PDPL Compliance Guide for Saudi Arabia
What the PDPL is
The Personal Data Protection Law (PDPL), enacted by Royal Decree M/19, is Saudi Arabia's first comprehensive data protection framework. It came into effect on September 14, 2023, with a transition period allowing organizations time to achieve full compliance. The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority overseeing implementation, though supervisory functions may eventually transfer to a dedicated Personal Data Protection Authority.
For European companies operating in the Kingdom through an LLC, branch, or RHQ, PDPL compliance is not optional. Any entity processing personal data within Saudi Arabia, or processing data relating to Saudi residents, falls within scope.
Who it applies to
- Any entity or individual processing personal data within Saudi Arabia, regardless of where the entity is incorporated
- Any entity processing personal data of individuals residing in Saudi Arabia, even if processing occurs outside the Kingdom
- Government bodies processing personal data (with certain exemptions for national security and judicial functions)
Key definitions
| Term | PDPL definition | GDPR equivalent |
|---|---|---|
| Personal data | Any data that can identify an individual directly or indirectly | Broadly equivalent |
| Sensitive data | Data revealing ethnic origin, religious or political beliefs, criminal records, biometric/genetic data, health data, credit data | Similar to GDPR "special categories" with some differences |
| Data controller | Entity that determines the purpose and means of processing personal data | Equivalent |
| Data processor | Entity that processes personal data on behalf of the controller | Equivalent |
| Processing | Any operation performed on personal data: collection, recording, storage, use, disclosure, destruction | Broadly equivalent |
Legal bases for processing
Consent is a primary legal basis under the PDPL, but it is not the only one. The law recognizes several grounds for lawful processing:
- Consent: must be informed, specific, unambiguous, and freely given. For sensitive data, consent must be explicit.
- Contractual necessity: processing required to perform a contract with the data subject
- Legal obligation: processing necessary for compliance with Saudi law
- Vital interests: processing necessary to protect the life or health of the data subject
- Legitimate interest: recognized under the implementing regulations, subject to a balancing test (this basis is narrower than under the GDPR)
- Publicly available data: processing data that the data subject has deliberately made public
Data subject rights
The PDPL grants individuals the following rights, which organizations must be prepared to fulfill:
- Right to be informed: about what data is collected, why, and how it will be used
- Right of access: to obtain a copy of their personal data
- Right to correction: to request rectification of inaccurate data
- Right to destruction: to request deletion of personal data when no longer needed for its original purpose
- Right to withdraw consent: at any time, without affecting lawfulness of prior processing
- Right to data portability: in certain circumstances
- Right to object: to processing in specific situations
Organizations must respond to data subject requests within the timeframes specified in the implementing regulations. Having a documented process for handling these requests before they arrive is essential.
Cross-border data transfers
The PDPL restricts the transfer of personal data outside Saudi Arabia. Transfers are permitted only when:
- The receiving country provides an adequate level of data protection (SDAIA maintains or will maintain a list of adequate jurisdictions)
- Adequate safeguards are in place (contractual clauses, binding corporate rules, or other approved mechanisms)
- The transfer is necessary for specific purposes defined in the law (contract performance, legal claims, public interest)
Practical implications for European companies
If your Saudi entity shares employee data, customer data, or operational data with a European parent or other group entities, you must assess whether the transfer meets PDPL requirements. Do not assume that GDPR compliance in Europe automatically satisfies PDPL transfer conditions. The adequacy lists and mechanisms are separate.
Certain categories of data may be subject to additional data localization requirements under sector-specific regulations, particularly in financial services (SAMA rules) and telecommunications.
Data breach notification
The PDPL requires data controllers to notify SDAIA of personal data breaches that may cause harm to data subjects. Key obligations:
- Notification to SDAIA must be made within the timeframe specified in the implementing regulations
- Affected data subjects must also be notified if the breach is likely to cause significant harm
- Notifications must include: nature of the breach, categories of data affected, estimated number of individuals affected, potential consequences, and remedial measures taken
- Organizations should maintain an internal breach register documenting all incidents, whether or not they trigger notification obligations
Penalties
The PDPL establishes penalties for non-compliance, including:
- Fines of up to SAR 5 million for violations (the implementing regulations may specify different amounts for different types of violations; verify the current schedule)
- Imprisonment for certain offenses, particularly those involving disclosure of sensitive data with intent to harm
- Warning notices and corrective orders for less severe violations
- Penalties may be doubled for repeat offenses
Sector-specific overlaps
The PDPL operates alongside, rather than replacing, sector-specific data rules:
- SAMA (Saudi Central Bank): additional requirements for financial data, including data localization rules for banking and insurance
- NCA (National Cybersecurity Authority): cybersecurity controls that complement PDPL's security requirements
- CITC (Communications, Space and Technology Commission): telecommunications data rules
- NPHIES/NCAR: health data regulations for the healthcare sector
Where sector rules impose stricter requirements than the PDPL, the stricter standard applies.
