Saudi Arabia Data Privacy Laws: PDPL Compliance Guide (2026)

Last updated: March 21, 2026
Saudi Arabia's Personal Data Protection Law (PDPL) represents a major milestone in the Kingdom's digital transformation under Vision 2030. Enacted through Royal Decree No. M/19 on September 16, 2021, and amended by Royal Decree No. M/148 on March 27, 2023, the PDPL establishes a comprehensive framework for how personal data must be collected, processed, stored, and shared within and outside Saudi Arabia.
If your organization handles personal data of individuals located in the Kingdom, understanding these requirements is not optional. SDAIA is actively enforcing the law, and the penalties for non-compliance are substantial.
This guide covers everything you need to know about Saudi Arabia's data privacy framework, including the PDPL's core provisions, SDAIA's enforcement powers, data subject rights, consent requirements, breach notification obligations, cross-border transfer rules, and the penalties for violations.
Overview of the PDPL
The Personal Data Protection Law is Saudi Arabia's first comprehensive data protection legislation. It draws heavily from international frameworks like the EU's General Data Protection Regulation (GDPR) while incorporating provisions tailored to the Kingdom's legal and cultural context.

Key Timeline
The PDPL's development followed a structured rollout:
- September 16, 2021 -- Royal Decree No. M/19 issued, establishing the PDPL
- March 27, 2023 -- Royal Decree No. M/148 amended the PDPL with significant updates
- September 7, 2023 -- Implementing Regulations published by SDAIA
- September 14, 2023 -- PDPL formally enacted, with a one-year compliance grace period
- September 14, 2024 -- Grace period ended; full enforcement began
- February 2025 -- SDAIA published Risk Assessment Guidelines for cross-border transfers
- 2025 -- Rules for Appointing Data Protection Officers published
Scope and Extraterritorial Application
The PDPL applies broadly. It covers any entity or individual located within Saudi Arabia that processes personal data by any means. It also applies extraterritorially to entities and individuals outside Saudi Arabia that process personal data of individuals located in the Kingdom.
This means a company based in the United States, Europe, or Asia that collects data from Saudi residents through a website, app, or service must comply with the PDPL, even if the company has no physical presence in Saudi Arabia.
Personal Data Definition
Under the PDPL, personal data means any data that can identify an individual or make them identifiable, directly or indirectly. This includes names, identification numbers, addresses, phone numbers, photographs, voice recordings, and any other information linked to an identifiable person.
SDAIA: The Enforcement Authority
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the government body responsible for overseeing and enforcing the PDPL. SDAIA was established as the national authority for data and artificial intelligence, and it plays the dual role of regulator and promoter of Saudi Arabia's data-driven economy.
SDAIA's Powers
SDAIA holds significant regulatory authority, including the power to issue implementing regulations, rules, and guidelines that supplement the PDPL. The authority can investigate potential violations, issue enforcement decisions, impose fines, and refer criminal matters to the courts.
Enforcement Track Record
Since full enforcement began in September 2024, SDAIA has demonstrated it takes violations seriously. Within the first year, SDAIA's enforcement committees issued 48 decisions confirming PDPL violations against organizations. These decisions covered a range of issues including unlawful collection and processing of personal data, insufficient technical and organizational security controls, and sending marketing messages without obtaining prior consent.
SDAIA has also been responding promptly to data subject complaints, requiring controllers to respond within short timeframes and provide supporting evidence of their compliance.
National Data Governance Platform
SDAIA operates the National Data Governance Platform, which serves as the central portal for controller registration, breach reporting, and regulatory communication. Controllers meeting certain thresholds must register on this platform, and all breach notifications are submitted through it.
Lawful Bases for Processing
The PDPL establishes several lawful bases for processing personal data. While consent is the primary and default basis, the 2023 amendments expanded the available grounds.
Consent as the Default
Consent remains the principal legal basis under the PDPL. The law operates on an opt-in model, meaning organizations must obtain consent before processing personal data. Consent requirements under the PDPL are detailed and specific.
Organizations must inform data subjects why consent is being requested and the legal justification for processing. They must explain all granular purposes for data processing and the available consent options. Data subjects must be informed of their right to withdraw consent at any time. Consent must be explicit, documented, and provable.
For sensitive personal data or credit data, consent must be explicitly obtained with heightened disclosure requirements.
Other Lawful Bases
Beyond consent, the PDPL recognizes several additional lawful bases for processing:
- Legal or regulatory obligation -- Processing required to comply with Saudi law or regulation
- Contractual necessity -- Processing needed to fulfill obligations under an existing agreement with the data subject
- Vital interests -- Processing necessary to protect the health, safety, or life of the data subject or another person
- Legitimate interests -- Processing necessary for the controller's legitimate interests, provided those interests do not override the rights of the data subject (added by the 2023 amendments)
- Public interest or national security -- Processing required for public interest or national security purposes
- Publicly available data -- Processing data that has been lawfully made publicly available by the data subject
One critical restriction: legitimate interest cannot be used as a basis for processing sensitive personal data. This is a stricter standard than what exists under the GDPR.
