Guide to Saudi Arabia’s Personal Data Protection Law (KSA PDPL)

Navigating Saudi Personal Data Protection Law (KSA PDPL), Implementing Regulations, and SDAIA Guidelines.

Overview: Saudi Personal Data Protection Law (KSA PDPL)

Kingdom of Saudi Arabia’s Personal Data Protection Law (KSA PDPL), enacted under Royal Decree No. M/19 on 16 September 2021 and amended by Royal Decree No. M/148 on 27 March 2023 is the country’s first comprehensive Data Privacy and Protection Legislation.

PDPL introduces a unified framework governing how personal data must be collected, processed, stored, and shared across both public and private sectors.

Enacted as part of the Saudi Vision 2030’s Digital Transformation Strategy, PDPL establishes the rights for individuals (referred to as Data Subjects) and imposes specific obligations on entities that handle personal data.

Saudi Personal Data Protection Law (KSA PDPL) aims to:

SDAIA Enforcement and Regulatory Supervision

Initially, the Saudi Data and Artificial Intelligence Authority (SDAIA) was appointed as the supervisory authority responsible for enforcing PDPL compliance for the first two years.

During this period, SDAIA issued the official PDPL Implementing Regulation, published guidelines, and provided regulatory support for organizations.

Responsibility for long-term supervision may later shift to the National Data Management Office (NDMO) under the umbrella of the Kingdom’s national data governance framework.

Saudi PDPL Enforcement Deadline: 14 September 2024

The Personal Data Protection Law (PDPL) and its Implementing Regulations came into force on 14 September 2023, followed by a one-year grace period.

As of 14 September 2024, all organizations operating in Saudi Arabia that process personal data must be fully compliant with PDPL obligations.

Guide to Saudi Arabia’s
Personal Data Protection Law (KSA PDPL)

Navigating Saudi Personal Data Protection Law (KSA PDPL),
Implementing Regulations & SDAIA Guidelines.

Overview: Saudi Personal Data Protection Law (KSA PDPL)

The Kingdom of Saudi Arabia’s Personal Data Protection Law (KSA PDPL), enacted by Royal Decree No. (M/19) on 16/09/2021 and amended by Royal Decree No. (M/148) on 27/03/2023 is the Kingdom’s first comprehensive data protection legislation.

Initially, the Saudi Data & Artificial Intelligence Authority (SDAIA) was designated to oversee enforcement of the Saudi Personal Data Protection Law (PDPL) for the first two years following its enactment. During this period, SDAIA issued the PDPL Implementing Regulation, published official compliance guidelines, and established supervisory mechanisms to support organizations compliance journey.

Enacted in line with Saudi Vision 2030’s push for technological innovation and a thriving digital economy, the Saudi Personal Data Protection Law (KSA PDPL) aims to:

Enforcement responsibility may later transition to the National Data Management Office (NDMO), reflecting the Kingdom’s broader data governance strategy under Saudi Vision 2030.

The Personal Data Protection Law (PDPL) and Implementing Regulation officially came into force on 14 September 2023, with a one-year grace period ending on 14 September 2024. As of this deadline, all public and private sector entities that process personal data in the Kingdom of Saudi Arabia are legally required to be fully compliant with the PDPL.

Organizations that fail to comply risk significant regulatory penalties, suspension of processing activities, reputational damage, and enforcement actions from SDAIA or the designated supervisory authority.

Compliance with the Saudi Personal Data Protection Law (KSA PDPL) is now a strategic and legal imperative for any business operating in Saudi Arabia especially those involved in cross-border data transfers, sensitive data processing, or undergoing IPO, merger, or investor due diligence.

Enforcement Timeline of Saudi Personal Data Protection Law (KSA PDPL)

KSA PDPL follows a phased enforcement approach. SDAIA continues to release regulatory updates, guidelines, and amendments, including the anticipated adequacy list for lawful cross-border data transfers.

14 September 2023

The PDPL (as amended),
its Implementing Regulations,
and related rules came into effect.

14 September 2024

The PDPL law is fully enforced. Organizations should align their practices with the law.

Ongoing

SDAIA will issue further regulations or updates, including “adequacy list” for cross-border data transfers.

Enforcement Authorities under the Saudi Personal Data Protection Law (KSA PDPL)

PDPL and Implementing Regulations designate specific authorities to oversee, enforce, and prosecute violations. SDAIA = regulatory enforcement, NDMO = potential successor, and the Public Prosecution Office = criminal cases involving unlawful personal data use.

SDAIA

SDAIA (Saudi Data & Artificial Intelligence Authority) will oversee PDPL enforcement for first 2 years.

NDMO

National Data Management Office (NDMO) may take over from SDAIA thereafter.

Public Prosecution Office

Public Prosecution handles criminal investigations & prosecutions related
to severe violations (e.g. unlawful disclosure of sensitive data)

Saudi Personal Data Protection Law Scope & Applicability (KSA PDPL)

Material Scope = what kind of processing activities the law applies to (Material) vs. Territorial Scope = where the processing takes place or who is doing it (Territorial)

PDPL Material Scope (What)

What is Covered

The Saudi Personal Data Protection Law (KSA PDPL) applies to the Processing of Personal Data related to individuals that takes place within the Kingdom of Saudi Arabia by any means.

