Lawful Basis and Fairness
Data must be processed lawfully, fairly, and in a transparent manner. Organizations must obtain consent or fall within a permitted exception (e.g., legal obligation, contractual necessity, etc).
Guide to Saudi Arabia’s
Personal Data Protection Law (KSA PDPL)
Navigating Personal Data Protection Law (PDPL), Implementing Regulations & Guidelines for Personal Data Protection Compliance enforced by SDAIA.
Introduction: Personal Data Protection Law (PDPL)
The Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL), enacted by Royal Decree No. (M/19) on 16/09/2021 and amended by Royal Decree No. (M/148) on 27/03/2023, is the Kingdom’s first comprehensive data protection legislation.
Enacted in line with Saudi Vision 2030’s push for technological innovation and a thriving digital economy, the PDPL aims to:
- Protect individuals’ privacy rights.
- Regulate how organizations collect, process, disclose, and retain personal data.
- Impose penalties for noncompliance.
Initially, the Saudi Data & Artificial Intelligence Authority (SDAIA) will oversee PDPL enforcement for 2 years. Afterward, supervision may shift to the National Data Management Office (NDMO).
The Personal Data Protection Law (PDPL) and its Implementing Regulations came into force on 14 September 2023, with a one-year grace period that ended on 14 September 2024.
As this date has now passed, all organizations handling personal data are expected to be fully compliant with PDPL regulatory requirements.
Personal Data Protection Law (KSA PDPL) Enforcement
SDAIA
SDAIA (Saudi Data & Artificial Intelligence Authority) will oversee PDPL enforcement for the
first two years.
first two years.
NDMO
National Data Management Office (NDMO) may take over from SDAIA thereafter.
Public Prosecution Office
Public Prosecution handles criminal investigations & prosecutions related
to severe violations (e.g. unlawful disclosure of sensitive data)
to severe violations (e.g. unlawful disclosure of sensitive data)
Personal Data Protection Law (KSA PDPL) Scope & Applicability
Material Scope
Covered
The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia, including data of the deceased if it could identify them or their family members.
Exemption
Personal data processed purely for household or personal (non-business) purposes is excluded.
Territorial Scope
Inside Saudi Arabia
Public or private organizations (data controllers) that process personal data within the Kingdom.
Outside Saudi Arabia
Foreign organizations that process the personal data of individuals residing in Saudi Arabia, regardless of where the actual processing takes place.
Key Definitions of Personal Data Protection Law (KSA PDPL)
Important definitions under the PDPL (mirroring typical terminology from global data protection laws):
Personal Data
Any information that can directly or indirectly identify an individual (e.g., name, driver’s license number, phone number, email address). This includes data about deceased persons if it identifies them or their family.
Sensitive Personal Data
Information that could cause harm if misused, such as ethnic or tribal origin, religious or political beliefs, health or biometric data, genetic data, financial data, location data, or information about criminal records.
Data Controller
The entity (public or private) that determines the purposes and means of processing personal data.
Data Processor
Any third party or vendor that processes personal data on behalf of and at the direction of the data controller.
Data Subject
An individual whose personal data is processed, i.e., the residents of Saudi Arabia.
Core Principles of Personal Data Protection Law (KSA PDPL)
The PDPL imposes several key principles to ensure organizations handle personal data lawfully and responsibly:
01
Purpose Limitation
Collect personal data only for a clear, specific, and legitimate purpose. Do not use or share it for purposes beyond what was originally stated unless new consent is obtained (or another lawful basis applies).
02
Data Minimization
Collect and process the minimum amount of personal data needed to fulfill the stated purpose. Organizations should also periodically review and delete any personal data that is no longer necessary to achieve the intended purpose.
03
Accuracy
Keep personal data accurate, complete, and up-to-date; incorrect or incomplete data must be corrected. Organizations must ensure data subjects can easily request corrections or updates, and promptly respond to such requests to maintain data accuracy.
04
Storage Limitation
Retain data only as long as necessary to fulfill the original purpose or per legal requirements. Once no longer needed, data must be securely destroyed or anonymized.
