Technology · Privacy · SDAIA
PDPL: Saudi Arabia's Data Privacy Revolution.
Saudi Arabia's Personal Data Protection Law (PDPL), issued under Royal Decree M/19 of 1443H, came into full effect on 14 September 2023 — marking the Kingdom's formal entry into the global data privacy regulatory landscape. Governed by the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Data Management Office (NDMO), the PDPL imposes substantial obligations on any entity that collects, processes, or transfers personal data of individuals within Saudi Arabia.
Scope and Applicability
The PDPL applies to any processing of personal data relating to individuals residing in Saudi Arabia, regardless of where the data controller is located. This extraterritorial scope mirrors the approach of the EU GDPR and means that foreign companies — including those providing services online to Saudi residents — are subject to PDPL requirements even if they have no physical presence in the Kingdom.
Exemptions exist for personal data processed for personal or family purposes, data relating to deceased individuals, and data used exclusively for national security purposes. However, the overwhelming majority of commercial and professional service activities fall within the PDPL's scope.
PDPL Key Obligations Summary
1. Lawful basis required for all processing — consent, contractual necessity, legal obligation, vital interests, or legitimate interest.
2. Cross-border transfers permitted only to countries with equivalent protection or with SDAIA approval — no blanket adequacy decisions yet.
3. Data subject rights: access, correction, erasure, and objection — must be fulfilled within defined timeframes.
4. Breach notification to SDAIA within 72 hours of discovery of a breach that may cause harm to data subjects.
Lawful Bases for Processing
Unlike the EU GDPR, the PDPL does not use the same six-category lawful basis structure. The PDPL permits processing where: (1) the data subject has given clear, specific consent; (2) processing is necessary for the performance of a contract with the data subject; (3) processing is required by a legal obligation; (4) processing is necessary to protect the vital interests of the data subject; or (5) processing is necessary for the legitimate interests of the controller, provided those interests do not override the data subject's rights.
Sensitive personal data — defined to include health data, biometric data, genetic data, credit data, and data revealing religious beliefs or criminal records — requires explicit consent or falls under specific statutory exceptions. Processing sensitive data without a valid basis attracts the PDPL's highest penalty tier.
Cross-Border Data Transfers
Cross-border transfer of personal data outside Saudi Arabia is subject to significant restrictions. Transfers are permitted only where: (1) the destination country provides an adequate level of data protection as recognised by SDAIA; (2) the controller has obtained SDAIA's prior approval; or (3) the transfer is necessary for one of the specified exceptions (contract performance, legal proceedings, vital interests).
As of 2026, SDAIA has not yet published a formal list of countries with adequate protection — meaning most cross-border transfers require either explicit SDAIA approval or a contractual mechanism (such as data transfer agreements incorporating SDAIA-approved standard clauses). This is a significant operational constraint for multinational enterprises and cloud-based service providers with data hosted outside the Kingdom.
Data Subject Rights
The PDPL grants Saudi residents the following data subject rights, which controllers must be operationally prepared to fulfil:
Right of Access
Data subjects may request confirmation of whether their data is being processed and receive a copy of the data. Controllers must respond within a defined period (set out in the implementing regulations — generally within 30 days).
Right to Correction and Erasure
Data subjects may request correction of inaccurate data and erasure of data that is no longer necessary for the original purpose of collection or where the legal basis for processing no longer exists.
Penalties and Enforcement
The PDPL establishes a tiered penalty regime. Processing personal data in violation of the PDPL is punishable by a fine of up to SAR 1 million (approx. USD 267,000). Violations involving sensitive personal data or cross-border transfer restrictions attract fines of up to SAR 5 million (approx. USD 1.33 million). Repeat violations may result in doubling of the applicable fine. SDAIA has enforcement powers including the right to conduct audits, demand information, and suspend data processing operations.
Practical Compliance Roadmap
Enterprises operating in Saudi Arabia should prioritise the following PDPL compliance actions:
- Conduct a data mapping exercise to identify all personal data processed, its lawful basis, and current cross-border transfer flows.
- Update privacy policies and consent mechanisms to comply with PDPL transparency requirements.
- Assess cross-border transfer arrangements — review cloud hosting locations and evaluate whether SDAIA approval or contractual safeguards are required.
- Establish a data subject rights management process capable of responding within regulatory timeframes.
- Implement a data breach response plan with 72-hour SDAIA notification capability.
- Review vendor contracts for data processing terms — PDPL requires appropriate contractual protections when engaging third-party processors.
For a PDPL compliance review for your Saudi operations, contact our KSA Technology & Privacy team at connect@deccanbridge.com.