It also applies to the Processing of Personal Data of individuals residing in the Kingdom by entities located outside the Kingdom.

This includes the personal data of deceased individuals, if the data would lead to identifying them or a member of their family.

Reference: PDPL Article 2 (1)

What is Excluded

Saudi Personal Data Protection Law (KSA PDPL) does not apply to personal data processed by individuals exclusively for personal or family use, provided that the data is not published or disclosed to anyone outside the individual’s private or social circle.

According to the PDPL Implementing Regulation, this includes processing within a family or close social group for non-commercial, non-professional purposes.

However, once the data is made public or used for commercial or non-profit activities, the PDPL becomes applicable.

Reference: PDPL Article 2 (2) and Implementing Regulation Article 2 (1, 2 and 3)

PDPL Territorial Scope (Where)

The Territorial Scope of the PDPL defines where and by whom the law applies. It covers:

Entities inside Saudi Arabia that process personal data by any means.

Entities outside Saudi Arabia that process personal data of individuals residing in the Kingdom, even if the processing occurs entirely abroad.

Note: This means PDPL obligations apply not only to Saudi-based companies but also to foreign companies handling data of Saudi residents.

Inside the Kingdom of Saudi Arabia

The Saudi Personal Data Protection Law (KSA PDPL) applies to all public and private sector entities (data controllers) that collect, store, or process personal data within Saudi Arabia, regardless of their legal form or sector.

Outside the Kingdom of Saudi Arabia

The Saudi Personal Data Protection Law (KSA PDPL) also applies extraterritorially to foreign entities that process the personal data of individuals residing in Saudi Arabia, even if the data processing systems or service providers are located outside the Kingdom.

Reference: PDPL Article 2 (1)

Key Definitions of Saudi Personal Data Protection Law (KSA PDPL)

The key definitions are drawn directly from the PDPL Law and reflect SDAIA’s official terminology: who is subject to the law, what constitutes personal or sensitive data, and which activities and entities are subject to compliance obligations.

Personal Data

Personal Data refers to any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual.

This includes, but is not limited to, name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of the individual, and any other data of a personal nature.

The PDPL also applies to the personal data of deceased individuals, if such data would lead to their identification or the identification of a member of their family.

(Ref: PDPL Article 1 (4) and 2 (1))

Sensitive Data

Sensitive Data refers to the category of personal data revealing racial or ethnic origin, or religious, intellectual or political belief; data relating to security, criminal convictions and offenses; biometric or genetic data for the purpose of identifying the person, health data and data that indicates that one or both of the individual’s parents are unknown.

Because of its sensitive nature, this category of data is subject to stricter legal requirements under the PDPL, including restrictions on lawful basis, consent conditions, cross-border transfer, and additional safeguards during processing.

(Ref: PDPL Article 1 (11))

Personal Data Processing

Processing refers to any operation carried out on personal data by any means, whether manual or automated. This includes a wide range of actions such as collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing, and destroying data.

Under the PDPL, any entity engaging in one or more of these activities is considered to be processing personal data and must comply with the legal requirements set out by SDAIA, including establishing a lawful basis, ensuring transparency, and safeguarding the rights of Data Subjects.

(Ref: PDPL Article 1 (5))

Data Controller

Data Controller refers to any Public Entity, natural person, or private legal person that specifies the purpose and manner of processing personal data, whether the data is processed by that Controller or by a Processor.

Under the PDPL, the Data Controller bears full legal responsibility for ensuring that personal data is processed lawfully, fairly, and securely.

The Controller must also uphold all Data Subject rights, ensure transparency, and demonstrate compliance with SDAIA’s requirements, even when the actual processing is outsourced to third parties.

(Ref: PDPL Article 1 (18))

Data Processor

Data Processor refers to any Public Entity, natural person, or private legal person that processes personal data for the benefit and on behalf of the Controller.

Under the PDPL, the Data Processor acts only on the documented instructions of the Data Controller and is not permitted to determine the purpose or means of processing.

Although primary responsibility lies with the Controller, Processors are still required to implement appropriate security measures, adhere to contractual obligations, and support the Controller in fulfilling compliance duties such as responding to data subject rights and breach management.

(Ref: PDPL Article 1 (19))

Data Subject

Data Subject refers to the individual to whom the personal data relate.

Under the PDPL, the Data Subject is the natural person whose personal data is collected, stored, used, or otherwise processed by a Data Controller or Processor.

Data Subjects are granted specific, enforceable rights under PDPL Article 4.

These rights apply whether the individual is a Saudi citizen or resident, and they are central to ensuring lawful and fair data processing under the supervision of SDAIA.

(Ref: PDPL Article 1 (16))

Core Principles of Saudi Personal Data Protection Law (KSA PDPL)

PDPL and Implementing Regulations impose several foundational principles for handling the personal data of individuals

based on transparency, necessity, proportionality, fariness, and accountability.