05
Security
Implement technical and organizational measures (encryption, access controls, secure servers, etc.) to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
06
Accountability
Organizations (data controllers) must be responsible for PDPL compliance and be able to demonstrate adherence to PDPL requirements (e.g., through documentation, policies, and record-keeping).
07
Data Subjects’ Rights (DSR)
The Personal Data Protection Law (PDPL) gives individuals a.k.a Data Subjects, specific rights over their personal data.
Organizations must provide channels to exercise these rights and respond promptly and transparently (typically within 30 days).
In certain circumstances, an extension beyond 30 days is permissible, provided the data subject is informed and the delay is justified.
The Data Subject Rights (DSR) include:
Right to be Informed
Individuals have the right to be informed about how their personal data is collected, the legal basis for its collection and processing, how the data is processed, stored, and destroyed, and to whom it will be disclosed.
Right to Access to Your Personal Data
Individuals have the right to access their personal data held by the Data Controller through means that allow automatic access without needing to file a formal request.
Right to Request Access to Your Personal Data
Individuals have the right to request access to their personal data at any time and obtain a copy of it in a clear, readable format.
Right to Correct Personal Data
If any personal data held by the Data Controller is inaccurate, incomplete, or outdated, individuals have the right to request correction or update of their personal data.
Right to Request Destruction of Personal Data
Individuals have the right to request the destruction of their personal data when it is no longer necessary for the purposes for which it was originally collected.
The Data Controller must consider such requests and act in accordance with applicable legal and regulatory requirements.
Right to Withdraw Consent
Individuals have the right to withdraw their consent for data processing at any time, unless there is an overriding legal basis that requires continued processing.
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to File a Complaint
If an individual believes the Data Controller has not complied with the PDPL, they have the right to file a complaint with the organization.
If the individual is dissatisfied with the outcome, they may escalate the complaint to the Saudi Data & Artificial Intelligence Authority (SDAIA).
Right to Claim Compensation
Individuals have the right to claim compensation for any material or moral damage arising from a breach of the PDPL or its Implementing Regulations.
Key Compliance Steps for Personal Data Protection Law (KSA PDPL)
The PDPL places several obligations on data controllers (and, by extension, data processors):
Determine Legal Bases of Processing
Obtain Valid Consent
Freely Given:
Consent must be explicit and not a condition for receiving services unless it is strictly required for that specific service.
Granular
Separate consent for each processing purpose.
Withdrawable:
Data subjects can withdraw consent at any time; the withdrawal process must be as easy as giving consent. Exceptions:
Consent is not needed if processing:
When relying on “Legitimate Interests,” a Legitimate Interest Assessment (LIA) must be performed in accordance with PDPL Implementing Regulations to confirm its appropriateness.
Freely Given:
Consent must be explicit and not a condition for receiving services unless it is strictly required for that specific service.
Granular
Separate consent for each processing purpose.
Withdrawable:
Data subjects can withdraw consent at any time; the withdrawal process must be as easy as giving consent. Exceptions:
Consent is not needed if processing:
- Achieves a clear benefit and it’s impractical to contact the data subject. (Actual Interest)
- Is required by law or an existing agreement. (Legal Obligation)
- Is for national security or judicial requirements by a public entity. (Public Interest)
- Is for scientific or statistical research in compliance with PDPL.
- Relies on the controller’s “legitimate interest” (though not permitted for sensitive data). (Legitimate Interest)
When relying on “Legitimate Interests,” a Legitimate Interest Assessment (LIA) must be performed in accordance with PDPL Implementing Regulations to confirm its appropriateness.
Publish a Privacy Policy (Privacy Notice)
Before collecting personal data, data controllers must provide a concise and accessible privacy policy or notice stating:
- Purpose(s) for collection
- Types of data collected (mandatory vs. optional)
- Legal basis or justification
- How the data will be stored, used, and destroyed
- Whether it will be transferred or disclosed outside the Kingdom
- Possible consequences of not providing data
- Data Subjects’ Rights (DSR) and how to exercise them
Maintain Security Safeguards
Organizations must adopt organizational, administrative, and technical measures (e.g., data encryption, anonymization, access logs, intrusion detection, etc.) to secure personal data at all stages, including during transfer.