Compliance steps for foreign companies
- Data mapping. Identify what personal data you collect, where it is stored, who accesses it, and where it flows (including cross-border transfers to parent entities).
- Legal basis assessment. For each processing activity, document the applicable legal basis under the PDPL.
- Privacy notice. Publish a clear, Arabic-language privacy notice that meets PDPL disclosure requirements. An English version should supplement but not replace the Arabic version.
- Consent mechanisms. Where consent is the legal basis, implement mechanisms that capture informed, specific, and unambiguous consent. Review existing consent flows inherited from European operations.
- Data subject rights procedures. Establish internal processes for receiving, verifying, and responding to data subject requests within regulatory timeframes.
- Cross-border transfer assessment. Audit all data flows outside Saudi Arabia and ensure each transfer has a lawful basis under the PDPL.
- Breach response plan. Develop an incident response plan that includes PDPL notification requirements alongside any existing GDPR breach procedures.
- Data protection officer. Assess whether your organization is required to appoint a DPO under the implementing regulations. Even where not strictly required, designating a responsible individual is prudent.
- Vendor and processor contracts. Review agreements with third-party processors to ensure they include PDPL-compliant data processing terms.
- Training. Ensure staff handling personal data understand PDPL obligations, particularly those who may be accustomed only to GDPR frameworks.
PDPL vs. GDPR at a glance
| Area | PDPL | GDPR |
|---|---|---|
| Scope | Processing in Saudi Arabia or relating to Saudi residents | Processing in the EU/EEA or relating to EU residents |
| Primary legal basis | Consent, contractual necessity, legal obligation, vital interests, legitimate interest, public data | Six legal bases including legitimate interest (broader application) |
| Sensitive data | Includes credit data; religious belief is sensitive | Similar categories; religious belief also sensitive |
| Cross-border transfers | Restricted; adequacy list pending/evolving | Restricted; established adequacy decisions |
| Breach notification | To SDAIA within specified timeframe | To supervisory authority within 72 hours |
| Maximum fines | Up to SAR 5 million (verify current schedule) | Up to EUR 20 million or 4% of global turnover |
| DPO requirement | Required in certain circumstances | Required for large-scale processing and public bodies |
GDPR compliance provides a strong foundation but does not substitute for PDPL-specific compliance. The differences in cross-border transfer rules, consent requirements, and enforcement mechanisms are material.
What foreign operators get wrong
Common mistakes
- Assuming GDPR compliance is sufficient. The PDPL has its own requirements, particularly around cross-border transfers and consent. A separate compliance assessment is necessary.
- Ignoring Arabic-language requirements. Privacy notices and consent forms should be available in Arabic. Relying solely on English-language documents may not satisfy disclosure obligations.
- Overlooking intercompany data flows. Routine transfers of employee data, CRM data, or analytics data to a European parent entity are cross-border transfers under the PDPL and must be assessed.
- No breach response plan. Without a documented plan, organizations risk missing notification deadlines and compounding penalties.
- Treating the transition period as a free pass. The grace period is for achieving compliance, not for delaying the start of compliance work. Organizations that wait until enforcement begins will face a significantly compressed timeline.
- Failing to account for sector-specific rules. If you operate in financial services, healthcare, or telecommunications, additional data rules apply on top of the PDPL.
Frequently asked questions
Does the PDPL apply if my company only processes employee data?
Yes. Employee data is personal data under the PDPL. All processing of employee information, including collection during recruitment, storage during employment, and transfers to parent entities abroad, must comply with the law.
Do I need a data protection officer?
The implementing regulations specify circumstances under which a DPO appointment is required, generally related to the scale and sensitivity of data processing. Even where not mandatory, designating an individual responsible for data protection compliance is strongly recommended.
Can I transfer personal data to our European headquarters?
Cross-border transfers require either that the receiving country is on SDAIA's adequacy list or that adequate safeguards are in place. Implement appropriate contractual protections and document your transfer impact assessment before initiating routine data flows.
Is there a registration requirement with SDAIA?
The implementing regulations address registration and notification obligations. Check the current requirements with SDAIA, as these may evolve as the regulatory framework matures.
What is the current compliance deadline?
The PDPL came into effect in September 2023 with a transition period that has been extended. Verify the current deadline directly with SDAIA, as it is subject to change. Regardless of the deadline, organizations should be actively working toward compliance now.
Primary sources
- SDAIA (Saudi Data and Artificial Intelligence Authority): sdaia.gov.sa
- PDPL full text (Royal Decree M/19): available via the Bureau of Experts
- Implementing Regulations: published by SDAIA, available on their official portal
- National Data Governance Office: ndmo.gov.sa
Last reviewed: March 12, 2026. The PDPL and its implementing regulations are evolving. Transition deadlines, enforcement guidance, and cross-border transfer rules may change. Confirm current obligations with SDAIA or qualified data protection counsel before making compliance decisions.