Lawful Basis and Fairness

Data Controllers must collect and process Personal Data lawfully, fairly, and transparently. The Data Controller must obtain valid consent or rely on a lawful basis such as contractual necessity, legal obligation, or vital interest of the data subject, or legitimate interests of the controller (subject to safeguards and exclusions for sensitive data).

Consent is not always required where other lawful bases apply.

(Ref: PDPL Article 6)

Example: A Saudi FinTech app processes a customer’s IBAN, national ID, and contact information to activate a digital wallet. The processing is based on contractual necessity (to deliver the service), so consent is not required under PDPL Article 6(2). However, the app must still process the data fairly and transparently, informing the customer of the purpose, legal basis, and any third-party involvement.

Purpose Limitation

Data Controllers must collect and process Personal Data for specific, legitimate, and clearly stated purposes by the Data Controller. Any further processing that deviates from the original purpose requires a lawful basis, such as renewed consent or another exception allowed under the PDPL. Processing must not contradict any legal obligations.

(Ref: PDPL Articles 10, 11 (1) and Implementing Regulations Article 18)

Example: A Saudi online perfume retailer collects customers’ personal data during checkout to fulfill orders. If the company later wants to use this data for marketing, it must ensure the new purpose is lawful and either get renewed consent or verify that the new processing is compatible with the original purpose under Article 10 conditions.

Data Minimization

Data Controllers must collect and retain only the minimum amount of personal data necessary to achieve a specific, lawful processing purpose. Unnecessary, irrelevant, or excessive data collection is not permitted under Implementing Regulation Article 19. Controllers should document the necessity of each.

(Ref: Implementing Regulation Article 19)

Example: A Saudi retail store’s loyalty app collects users' mobile number, email, and date of birth to issue digital rewards and birthday offers. If the app attempts to collect passport numbers or salary data for the same purpose, it would violate the data minimization principle, as this data is not required to deliver the service.

Purpose Relevance and Accuracy

Data Controllers. must ensure Personal Data must be accurate, complete, up-to-date, and relevant to the purpose of processing. Under PDPL Article 14, Data Controllers are obligated to verify the quality of data before processing. If any data is found to be incorrect or outdated, PDPL Article 17 requires the Controller to correct it and notify all entities that previously received it.

(Ref: PDPL Article 17 & Article 30)

Example: A user updates their phone number and home address in a Saudi banking app. The bank, acting as Data Controller, must update its internal systems and also inform its credit bureau and KYC service providers to reflect the corrected data. This ensures accurate communication and avoids processing based on outdated information.

Storage Limitation

Data Controllers must retain personal data only for as long as necessary to fulfill the original collection purpose. Once that purpose no longer exists, the data must be securely destroyed without undue delay, unless a specific legal, or for the period required by the applicable laws, regulations, or judicial requirements.

Even in such cases, the data must be deleted once the lawful basis ends.

(Ref: Implementing Regulation Article 14)

Example: A Saudi fashion retailer collects customer order and delivery details to fulfill purchases. After the order is completed and the statutory accounting period ends, the retailer must securely delete the data. If a product is under dispute or litigation, the data may be retained temporarily for legal proceedings, but must be destroyed once the case is closed.

Security

Data Controllers must implement appropriate technical, administrative, and organizational measures to protect personal data from loss, misuse, unauthorized access, or breaches. This includes data in storage, in use, and in transit. Under PDPL Article 19 and Implementing Regulation Article 23, Controllers are required to follow security standards issued by the National Cybersecurity Authority (NCA) or recognized cybersecurity best practices to manage and reduce data breach risks.

(Ref: PDPL Article 19 and Implementing Regulation Article 23)

Example: A Saudi payment gateway collects and processes sensitive financial information from users. To protect this data, the company encrypts it at rest and in transit, restricts employee access to data on a need-to-know basis, and follows the National Cybersecurity Authority’s baseline controls. These practices help prevent data leaks, unauthorized transfers, and security breaches, ensuring full compliance with PDPL Article 19.

Accountability

Data Controllers must maintain detailed and accurate records of all personal data processing activities. These records must be readily available to the Saudi Data & Artificial Intelligence Authority (SDAIA) and include information such as the purpose of processing, data categories, recipients, transfers outside the Kingdom, and data retention timelines.

This helps demonstrate ongoing compliance with the PDPL.

(Ref: PDPL Article 31 & Implementing Regulation Article 33 (3))

Example: A FinTech app that handles customer ID verification and loan processing is required to maintain a full record of all personal data operations it conducts, such as the collection of Iqama numbers for onboarding, sharing data with credit agencies, and the legal basis for each transfer. These logs must be securely maintained and ready for SDAIA’s inspection.

Legal Bases for Processing Under Saudi Personal Data Protection Law (KSA PDPL)

Data Controllers must select the appropriate basis before initiating any processing, based on the nature of the data, processing purpose, and regulatory context. Below is an explanation of each legal basis, when it should and should not be used, and the supporting legal references.