Sensitive Personal Data
The PDPL provides enhanced protections for sensitive personal data, recognizing its potentially harmful nature if misused.
What Qualifies as Sensitive Data
Under the PDPL, sensitive personal data includes:
- Racial or ethnic origin data
- Religious, intellectual, or political beliefs
- Criminal and security records
- Biometric data (fingerprints, facial recognition, retinal scans)
- Genetic data
- Health data (medical records, conditions, treatments)
- Data indicating that one or both parents are unknown
Restrictions on Sensitive Data Processing
Processing sensitive data is subject to stricter requirements than ordinary personal data. Explicit consent is required in all cases. The legitimate interest basis cannot be used. Sensitive data cannot be used for marketing purposes. Organizations must implement additional technical and organizational safeguards. A Data Protection Impact Assessment must be conducted before processing.
The criminal penalties for unauthorized disclosure of sensitive data are more severe than for general PDPL violations.
Data Subject Rights
The PDPL grants individuals a comprehensive set of rights regarding their personal data. These rights are enforceable, and SDAIA has shown willingness to act on complaints from data subjects.
Right to Be Informed
Data subjects have the right to know the legal basis for processing their data, the purpose of collection and processing, the means by which their data is collected, and the identity of any entity to which their data may be disclosed.
Right of Access
Individuals can request access to all personal data an organization holds about them. Controllers must provide a complete copy of the data in a readable format.
Right to Correction
Data subjects can request that inaccuracies in their personal data be corrected. When corrections are made, the controller must notify all third parties that previously received the data to update, correct, or complete the information.
Right to Deletion
Individuals can request deletion of their personal data when it is no longer necessary for the purpose it was collected, when consent has been withdrawn, or when the data was processed unlawfully. Exceptions exist for data required for legal proceedings or regulatory compliance.
Right to Data Portability
The PDPL requires that personal data be provided in a structured, machine-readable format such as CSV or JSON when a data subject requests portability. This allows individuals to transfer their data to another controller.
Right to Withdraw Consent
Data subjects can withdraw their consent at any time. Upon withdrawal, the controller must cease processing unless another lawful basis applies. The withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.
Right to Object
Individuals can object to the processing of their personal data in certain circumstances, particularly when processing is based on legitimate interests.
Response Timeframe
Controllers must respond to data subject requests within 30 days. An extension of an additional 30 days is permitted where the complexity or volume of requests justifies it, but the controller must inform the data subject of the extension and the reasons for it.
Controller Obligations
Organizations that determine the purpose and means of processing personal data bear significant responsibilities under the PDPL.
Registration Requirements
Controllers must register with SDAIA's National Data Governance Platform if they are a public entity, their primary activity involves processing personal data, they process sensitive personal data, or an individual's data processing extends beyond personal or family use.
Registration is completed online at no cost, and the registration certificate is valid for five years. SDAIA notifies controllers 30 days before expiry.
Data Protection Officer Appointment
SDAIA published Rules for Appointing a Data Protection Officer requiring controllers to appoint a DPO when the controller is a public entity providing large-scale services involving personal data processing, the controller's core activities involve regular and systematic monitoring of data subjects, or the controller's core activities involve processing sensitive personal data.
The DPO must have appropriate academic qualifications, experience in personal data protection, knowledge of risk management practices, and no convictions for dishonesty or breach of trust. The DPO can be an employee or external contractor, and their details must be submitted through the National Data Governance Platform.
Data Protection Impact Assessments
A DPIA is required before processing that poses heightened risks to data subjects. This includes processing sensitive personal data, systematic large-scale processing of individuals who lack legal capacity, collecting or linking data from multiple sources, using new technologies, automated decision-making, and providing products or services likely to cause serious harm to data subject privacy.
The Implementing Regulations specify minimum DPIA requirements and require controllers to share a copy with any processor handling the relevant data.
Privacy by Design
The PDPL requires organizations to embed data protection principles into systems, processes, and products from the design phase. This goes beyond policy documentation and demands that privacy considerations are integrated into every operational decision involving personal data.
Record Keeping
Controllers must maintain records of their processing activities, including purposes of processing, categories of data subjects and personal data, recipients of disclosed data, cross-border transfer details, and security measures implemented.
Breach Notification Requirements
The PDPL imposes strict obligations for reporting personal data breaches.
