regulations, conducting compliance reviews, investigating complaints, imposing administrative penalties, and coordinating international cooperation with foreign data-protection authorities.
SDAIA operates through the National Data Management Office for the regulatory function and has built a substantial enforcement capability since 2022. Compliance reviews focus on documented governance frameworks, data subject request handling, breach notification procedures, and cross-border transfer mechanisms.
Data Subject Rights
The PDPL grants data subjects (individuals whose data is processed) a defined set of rights:
- Right to be informed — about what data is collected, the purpose, and the legal basis
- Right of access — to obtain a copy of personal data held about them
- Right to rectification — to correct inaccurate data
- Right to deletion — to have data deleted when the purpose ends or consent is withdrawn (subject to legal-retention requirements)
- Right to withdraw consent — for processing based on consent
- Right to object — to processing for direct marketing or automated decision-making
- Right of complaint — to SDAIA for unresolved disputes with the controller
Controllers are required to respond to data subject requests within 30 days (extendable to 60 days for complex requests). Failure to respond is itself a violation.
Controller and Processor Obligations
The PDPL distinguishes controllers (entities that determine the purposes and means of processing) from processors (entities that process on behalf of controllers). Both face obligations, with controllers carrying the primary compliance burden.
Controller obligations include: maintaining a record of processing activities; implementing appropriate technical and organisational security measures; conducting Data Protection Impact Assessments for high-risk processing; appointing a Data Protection Officer for organisations meeting threshold criteria; notifying SDAIA and affected data subjects of breaches within defined timeframes; and ensuring lawful basis for each processing activity.
Processor obligations include: processing only on documented instructions from the controller; implementing security measures appropriate to the risk; cooperating with the controller in fulfilling data subject requests; and notifying the controller of breaches without delay.
Cross-Border Data Transfers
The PDPL restricts transfers of personal data outside the Kingdom. Permitted transfers require one of: SDAIA approval, an adequacy decision for the destination jurisdiction, appropriate safeguards (standard contractual clauses or binding corporate rules), specific consent from the data subject for the transfer, or one of the defined exception grounds (vital interests, public-task performance, legal claims).
The cross-border framework was the single biggest compliance challenge during the PDPL transition. Many businesses' data infrastructure routed processing through US or European cloud services without explicit Saudi-jurisdiction protections. SDAIA has been pragmatic in enforcement during the first phase but is expected to tighten as compliance maturity improves.
Penalties and Enforcement
PDPL violations carry both administrative penalties (imposed by SDAIA) and criminal penalties (for serious or repeated violations, prosecuted through the Public Prosecution).
Administrative penalties scale to the violation: warnings, mandatory corrective action, and financial penalties up to five million SAR for most categories. Criminal penalties apply to violations involving sensitive data, intentional unlawful disclosure, or repeated administrative violations — penalties reach two years' imprisonment and three million SAR.
SDAIA also publishes warnings against named entities for repeated non-compliance, which carries substantial reputational consequences for the affected businesses.
Frequently Asked Questions
Does the PDPL apply to small businesses? Yes — the PDPL applies to any entity processing personal data, regardless of size. The compliance requirements scale with the volume and sensitivity of data processed, but no business is exempt from the basic obligations.
How do I handle a data subject request? The request must be acknowledged within a reasonable time and substantively responded to within 30 days. Most controllers maintain a dedicated process for handling requests, with clear escalation procedures for complex cases.
What constitutes a data breach for notification purposes? A breach is any incident leading to unauthorised access, disclosure, alteration, or loss of personal data. Notification to SDAIA and affected data subjects is required for breaches likely to cause harm — within 72 hours for the SDAIA notification.
Can I transfer Saudi customer data to my company's overseas headquarters? Yes, but only with appropriate safeguards. The most common mechanisms are standard contractual clauses approved by SDAIA, explicit consent from data subjects for the specific transfer, or processing necessary for performing a contract with the data subject. Each mechanism requires documented compliance.
When You Need Counsel
PDPL compliance is increasingly a specialist field requiring lawyers with both data-protection expertise and Saudi regulatory experience. The compliance program design, the cross-border transfer mechanism selection, the DPO appointment decision, and the breach-response playbook all benefit from counsel who has seen multiple compliance reviews.
For commercial implications and contract drafting for data-processing arrangements, see Commercial Legal Services. For related cybercrime issues — data breaches often have criminal as well as regulatory dimensions — see the Anti-Cyber Crime Law explainer.