Consent

When no other legal basis applies, especially for marketing, profiling, or optional services.

Data Controllers must obtain consent that is:

Freely Given: Consent must not be a condition for receiving services unless essential to that service.
Granular: Separate consent is required for each processing purpose.
Withdrawable: Data Subjects may withdraw their consent at any time. The withdrawal process must be as simple as giving consent.

When to Use Consent as a Legal Basis:

When no other legal basis applies
For optional services, direct marketing, targeted ads, or profiling
For cookie tracking and non-essential analytics
When the Data Subject must have full control over the processing

When NOT to Use Consent as a Legal Basis:

If processing is legally required or contractually necessary
To justify high-risk processing without true choice
As a fallback when unsure of the appropriate legal basis

References:

PDPL Article 5 (1) (2): Consent Requirement and Withdrawal
PDPL Article 7: Consent must be explicit and not conditional without necessity
Implementing Regulation Article 11: Conditions for valid consent
Implementing Regulation Article 12: Consent withdrawal must be easy

Legal Obligation

When processing is explicitly required by Saudi law or regulation.

When to Use Legal Obligation as a Legal Basis:

When Saudi law, regulation, or judicial ruling mandates the processing
For compliance with tax, anti-fraud, or financial reporting obligations

When NOT to Use Legal Obligation as a Legal Basis:

When no legal text or authority mandates the processing
If based solely on internal policy or assumed obligation

References:

PDPL Article 6 (2): Processing is allowed when mandated by law or agreement

Contractual Necessity

When processing is necessary to fulfill or enter into a contract with the Data Subject.

When to Use Contractual Necessity as a Legal Basis:

To fulfill or enter into a contract with the Data Subject
For processing required to deliver services (e.g. registration, transactions)

When NOT to Use Use Contractual Necessity as a Legal Basis:

If the processing is not essential to perform the contract
For pre-contractual advertising or ancillary features

References:

PDPL Article 6 (2): Covers existing contractual obligations

Legitimate Interest

When processing is necessary for the Controller’s legitimate business needs and does not infringe on Data Subject rights.

When to Use Legitimate Interest as a Legal Basis:

When processing is necessary for the Controller’s lawful interest
For fraud prevention, internal reporting, service improvement (non-sensitive data)

When NOT to Use Legitimate Interest as a Legal Basis:

When Sensitive Personal Data is involved
If there is a high risk to Data Subject rights
Without conducting a documented Legitimate Interest Assessment (LIA)

References:

PDPL Article 6 (4): Allows use of legitimate interest under strict conditions
Implementing Regulation Article 16 (3) (4): Requires formal LIA to justify use

Actual Interest (Vital Interest of the Data Subject)

To protect the Data Subject’s vital interests when contact is impossible or difficult.

When to Use Actual Interest as a Legal Basis:

When the processing benefits the Data Subject but contacting them is not feasible
In emergencies such as medical or safety-related scenarios

When NOT to Use Actual Interest as a Legal Basis:

If the Data Subject is reachable and could reasonably give consent
For convenience or as a substitute for legitimate interest

References:

PDPL Article 6 (1): Processing is allowed where contact is difficult and actual interest exists
Implementing Regulation Article 14: Evidence must be retained for actual interest use

Public Interest (Public Entity)

If processing is by a public entity for national security or judicial reasons.

When to Use Public Interest as a Legal Basis:

When a public authority processes data for national security, law enforcement, or judicial reasons
For regulatory supervision, public safety, or investigations

When NOT to Use Public Interest as a Legal Basis:

By private-sector entities for their own operational needs
When the activity does not serve a documented public interest

References:

PDPL Article 6 (3): Allows public entities to process data for public interest purposes

Scientific or Statistical Research

If processing is anonymized or pseudonymized for public-interest research.

When to Use Scientific or Statistical Research as a Legal Basis:

For anonymized or pseudonymized processing for public-benefit research
By academic, health, or national research entities under appropriate safeguards

When NOT to Use Scientific or Statistical Research as a Legal Basis:

For internal business intelligence or commercial analytics
If sensitive data is used without anonymization and safeguards

References:

PDPL Article 10: Data may not be used beyond collection purpose except for research
Implementing Regulation Article 15: Sets conditions for using data in research contexts

Data Subject Rights (DSR) under Saudi Personal Data Protection Law (KSA PDPL)

The Saudi Personal Data Protection Law (KSA PDPL) grants individuals, known as Data Subjects, a set of enforceable rights over their personal data.

These Data Subject Rights (DSR) are primarily granted in Article 4 of the PDPL, which lays out the foundational entitlements such as the right to be informed, to access, to correct, and to request destruction of personal data.

Additional data subject rights and detailed procedures are specified in the Implementing Regulations issued by the Saudi Data & Artificial Intelligence Authority (SDAIA). These include mechanisms for exercising rights, specific timeframes for responses, controller obligations, and extended rights such as the right to receive a copy of personal data and the right to withdraw consent.