Notification to SDAIA
Under Article 24 of the Implementing Regulations, controllers must notify SDAIA within 72 hours of becoming aware of any data breach that may harm personal data or data subjects. Unlike many international frameworks, the PDPL does not include a materiality threshold. All breaches that may harm personal data or conflict with data subjects' rights must be reported, regardless of size or impact.
Notification Content
When notifying SDAIA, organizations must provide a description of the incident and how it occurred, the category and estimated number of affected individuals, an assessment of the potential consequences, and the measures taken to mitigate risks and prevent future incidents.
Notification to Data Subjects
Data subjects must be notified without undue delay when a breach may cause harm to their personal data or interests. The notification must include sufficient detail for individuals to understand the risk and take protective action.
Reporting Method
All breach notifications must be submitted through the National Data Governance Platform. Organizations must register on the platform before they can access the breach reporting function. Waiting until a breach occurs to register is not an acceptable approach.
Three-Stage Response Framework
SDAIA has published a Personal Data Breach Incidents Procedural Guide that outlines a three-stage response framework: containment and initial assessment, detailed investigation and risk evaluation, and remediation with follow-up reporting to SDAIA.
Cross-Border Data Transfers
Transferring personal data outside Saudi Arabia is one of the most heavily regulated aspects of the PDPL. Organizations must satisfy multiple requirements before any data leaves the Kingdom.
General Requirements
Controllers cannot transfer personal data outside Saudi Arabia unless they meet the following conditions:
- The transfer must not prejudice national security or the vital interests of the Kingdom
- The recipient country must provide an adequate level of data protection as determined by SDAIA
- The transfer must be limited to the minimum data necessary for the specified purpose
- Appropriate safeguards must be in place
Adequacy Assessments
SDAIA evaluates whether recipient countries provide equivalent protection by examining the country's data protection legal framework, whether a functioning supervisory authority exists and is willing to cooperate with Saudi regulators, and whether the legal framework conflicts with Saudi law or interests.
Approved Safeguards
For transfers to countries that have not received an adequacy determination, controllers must implement SDAIA-approved safeguards. These include Standard Contractual Clauses (SCCs) approved by SDAIA, Binding Corporate Rules for intra-group transfers, and other contractual mechanisms that provide equivalent protection.
Risk Assessment Requirements
In February 2025, SDAIA published Risk Assessment Guidelines for cross-border personal data transfers. These guidelines require organizations to assess the impact of the transfer on Saudi citizens, businesses, and the broader economy. They must evaluate whether the transfer could compromise national security, economic stability, or public interest. Organizations must document that sufficient security measures are in place to protect personal data during and after the transfer.
For continuous or large-scale transfers of sensitive data, mandatory risk assessments must be completed and documented before the transfer begins.
Data Localization Considerations
While the PDPL does not impose a blanket data localization requirement, Saudi authorities have indicated a preference for storing sensitive and personally identifiable data within the Kingdom. The National Cybersecurity Authority (NCA) works alongside SDAIA to enforce data transfer restrictions, and specific sectors may face additional localization obligations.
Penalties and Enforcement
The PDPL establishes a tiered penalty framework that includes both administrative fines and criminal sanctions.
Administrative Penalties
For general violations of the PDPL and its implementing regulations, SDAIA may issue a warning or impose a fine of up to SAR 5 million (approximately USD 1.33 million). For repeat violations, the fine can be doubled to SAR 10 million.
Criminal Penalties
Intentional disclosure or publication of sensitive personal data with the intent to harm the data subject or achieve personal benefit is a criminal offense. Penalties include imprisonment of up to two years, a fine of up to SAR 3 million (approximately USD 800,000), or both. For repeat criminal offenses, the court may double the fine to SAR 6 million, extend the term of imprisonment, or both.
Additional Consequences
Beyond fines and imprisonment, violations can result in confiscation of proceeds obtained through the violation, a court order requiring the publication of the judgment at the violator's expense, an order to destroy unlawfully collected personal data, and reputational damage and loss of business relationships.
Enforcement Trends
SDAIA's enforcement actions during the first year of the PDPL reveal a focus on several key areas. Unlawful data collection and processing without a valid legal basis has been a primary concern. Insufficient security controls protecting personal data have drawn scrutiny. Marketing communications sent without prior consent have resulted in multiple enforcement actions. Failure to respond adequately to data subject complaints has triggered regulatory attention.
Organizations should expect enforcement activity to increase as SDAIA's capacity grows and awareness of data subject rights expands among the Saudi population.
