The Kingdom of Saudi Arabia's Personal Data Protection Law was enacted by Royal Decree M/19 in September 2021, amended by Royal Decree M/148 in March 2023, and became fully enforceable on 14 September 2024. Since then, SDAIA has continued layering Implementing Regulations, Transfer Regulations, Standard Contractual Clauses and a growing library of operational guidelines. This page is the working brief for organisations operating in or into the Kingdom — the law as it stands, and the work it actually requires.
KSA's data protection regime is not a single instrument — it is a stack. The PDPL sits at the centre, with the Implementing Regulations giving operational detail, the Transfer Regulations governing the cross-border layer, the SCCs providing the contractual mechanism, and a growing portfolio of SDAIA guidelines clarifying specific operational areas. A defensible compliance posture has to address all five layers, not just the headline law.
The foundational statute. Defines personal data, controllers, processors, data subject rights, sensitive data, lawful processing bases, breach notification, cross-border restrictions and the penalty regime. The reference point for everything else.
Operational regulations issued by SDAIA. Flesh out DSR mechanics (30-day response, extension rules), DPO appointment circumstances, DPIA triggers, RoPA contents, breach notification protocol, consent specifics, sensitive-data handling.
Standalone regulation governing cross-border transfers under Article 29. Adequacy-style country assessments, conditions for permitted transfer, risk-assessment requirements for sensitive-data and continuous transfers. Significantly amended September 2024.
SDAIA-issued template clauses for use in transfers to non-adequate jurisdictions. Modelled on the EU SCC architecture but adapted for the KSA regime — controller-to-controller and controller-to-processor versions.
Growing portfolio of operational guidance — DPO appointment rules, privacy policy guidelines, anonymisation & pseudonymisation, data destruction, data disclosure cases, self-assessment framework. Non-binding in form, but the practical baseline SDAIA expects on inspection.
The PDPL applies to any processing of personal data within the Kingdom and reaches outside the Kingdom where the processing relates to data subjects in KSA. The regime distinguishes Data Controllers (primary obligation-bearers) and Data Processors, with extra-territorial application similar in shape to GDPR Article 3 — and notably extends to deceased individuals' data where it could identify the deceased or a family member.
Any natural or legal person who, alone or jointly, determines the purpose and means of processing personal data. Carries the substantive compliance load — registration with SDAIA, DPO appointment where triggered, DSR response, breach notification, security obligations, cross-border governance. (PDPL Article 1 · Article 31 obligations)
Any party processing personal data on behalf of a Data Controller. Bound by the controller's documented instructions and by direct security obligations under the IR. Subject to liability where processing exceeds the scope of instructions. (IR Article 6 · Controller-Processor relationship)
Foreign entities processing personal data of individuals in KSA — typically where they offer goods or services to those individuals, or monitor their behaviour. Scope mirrors GDPR Article 3(2) but is read against a KSA-resident-individual focus rather than data-subject-in-Union. (PDPL Article 2 · Extra-territorial reach)
Distinctively, the PDPL extends to data of deceased individuals where that data could lead to identifying the deceased or one of their family members. Practitioners with HR data, healthcare records or financial-services legacy data should verify retention and processing posture against this extended scope. (PDPL Article 2 · Distinctive scope)
The compliance load distils to six core obligation areas. Each is defined at PDPL level and operationalised in the Implementing Regulations. The list below maps obligations to article and IR references — the working reference points for any DPO operating in the KSA regime.
Processing must rest on consent, contract performance, legitimate interest (narrowly defined), legal obligation or other defined basis. Consent must be explicit, specific, freely given, with documented withdrawal mechanism. No reliance on pre-ticked boxes or implied consent.
Concise, accessible privacy policy covering purpose, legal basis, data categories, retention, recipients, transfer destinations and DPO contact. Recent SDAIA guidance directs Arabic-language availability — practitioners should treat bilingual notice as the working baseline.