Data Controllers must provide accessible channels to receive and process such requests, and must respond within 30 days as mandated by Implementing Regulation Article 3(1)(a). This period may be extended once, with justification and advance notice to the Data Subject.

Data Processors, while not directly responsible for responding to Data Subjects, are required to support the Data Controller in fulfilling these data subject rights. Upon request, the Processor must locate, modify, or erase relevant personal data as instructed, and ensure compliance with the PDPL and applicable regulatory controls.

Right to be Informed

Data Subjects have the right to be informed by the Data Controller at the point of collection in a privacy notice about the legal basis and purpose for collecting their personal data, whether data is mandatory or optional, who will access it, and whether it will be transferred or processed outside Saudi Arabia.

(Ref: PDPL Articles 4 (1), 13)

“The right to be informed about the legal basis and the purpose of collection of their personal data.”

Example: An e-commerce app collects customer information during sign-up. Before collecting data, it must clearly inform the user of the legal basis (e.g. contractual necessity), the purpose (e.g. account creation), whether fields are optional or mandatory, and whether data will be transferred outside KSA. This notice enables the user to give informed consent.

Right to Access Personal Data

Data Subjects have the right to access their personal data held by the Data Controller and to understand how and why it is being processed, provided such access does not endanger national security, another person’s privacy, or violate court or legal restrictions. This access must be provided in line with the procedures set out in the PDPL and its Implementing Regulations.

(Ref: PDPL Articles 4 (2), 16)

“The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.

Example: A customer contacts a food delivery app requesting access to all personal data held about them, including delivery history, saved addresses, and communication logs. The Data Controller must grant access unless access would reveal personal data of another customer or pose a risk under PDPL Article 16.

Right to Request Access a Copy of Personal Data

Data Subjects have the right to request a copy of their personal data from the Data Controller in a readable and clear format. However, the Data Controller must ensure that fulfilling such requests does not compromise national security, legal proceedings, or the privacy of others, as stated in Article 16.

(Ref: PDPL Articles 4 (3), 16

“The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations."

Example: A user asks their digital bank to provide a downloadable copy of their account history and personal profile. The bank, acting as the Data Controller, provides the data in a readable format such as PDF or CSV, after confirming the request does not expose third-party data.

Right to Correct Personal Data

Data Subjects have the right to request correction, completion, or updating of their personal data held by the Data Controller, if the data is inaccurate, incomplete, or outdated. Once corrected, the Data Controller is also obligated to notify all third parties to whom the data was previously shared, ensuring that the corrected version is consistently maintained across all systems.

(Ref: PDPL Articles 4 (4), 17)

“The right to request correcting, completing, or updating their Personal Data held by the Controller"

Example: A retail customer logs in and notices their name is misspelled and their email is outdated. They request correction. The Data Controller updates the records and notifies affiliated marketing systems and third-party processors that also store the data.

Right to Request Destruction of Personal Data

Data Subjects have the right to request the Data Controller to destroy their personal data when it is no longer needed, consent is withdrawn (and no other legal basis applies), or if the data is being processed unlawfully. The Data Controller must also ensure destruction across all systems, backups, and notify any third parties with whom the data was shared, except where legal or judicial retention is required.

(Ref: PDPL Articles 4 (5), 18 & Implementing Regulation Article 8)

“The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law."

Example: A user closes their mobile wallet account and requests deletion of their personal data. Since there is no legal basis to retain the data (e.g. no open financial dispute), the Data Controller deletes all active records and also instructs its Data Processors such as, cloud storage provider and analytics vendor to delete or anonymize the data.

Right to Withdraw Consent

A customer of a retail brand had consented to receive promotional emails. Later, they withdraw consent. The Data Controller stops sending marketing emails and notifies their Data Processors such as, email marketing provider to stop all further communication. Past lawful use of the data remains unaffected.

Right to File a Complaint

Data Subjects have the right to file a complaint with the supervisory authority, Saudi Data & Artificial Intelligence Authority (SDAIA) if they believe their rights under the PDPL have been violated. The complaint must be submitted within 90 days of the violation (or becoming aware of it), and must include relevant details and supporting evidence.

(Ref: PDPL Implementing Regulation Article 37)

"Data Subject may complain to the Competent Authority within a period not exceeding (90) days from the date of the incident or the date on which the Data Subject became aware of it. The Competent Authority shall determine whether to accept the complaint or not after this period in cases where there are reasonable causes that may have prevented the Data Subject from submitting the complaint in time."

Example: An individual believes a delivery app used their data for advertising without proper legal basis. After failing to resolve it with the company, the individual files a complaint with SDAIA within 90 days, attaching the privacy notice and promotional messages as supporting evidence. SDAIA investigates and informs them of the outcome.

Right to Claim Compensation

Data Subjects have the right to claim compensation through the competent court if they suffer material or moral harm resulting from violations of the PDPL or its Implementing Regulations. This right applies regardless of administrative or regulatory penalties imposed on the Data Controller or Processor and allows individuals to seek legal redress for damages.