Compliance Checklist
Organizations subject to the PDPL should prioritize the following steps to achieve and maintain compliance:
- Conduct a data inventory -- Map all personal data processing activities, identifying what data you collect, why, and how it flows
- Establish lawful bases -- Document the legal basis for each processing activity
- Update privacy notices -- Ensure transparency about data collection, use, and sharing
- Implement consent mechanisms -- Build opt-in consent flows that meet PDPL requirements
- Appoint a DPO -- If your organization meets the threshold criteria
- Register on the NDGP -- Complete registration on the National Data Governance Platform
- Conduct DPIAs -- For processing activities that pose heightened risks
- Establish breach response procedures -- Ensure you can detect, assess, and report breaches within 72 hours
- Review cross-border transfers -- Assess adequacy, implement safeguards, and document risk assessments
- Train staff -- Ensure employees understand their obligations under the PDPL
- Maintain records -- Keep detailed documentation of all processing activities and compliance efforts
Frequently Asked Questions
Who does the Saudi PDPL apply to?
The PDPL applies to all entities and individuals located within Saudi Arabia that process personal data. It also has extraterritorial reach, applying to organizations outside the Kingdom that process personal data of individuals located in Saudi Arabia. This means international companies offering goods or services to Saudi residents or monitoring their behavior must comply, even without a physical presence in the country.
What is the difference between the PDPL and GDPR?
While the PDPL draws inspiration from the GDPR, there are notable differences. The PDPL places greater emphasis on consent as the default lawful basis for processing. Legitimate interest cannot be used for sensitive data processing under the PDPL. The PDPL includes criminal penalties including imprisonment, which the GDPR does not. Cross-border transfer requirements under the PDPL incorporate national security considerations specific to Saudi Arabia. The PDPL also includes a unique category of sensitive data covering individuals whose parents are unknown.
What are the penalties for non-compliance with the PDPL?
Penalties include administrative fines of up to SAR 5 million (approximately USD 1.33 million) for general violations, with the possibility of doubling for repeat offenses. Criminal violations involving intentional disclosure of sensitive data can result in up to two years imprisonment and fines up to SAR 3 million. Courts can also order confiscation of proceeds, publication of judgments, and destruction of unlawfully collected data.
How does the PDPL handle cross-border data transfers?
Transferring personal data outside Saudi Arabia requires meeting several conditions: the transfer must not prejudice national security, the recipient country must provide adequate data protection, appropriate safeguards such as SDAIA-approved Standard Contractual Clauses must be in place, and a risk assessment must be conducted for sensitive or large-scale transfers. SDAIA published specific Risk Assessment Guidelines in February 2025 to provide a structured methodology for organizations.
Do organizations need to appoint a Data Protection Officer?
A DPO appointment is mandatory for public entities providing large-scale services involving personal data, organizations whose core activities involve regular and systematic monitoring of data subjects, and organizations whose core activities involve processing sensitive personal data. The DPO must have appropriate qualifications, data protection experience, and must be registered on the National Data Governance Platform.
Sources and References
This article was researched using the following authoritative sources:
- SDAIA Laws and Regulations Portal (sdaia.gov.sa) -- Official repository of the PDPL text, implementing regulations, and supplementary rules
- National Data Governance Platform (dgp.sdaia.gov.sa) -- SDAIA's portal for controller registration and breach reporting
- SDAIA Personal Data Breach Incidents Procedural Guide (sdaia.gov.sa) -- Official guidance on breach response
- SDAIA Rules for Appointing a Data Protection Officer (sdaia.gov.sa) -- Official rules on DPO appointment requirements
- SDAIA Regulation on Personal Data Transfer Outside the Kingdom (dgp.sdaia.gov.sa) -- Official rules on cross-border transfers
- SDAIA Risk Assessment Guidelines for Cross-Border Transfers (clydeco.com) -- Guidance on transfer risk assessments
- Saudi National Portal -- Data Regulation and Cybersecurity (my.gov.sa) -- Government overview of the regulatory framework
- IAPP -- Saudi PDPL First Anniversary Enforcement Analysis (iapp.org) -- Detailed analysis of enforcement developments
- ICLG Data Protection Report 2025-2026 -- Saudi Arabia (iclg.com) -- Comprehensive legal analysis
- DLA Piper Data Protection Laws -- Saudi Arabia (dlapiperdataprotection.com)
- King and Spalding -- International Data Transfers under PDPL (kslaw.com)
- Akin Gump -- PDPL Key Obligations and Responsibilities (akingump.com)
- CMS Law -- One Year Anniversary Saudi PDPL (cms-lawnow.com)
- U.S. Commercial Service -- Saudi Arabia Cross-Border Data Transfer Rules (trade.gov)
- Morgan Lewis -- Guide to Registering as a Data Controller (morganlewis.com)
- Dentons -- Saudi Arabia Framework for Cross-Border Data Transfers (dentons.com)
- SecurePrivacy -- Saudi Arabia PDPL Guide (secureprivacy.ai)
- PDPL Penalties in Saudi Arabia (standardtouch.com)