Personal Data Breach Notification
If a personal data breach (e.g., unauthorized access, leakage, destruction) occurs:
- Notify SDAIA within 72 hours of becoming aware.
- Notify Affected Individuals: If the breach poses a serious risk to them, they must be notified promptly, including details on the breach and how to contact the appointed Personal Data Protection Officer (DPO) for more information.
- If the breach involves criminal activity, organizations may need to inform other relevant authorities in addition to SDAIA.
Personal Data Protection Officer (DPO)
Organizations engaged in either must appoint a DPO in accordance with the SDAIA’s Rules for Appointing Personal Data Protection Officer (DPO):
A DPO can be an internal employee or an external service provider.
The DPO must have data protection expertise and risk management skills.
Independence of the function is recommended so the DPO can operate without conflict of interest.
The DPO’s appointment and contact info must be registered via the National Data Governance Platform.
- Large-scale data processing
- Regular or systematic monitoring of individuals
- Handling sensitive personal data
A DPO can be an internal employee or an external service provider.
The DPO must have data protection expertise and risk management skills.
Independence of the function is recommended so the DPO can operate without conflict of interest.
The DPO’s appointment and contact info must be registered via the National Data Governance Platform.
Data Protection Impact Assessment (DPIA)
Organizations must evaluate privacy risks and document how they manage them (especially for products/services used by the public).
At a minimum, Data Protection Impact Assessments (DPIA) must be carried out in cases required by the PDPL, helping ensure risks are mitigated with a documented plan.
At a minimum, Data Protection Impact Assessments (DPIA) must be carried out in cases required by the PDPL, helping ensure risks are mitigated with a documented plan.
Record of Processing Activities (RoPA)
During the data processing period and for 5 years afterward, organizations must keep internal Records of Processing Activities (RoPA) which must include:
- Their own contact details
- Purpose of processing
- Categories of data subjects
- Disclosures of personal data
- Any transfers outside Saudi Arabia
- Retention timelines
Vendor (Third-Party) Assessment
When outsourcing data processing, controllers must select processors that provide sufficient guarantees of PDPL compliance.
Data Controllers must also conduct ongoing monitoring to verify the vendor’s adherence to security and data protection instructions.
Data Controllers must also conduct ongoing monitoring to verify the vendor’s adherence to security and data protection instructions.
Sharing Personal Data Within the Kingdom
Even when sharing personal data domestically (i.e., within Saudi Arabia), you must comply with all relevant PDPL obligations.
This includes ensuring appropriate technical and organizational measures (such as Data Sharing Agreements (DSA), restricting access to authorized recipients, and implementing robust security controls) to protect personal data and uphold individuals’ rights.
This includes ensuring appropriate technical and organizational measures (such as Data Sharing Agreements (DSA), restricting access to authorized recipients, and implementing robust security controls) to protect personal data and uphold individuals’ rights.
Cross-Border Data Transfers
PDPL generally requires that personal data remain within Saudi Arabia unless:
Before transferring data outside the Kingdom, organizations must conduct a Transfer Impact Assessment (TIA) and document their safeguards.
- The recipient country or international organization has “adequate” data protection regulations and oversight
- SDAIA approves a transfer on national interest or compliance grounds
- Specific exemptions apply (e.g., vital interests, fulfilling an international agreement, minimal data necessary, etc.)
Before transferring data outside the Kingdom, organizations must conduct a Transfer Impact Assessment (TIA) and document their safeguards.
National Register of Controllers
All controllers that process personal data as a core part of their operations or handle sensitive data must register on the National Data Governance Platform.
Registration involves designating a representative, disclosing organizational details, and (where required) confirming the Personal Data Protection Officer (DPO) appointment.
Entities receive a certificate valid for 5 years, which must be renewed as required by law.
Registration involves designating a representative, disclosing organizational details, and (where required) confirming the Personal Data Protection Officer (DPO) appointment.
Entities receive a certificate valid for 5 years, which must be renewed as required by law.
Personal Data Protection Law (KSA PDPL) Penalties
Unauthorized Disclosure/Publication
Up to 2 years imprisonment and/or a fine up to
SAR 3 million.