Article 40 of the PDPL:

"Any individual that suffers damage as a result of any of the violations stated in this Law or the Regulations may apply to a competent court for proportionate compensation for the material or moral damage."

Example: A customer of a mobile banking app discovers that their personal financial data was unlawfully shared with a third-party advertiser without consent. As a result, they suffer reputational harm and emotional distress. The customer files a compensation claim with the competent court. If the court confirms that the Data Controller violated the PDPL, it may award proportionate compensation for the damage suffered.

Compliance Obligations Under Saudi Personal Data Protection Law (KSA PDPL)

PDPL establishes a clear set of compliance requirements for organizations acting as data controllers and in some cases, data processors. Each obligation must be addressed proactively to meet SDAIA’s regulatory standards, avoid penalties, and uphold the rights of Data Subjects under the law.

Determine Legal Bases of Processing

Under the Saudi PDPL, every personal data processing activity must be backed by a valid legal basis. Controllers must document and justify the legal basis for each processing purpose before initiating any activity involving personal data.

Accepted Legal Bases Under PDPL:

Consent
Obtain clear, explicit, and freely given consent for processing activities not covered by other legal bases.
(Ref: PDPL Article 5(1), Article 7; Implementing Regulation Articles 11 & 12)

Contractual Necessity
Process data required to perform or enter into a contract with the data subject.
(Ref: PDPL Article 6(2))

Legal Obligation
Process personal data where required by law or existing legal agreements.
(Ref: PDPL Article 6(2))

Actual (Vital) Interest of Data Subject
When it is impractical to contact the data subject but the processing serves their best interest (e.g. emergency medical use).
(Ref: PDPL Article 6(1); Implementing Regulation Article 14)

Legitimate Interest of the Controller
When processing is necessary for the controller’s legitimate interest, provided it does not override the data subject’s rights.
Cannot be used for sensitive data. Requires a Legitimate Interest Assessment (LIA).
(Ref: PDPL Article 6(4); Implementing Regulation Article 16)

Public Interest / Security / Judiciary
When processing is conducted by a public entity for national security or judicial requirements.
(Ref: PDPL Article 6(3))

Scientific, Statistical, or Research Purposes
Allowed with safeguards, such as anonymization or pseudonymization.
(Ref: PDPL Article 10; Implementing Regulation Article 15)

Best Practice:
Always map each processing purpose to a specific legal basis in your Record of Processing Activities (RoPA). If consent is used, ensure it meets the PDPL's explicit standards and allow easy withdrawal mechanisms.

Controllers must not rely on consent as a fallback. Choosing the wrong legal basis can lead to compliance failure, fines, or enforcement action by SDAIA.

Publish a Privacy Policy (Privacy Notice)

Before collecting personal data, data controllers must provide a concise and accessible privacy policy or notice stating:

- Purpose(s) for collection

- Types of data collected (mandatory vs. optional)

- Legal basis or justification

- How the data will be stored, used, and destroyed

- Whether it will be transferred or disclosed outside the Kingdom

- Possible consequences of not providing data

Data Subjects’ Rights (DSR) and how to exercise them

Maintain Security Safeguards

Organizations must adopt organizational, administrative, and technical measures (e.g., data encryption, anonymization, access logs, intrusion detection, etc.) to secure personal data at all stages, including during transfer.

Personal Data Breach Notification

If a personal data breach (e.g., unauthorized access, leakage, destruction) occurs:

- Notify SDAIA within 72 hours of becoming aware.

- Notify Affected Individuals: If the breach poses a serious risk to them, they must be notified promptly, including details on the breach and how to contact the appointed Personal Data Protection Officer (DPO) for more information.

If the breach involves criminal activity, organizations may need to inform other relevant authorities in addition to SDAIA.

In any case, organizations should thoroughly investigate each data breach to identify its root causes and establish measures to prevent future breaches.

Personal Data Protection Officer (DPO)

Organizations engaged in either must appoint a DPO in accordance with the SDAIA’s Rules for Appointing Personal Data Protection Officer (DPO):

- Large-scale data processing

- Regular or systematic monitoring of individuals

Handling sensitive personal data

Note:

A DPO can be an internal employee or an external service provider.

The DPO must have data protection expertise and risk management skills.

Independence of the function is recommended so the DPO can operate without conflict of interest.

The DPO’s appointment and contact info must be registered via the National Data Governance Platform.

Data Protection Impact Assessment (DPIA)

Organizations must evaluate privacy risks and document how they manage them (especially for products/services used by the public).

At a minimum, Data Protection Impact Assessments (DPIA) must be carried out in cases required by the PDPL, helping ensure risks are mitigated with a documented plan.

Record of Processing Activities (RoPA)

During the data processing period and for 5 years afterward, organizations must keep internal Records of Processing Activities (RoPA) which must include:

Their own contact details

Purpose of processing

Categories of data subjects

Disclosures of personal data

Any transfers outside Saudi Arabia

Retention timelines

The RoPA must be kept updated to reflect any new or modified processing activities.

Vendor (Third-Party) Assessment

When outsourcing data processing, controllers must select processors that provide sufficient guarantees of PDPL compliance.