Rights to be informed, access, copy, correction, completion, destruction and consent withdrawal. 30-day response window — extendable by an additional 30 days in defined circumstances. Operational mechanism must be accessible via channels the data subject can actually use.
Restricted under Article 29. Transfer permitted to adequate jurisdictions or under approved safeguards — SCCs, BCRs, certificates of accreditation. Risk assessment required for sensitive-data transfers and continuous or widespread transfers under appropriate-safeguard mechanism.
Organisational, administrative and technical safeguards proportional to risk — encryption, anonymisation/pseudonymisation, access controls, access logs, intrusion detection, secure transmission. SDAIA's anonymisation and pseudonymisation guidelines define the baseline.
Notification to SDAIA within 72 hours of becoming aware. Affected individuals to be notified promptly where the breach poses serious risk. Notification via the National Data Governance Platform, in the SDAIA-prescribed format.
Unlike GDPR's three-trigger DPO regime, KSA PDPL has its own — set out in the Rules for Appointing a Data Protection Officer. Any one of three circumstances triggers the appointment obligation. Once triggered, the DPO must meet specific qualification standards, can be employee or external contractor, and must be registered on the National Data Governance Platform.
If any one applies, DPO appointment is mandatory. The DPO can be in-house or contracted externally, and details must be registered on the National Data Governance Platform alongside the controller registration.
Controller is a public entity providing large-scale services involving personal data processing.
Core activities of the controller involve regular and systematic monitoring of data subjects on a large scale.
Core activities involve processing sensitive personal data — religious, ethnic, criminal, health, biometric, financial.
Appropriate academic qualifications, demonstrable experience in data protection, knowledge of risk management, no convictions for dishonesty or breach of trust.
Employee or external contractor — both permitted. The regime does not require the DPO to be a full-time hire.
DPO details registered on the National Data Governance Platform alongside the controller registration. Five-year certificate validity.
The PDPL's penalty regime is distinctive — it carries both civil monetary penalties imposed by SDAIA and a criminal penalty track for sensitive-data violations. The maximum monetary exposure is SAR 5 million per violation, with repeat-offence doubling. Sensitive-data disclosure with intent to harm or for personal gain triggers imprisonment exposure on top of fines. SDAIA can also order suspension of processing activities.
| Penalty | Triggering violation | Practical scope |
|---|---|---|
| SAR 3 million + up to 2 years' imprisonment (criminal track) | Disclosing or publishing sensitive personal data in violation of the PDPL — with intent to harm the data subject or for personal gain. | The most serious exposure. Targets intentional misuse of religious, ethnic, criminal, health, biometric or financial data. Imprisonment up to two years on top of the fine. Court may double the fine for repeat offences. PDPL Article 35 |
| SAR 5 million or 2% of annual revenue (top tier) | General violation of the PDPL or its Implementing Regulations by any natural or legal person. | The headline civil penalty. Some commentary indicates SDAIA can apply 2% of annual revenue where higher than SAR 5 million — practitioners should treat the higher of the two as the working ceiling. Repeat offences may double. PDPL Article 36 · IR detail |
| Warning + corrective action (lighter touch) | Less severe violations where SDAIA judges a warning sufficient to obtain compliance. | SDAIA retains discretion to issue warnings instead of fines for less serious or first-time procedural breaches — typically with a documented corrective-action timeline. Failure to remediate elevates to the fine track. SDAIA enforcement discretion |
| Activity suspension, temporary or permanent (operational) | Material non-compliance where continued processing poses ongoing risk to data subjects. | SDAIA has the power to order suspension of data processing activities — temporary or permanent, depending on severity. The operational impact often exceeds the monetary penalty for businesses whose primary activity is data-intensive. SDAIA enforcement powers |
Aggravating factors increase the penalty within the ceiling. SDAIA considers nature, gravity and duration of the violation, type of personal data affected, intent or negligence, mitigating action and cooperation during inquiry. The criminal track for sensitive-data violations is a separate enforcement path through the courts — practitioners with healthcare, financial-services or biometric-data exposure should treat this as a board-level risk item.