Illegal Cross-Border Data Transfer
Up to 1 year imprisonment
and/or fine up to
SAR 1 million.
Violations of Other Provisions
Fines of up to SAR 5 million
can be doubled for any
repeated offenses.
KSA PDPL Compliance Timeline
14 September 2023
The PDPL (as amended),
its Implementing Regulations,
and related rules came into effect.
its Implementing Regulations,
and related rules came into effect.
14 September 2024
The PDPL law is fully enforced. Organizations should align their practices with the law.
Ongoing
SDAIA will issue further regulations or updates, including “adequacy list” for cross-border data transfers.
Practical Steps to Achieve KSA PDPL Compliance
Below is a suggested PDPL checklist combining best practices and explicit requirements:
Personal Data Inventory and Classification
- Identify all personal data you collect (including sensitive data)
- Map data flows (including cross-border transfers) and document each processing purpose
- Interview relevant stakeholders (e.g., IT, HR, Legal) to ensure you capture all personal data sources and usage
Legal Basis & Consent Management
- Ensure you have valid consent for each processing purpose or a lawful exemption
- Implement an easy consent withdrawal mechanism
Privacy Policies or Privacy Notices
- Draft/update a PDPL compliant privacy notice explaining your data collection, usage, and sharing practices
- Disclose cross-border transfers, data retention periods, and Data Subject Rights (DSR)
Data Security Measures
- Employ encryption, secure access controls, and intrusion detection, etc
- Keep logs of personal data handling, especially sensitive data
Data Breach Response Plan
- Develop a procedure to detect, investigate, and contain breaches
- Prepare notification templates and processes to inform SDAIA and affected individuals within 72 hours, when required
Appoint Personal Data Protection Officer (DPO)
- Evaluate if your core operations involve large-scale or sensitive data processing or systematic monitoring
- Register your Personal Data Protection Officer's (DPO) details with the National Data Governance Platform
Conduct Data Protection Impact Assessments (DPIAs)
- Assess the privacy risks of new and existing products/services
- Document findings and mitigation measures in a formal Data Protection Impact Assessment (DPIA) report
Record of Processing Activities (RoPA)
- Maintain up-to-date Records of Processing Activities (RoPA) of how you handle personal data, retention periods, third-party recipients, etc
- Keep these records for 5 years after processing ends
Vendor and Third-Party Assessments
- Vet service providers’ data protection practices
- Include Data Processing Agreements (DPA) ensuring they meet PDPL requirements
Cross-Border Data Transfer Checks
- Identify any data flows leaving Saudi Arabia
- Use SDAIA approved safeguards (e.g. Standard Contractual Clauses (SCC), Binding Common Rules (BCRs), and conduct risk assessments if no adequacy decision exists
- Transfer only minimal data required and confirm the transfer does not conflict with national security or individual rights
Register in the National Controllers Register
- If processing personal or sensitive data is a core activity, enroll on the National Data Governance Platform
- Obtain/renew the certificate every 5 years
Staff Training and Awareness
- Provide PDPL focused training to ensure employees understand how to handle personal data, respond to rights requests, and detect/report breaches
Key PDPL Compliance Takeaways:
The Saudi Arabia Personal Data Protection Law (PDPL) represents a significant shift in how organizations must handle personal data.
By aligning closely with international data protection standards, PDPL highlights the importance of consent, transparency, security, and accountability.
Don’t wait any longer
The 14 September 2024 grace period has already passed, so it’s critical to ensure your internal policies, systems, and procedures fully comply with the PDPL.
Document everything
From Record of Processing Activities (RoPA) to Data Protection Impact Assessments (DPIAs) to breach responses, thorough documentation is important to demonstrate compliance.
Take a holistic view
Think beyond minimal compliance. Building trust with consumers and regulators can offer competitive advantages.
Keep watch
SDAIA may release updated guidelines, an adequacy list for cross-border transfers, and new or revised regulations.
Privacy by Design (PbD)
Embed privacy features into all stages of personal data processing from collection through to destruction.
Easy Saudi Personal Data Protection Law (KSA PDPL) Compliance Ahead.