Data Controllers must also conduct ongoing monitoring to verify the vendor’s adherence to security and data protection instructions.

Sharing Personal Data Within the Kingdom

Even when sharing personal data domestically (i.e., within Saudi Arabia), you must comply with all relevant PDPL obligations.

This includes ensuring appropriate technical and organizational measures (such as Data Sharing Agreements (DSA), restricting access to authorized recipients, and implementing robust security controls) to protect personal data and uphold individuals’ rights.

Cross-Border Data Transfers

PDPL generally requires that personal data remain within Saudi Arabia unless:

The recipient country or international organization has “adequate” data protection regulations and oversight

SDAIA approves a transfer on national interest or compliance grounds

Specific exemptions apply (e.g., vital interests, fulfilling an international agreement, minimal data necessary, etc.)

If the destination is not deemed “adequate,” organizations may rely on appropriate safeguards like Standard Contractual Clauses (SCC), Binding Common Rules (BCR), or certifications.

Before transferring data outside the Kingdom, organizations must conduct a Transfer Impact Assessment (TIA) and document their safeguards.

National Register of Controllers

All controllers that process personal data as a core part of their operations or handle sensitive data must register on the National Data Governance Platform.

Registration involves designating a representative, disclosing organizational details, and (where required) confirming the Personal Data Protection Officer (DPO) appointment.

Entities receive a certificate valid for 5 years, which must be renewed as required by law.

Saudi Personal Data Protection Law Penalties and Fines (KSA PDPL)

PDPL enforces strict penalties for non-compliance, with criminal and financial consequences depending on the nature and severity of the violation. Penalties range from imprisonment and substantial fines for unauthorized disclosure or illegal cross-border transfers, to escalating fines for repeated breaches of other regulatory provisions.

Unauthorized Disclosure/Publication

Up to 2 years imprisonment and/or a fine up to

SAR 3 million.

Illegal Cross-Border Data Transfer

Up to 1 year imprisonment
and/or fine up to
SAR 1 million.

Violations of Other Provisions

Fines of up to SAR 5 million

can be doubled for any

repeated offenses.

Practical Steps to Achieve Compliance Under Saudi Personal Data Protection Law (KSA PDPL)

PDPL checklist outlines the key steps organizations should take to operationalize compliance. It blends explicit regulatory requirements with practical privacy program elements, ensuring personal data is inventoried, processed lawfully, protected adequately, and monitored consistently in line with SDAIA expectations.

Personal Data Inventory and Classification

Identify all personal data you collect (including sensitive data)

Map data flows (including cross-border transfers) and document each processing purpose

Interview relevant stakeholders (e.g., IT, HR, Legal) to ensure you capture all personal data sources and usage

Legal Basis & Consent Management

Ensure you have valid consent for each processing purpose or a lawful exemption

Implement an easy consent withdrawal mechanism

Privacy Policies or Privacy Notices

Draft/update a PDPL compliant privacy notice explaining your data collection, usage, and sharing practices

Disclose cross-border transfers, data retention periods, and Data Subject Rights (DSR)

Data Security Measures

Employ encryption, secure access controls, and intrusion detection, etc

Keep logs of personal data handling, especially sensitive data

Data Breach Response Plan

Develop a procedure to detect, investigate, and contain breaches

Prepare notification templates and processes to inform SDAIA and affected individuals within 72 hours, when required

Appoint Personal Data Protection Officer (DPO)

Evaluate if your core operations involve large-scale or sensitive data processing or systematic monitoring

Conduct Data Protection Impact Assessments (DPIAs)

Assess the privacy risks of new and existing products/services

Document findings and mitigation measures in a formal Data Protection Impact Assessment (DPIA) report

Record of Processing Activities (RoPA)

Maintain up-to-date Records of Processing Activities (RoPA) of how you handle personal data, retention periods, third-party recipients, etc

Keep these records for 5 years after processing ends

Vendor and Third-Party Assessments

Vet service providers’ data protection practices

Include Data Processing Agreements (DPA) ensuring they meet PDPL requirements

Cross-Border Data Transfer Checks

Identify any data flows leaving Saudi Arabia

Use SDAIA approved safeguards (e.g. Standard Contractual Clauses (SCC), Binding Common Rules (BCRs), and conduct risk assessments if no adequacy decision exists

Transfer only minimal data required and confirm the transfer does not conflict with national security or individual rights

If processing personal or sensitive data is a core activity, enroll on the National Data Governance Platform

Obtain/renew the certificate every 5 years

Staff Training and Awareness

Provide PDPL focused training to ensure employees understand how to handle personal data, respond to rights requests, and detect/report breaches

From PDPL Legal Compliance to Competitive Business Advantage

PDPL is now fully enforceable. Align with PDPL and SDAIA requirements, embed privacy into operational, legal, and technical frameworks, and leap in to IPO preparedness, public sector eligibility, investor trust, and cross-border data enablement.