Practitioner-grade reference for the PDPL's structure. Useful for orienting where a specific obligation, right or remedy lives — and for cross-referencing against the Implementing Regulations and Transfer Regulations during diligence work or audit response.
What an organisation operating in or into KSA actually has to do to be defensibly PDPL-compliant. Each workstream below maps to an obligation area or an SDAIA expectation. The list is the practical picture; the engagement options at the bottom of the page show how this work gets delivered.
Diagnostic against the PDPL, IR, Transfer Regulations and SDAIA guidelines. Gap report against current state, prioritised remediation map, board-ready findings register. The starting point.
Controller registration on the National Data Governance Platform — required for public entities, sensitive-data processors, primary-activity data processors, and processing extending beyond personal/family use. Five-year certificate.
Trigger assessment against the three SDAIA criteria. DPO recruitment, qualification verification, NDGP registration. For organisations using fractional DPO via DPOaaS — full integration with internal governance.
Plain-language privacy policies, mapped to processing purposes — bilingual Arabic-English in line with SDAIA expectations. Versioned, accessible, and traceable to consent collection events.
Consent flow design meeting the explicit-affirmative-action standard. Granular consent capture for purposes, withdrawal-symmetry, sensitive-data explicit consent. Consent register infrastructure with audit trail.
Operational mechanism to receive, process and respond within the 30-day window (with documented extension where applicable). Workflow ownership, response templates, escalation path to SDAIA.
Records of Processing Activities mapped to PDPL categories. Sensitive-data flagging, processor-relationship documentation, retention schedules, cross-border flow visibility.
DPIA methodology aligned to IR triggers — sensitive data, large-scale automated processing, new technologies, automated decision-making, vulnerable groups. DPIA library with sign-off governance.
Inventory of cross-border flows. Adequacy assessment per destination. SDAIA SCC implementation for non-adequate jurisdictions. Risk assessments for sensitive-data transfers and continuous-flow arrangements.
Organisational, administrative and technical safeguards mapped to risk profile. Anonymisation/pseudonymisation per SDAIA guidelines. Access controls, encryption, audit logging, retention management.
72-hour SDAIA notification protocol via NDGP. Severity rating, individual notification scoping, regulator-facing drafting templates, post-incident lessons-learned. Coordinated with broader incident response.
PDPL work is delivered through one of three engagement shapes — depending on whether the program needs building, operating or specialist input. The right shape depends on whether your organisation has a triggered DPO appointment, the maturity of existing privacy capability, and the timeline pressure from board, audit or regulator.
For organisations needing the PDPL program built from zero — readiness assessment, NDGP registration, DPO appointment, privacy notices, consent architecture, DSR machinery, breach playbook. Finite scope, fixed-fee, milestone-billed against an SOW.
For organisations triggered into mandatory DPO appointment under the SDAIA Rules — public entity, regular monitoring or sensitive-data processing — without justifying a full-time hire. Named DPO carried, SDAIA-registered, regulator-facing.
For organisations with an in-house privacy function who need senior backup on harder PDPL questions — cross-border DTA work, sensitive-data DPIA peer review, novel sectoral overlay, regulator escalation. Block-hour retainer.
Common questions on PDPL — particularly from organisations that completed first-pass compliance during the 2023-2024 grace period and are now confronting the reality of inspection-readiness, ongoing SDAIA guidance and the 2024 transfer-mechanism layer.
Most organisations completed a basic compliance pass during the 2023-2024 grace period. The work for 2026-2027 is harder: ongoing inspection readiness, the 2024 transfer-mechanism layer, the maturing SDAIA guidance, and the operational discipline that survives audit. A 30-minute scoping call costs nothing — we will tell you honestly where you sit and what the right next step looks like.