Your PDPL Readiness Playbook:

The Saudi Arabia Personal Data Protection Law (KSA PDPL) marks a regulatory shift that redefines how organizations must manage, process, and protect personal data across the Kingdom.

It introduces new obligations, legal bases, data subject rights, and enforcement mechanisms with real consequences for non-compliance.

To stay ahead, organizations must go beyond policy paperwork and embed privacy into their operational DNA from systems and vendors to training and governance.

Here’s how to get started →

The Grace Period Ended

The 14 September 2024 enforcement deadline has passed. Organizations must ensure their legal basis, consent, breach, and cross-border data transfers are aligned with the PDPL and Implementing Regulations.

Operationalize PDPL Compliance

From RoPA and DPIAs to DSR workflows, training logs, and breach response records, PDPL requires evidence of accountability. SDAIA expects organizations to demonstrate compliance on request, not just declare it.

Treat PDPL alignment as a competitive advantage

PDPL readiness is increasingly a prerequisite for IPO preparation, due diligence audits, and investor confidence. For vendors and suppliers, public sector entities now require PDPL compliance as a condition for contract renewals and eligibility in new tenders.

Embed Privacy by Design (PbD)

Ensure privacy is built into every system, vendor workflow, and process, from collection to deletion. Follow principles like data minimization, access limitation, and purpose restriction early in development.

Establish a Continuous Compliance Program

PDPL is not a one-time project. Assign ownership through a Data Protection Officer (DPO) or equivalent governance lead. Conduct regular audits, refresh employee training, assess third-party risk, and test your breach readiness every quarter.

3 ways we can help you:

1. End-to-End PDPL Implementation

2. Ongoing DPO-as-a-Service (DPOaaS)

3. External PDPL Audit & Risk Review

Saudi Personal Data Protection Law Compliance Services by Hala Privacy (KSA PDPL)

PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Personal Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Saudi PDPL Compliance Implementation in 4 Weeks (KSA PDPL) ↓

Click the button below to start your PDPL Compliance journey, stay prepared for SDAIA audits, and eliminate the risk of enforcement actions.

4-Week Saudi PDPL Compliance Sprint (KSA PDPL)

Hala Privacy offers a focused 4-week PDPL Compliance sprint for Small & Medium Enterprises (SMEs). Unlike other consulting firms, we don’t outsource or inflate costs. Our in-house PDPL Experts, Consultants, and Legal Counsel deliver compliance through on-site discovery, workshops, policy implementation, and structured, audit-ready documentation.

We handle everything: Data Controller Registration, DPO Assignment, RoPA, Legal Basis, Privacy Notice, DSR, DPA, DPIA, TIA, SCC, BCR, Cookies & Consent, Breach Readiness, Training, etc., ensuring SDAIA aligned PDPL Compliance.

Guide to Saudi Arabia’s Personal Data Protection Law (KSA PDPL)

Navigating Saudi Personal Data Protection Law (KSA PDPL), Implementing Regulations, and SDAIA Guidelines.

Overview: Saudi Personal Data Protection Law (KSA PDPL)

Guide to Saudi Arabia’s Personal Data Protection Law (KSA PDPL)

Navigating Saudi Personal Data Protection Law (KSA PDPL), Implementing Regulations & SDAIA Guidelines.

Overview: Saudi Personal Data Protection Law (KSA PDPL)

Enforcement Timeline of Saudi Personal Data Protection Law (KSA PDPL)

Enforcement Authorities under the Saudi Personal Data Protection Law (KSA PDPL)

SDAIA

NDMO

Public Prosecution Office

Saudi Personal Data Protection Law Scope & Applicability (KSA PDPL)

PDPL Material Scope (What)

PDPL Territorial Scope (Where)

Key Definitions of Saudi Personal Data Protection Law (KSA PDPL)

Core Principles of Saudi Personal Data Protection Law (KSA PDPL)

Legal Bases for Processing Under Saudi Personal Data Protection Law (KSA PDPL)

Data Subject Rights (DSR) under Saudi Personal Data Protection Law (KSA PDPL)

Compliance Obligations Under Saudi Personal Data Protection Law (KSA PDPL)

Saudi Personal Data Protection Law Penalties and Fines (KSA PDPL)

Unauthorized Disclosure/Publication

Illegal Cross-Border Data Transfer

Violations of Other Provisions

Practical Steps to Achieve Compliance Under Saudi Personal Data Protection Law (KSA PDPL)

From PDPL Legal Compliance to Competitive Business Advantage

Your PDPL Readiness Playbook:

Saudi Personal Data Protection Law Compliance Services by Hala Privacy (KSA PDPL)

PDPL Compliance Implementation

Personal Data Protection Officer As A Service (DPOaaS)

PDPL Compliance Audit (External)

Saudi PDPL Compliance Implementation in 4 Weeks (KSA PDPL) ↓

4-Week Saudi PDPL Compliance Sprint (KSA PDPL)

Guide to Saudi Arabia’s
Personal Data Protection Law (KSA PDPL)

Navigating Saudi Personal Data Protection Law (KSA PDPL),
Implementing Regulations & SDAIA Guidelines.