Saudi Arabia Data Privacy Laws: PDPL Compliance Guide (2026)

Saudi Arabia's Personal Data Protection Law (PDPL), enacted under Royal Decree No. M/19 and amended by Royal Decree No. M/148, governs the collection and processing of personal data for any organization handling data of individuals located in the Kingdom. Full enforcement by SDAIA commenced September 14, 2024.
Information last verified: May 19, 2026
Saudi Arabia's Personal Data Protection Law (PDPL) represents the Kingdom's first comprehensive data protection framework. Royal Decree No. M/19 enacted it on September 16, 2021; Royal Decree No. M/148 amended it on March 27, 2023. The law entered into force on September 14, 2023, and full enforcement began on September 14, 2024. Any organization that processes personal data of individuals located in the Kingdom must comply, regardless of where that organization is established.
This guide covers the PDPL's legal framework, SDAIA's enforcement role and track record, lawful bases for processing, sensitive data rules, data subject rights, controller obligations, breach notification, cross-border transfer requirements, penalties, and the most significant 2024-2026 regulatory developments.
For Saudi recording-law requirements, see our companion article on Saudi Arabia recording laws.
Quick Answer: What Is the Saudi Arabia Data Privacy Law?
Saudi Arabia's primary data privacy law is the Personal Data Protection Law (PDPL), enacted by Royal Decree No. M/19 on September 16, 2021, and amended by Royal Decree No. M/148 on March 27, 2023. The PDPL is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA) through its National Data Governance Platform.
The law entered into force on September 14, 2023. Organizations were granted a one-year grace period to achieve compliance; that grace period expired on September 14, 2024, and full enforcement has been active since that date. As of early 2026, SDAIA has issued 48 enforcement decisions against organizations in violation of the PDPL.
Key features include: consent as the default lawful basis for processing; enhanced protections for sensitive personal data; a 72-hour breach notification obligation to SDAIA; data subject rights of access, correction, deletion, and portability; mandatory controller registration on SDAIA's platform; restrictions on cross-border data transfers; and penalties up to SAR 5 million for administrative violations, with criminal sanctions for intentional disclosure of sensitive data.
This article covers Saudi Arabia's data privacy law under the PDPL only. For sector-specific rules (financial services, telecommunications, healthcare), organizations should consult the relevant Saudi regulatory authority alongside the PDPL.
The PDPL: Legislative Framework and Regulator

The PDPL is Saudi Arabia's first general data protection statute. It draws on international frameworks, particularly the EU General Data Protection Regulation (GDPR), while incorporating provisions specific to the Kingdom's legal and national security context.
Legislative History
The PDPL's key milestones are:
- September 16, 2021: Royal Decree No. M/19 enacted the PDPL
- March 27, 2023: Royal Decree No. M/148 amended the PDPL, introducing legitimate interests as a new lawful basis and strengthening cross-border transfer rules
- September 7, 2023: SDAIA published the Implementing Regulations
- September 14, 2023: PDPL entered into force; one-year grace period began
- September 14, 2024: Grace period expired; full enforcement commenced
- February 2025: SDAIA published the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom
- April 27, 2025: SDAIA opened a third public consultation on proposed amendments to the Implementing Regulations (closed May 27, 2025)
- November 2025: SDAIA published its AI Adoption Framework, creating parallel governance obligations for AI systems that process personal data
- Early 2026: SDAIA reported 48 cumulative enforcement decisions; Saudi Arabia declared 2026 the Year of AI
SDAIA: The Current Regulator
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority for PDPL enforcement. SDAIA holds power to issue implementing regulations and supplementary guidance, investigate potential violations through formal committee-led proceedings, impose administrative fines, and refer criminal matters to the courts.
The PDPL provides that SDAIA serves as the competent authority for the first two years after the law enters into force, with the possibility of transferring oversight to the National Data Management Office (NDMO) thereafter, subject to a government assessment of the data sector's maturity. The two-year initial period ran from September 14, 2023 to approximately September 2025. As of May 2026, SDAIA continues to operate as the active regulator; no formal transfer to the NDMO has been announced. Organizations should monitor the SDAIA and National Communications Commission portals for any transition announcement.
The NDMO sits within the NCC and is responsible for national data governance policy more broadly, including the Istitlaa consultation platform through which public comments on proposed regulatory changes are submitted.
SDAIA operates the National Data Governance Platform (NDGP) as the central portal for controller registration, breach reporting, DPO appointment notifications, and regulatory communications.
Scope: Who Must Comply?
The PDPL applies to:
- Any entity or individual located within Saudi Arabia that processes personal data, regardless of the nationality of the data subjects
- Any entity or individual outside Saudi Arabia that processes personal data of individuals located in the Kingdom, even without a physical presence there
This extraterritorial reach mirrors the GDPR approach. A company headquartered in the United States, the European Union, or Asia that collects or processes data from Saudi residents through a website, mobile application, or service must comply with the PDPL.
Personal Data and Sensitive Personal Data
The PDPL defines personal data as any data that can identify an individual or make them identifiable, directly or indirectly. This includes names, national identification numbers, addresses, phone numbers, photographs, voice recordings, and any other information linked to an identifiable person.
Sensitive personal data receives heightened protection. The PDPL treats the following categories as sensitive:
- Racial or ethnic origin
- Religious, intellectual, or political beliefs
- Criminal and security records
- Biometric data (fingerprints, facial recognition, retinal scans)
- Genetic data
- Health data (medical records, conditions, treatments)
- Data revealing that one or both of an individual's parents are unknown
This last category is unique to the PDPL and does not appear in the GDPR or most comparable frameworks. Organizations processing any of the above categories face stricter obligations and higher criminal exposure than those processing ordinary personal data.
Lawful Bases for Processing
The PDPL establishes an opt-in consent model as the default, supplemented by additional lawful bases introduced or clarified by the 2023 amendments.
Consent
Consent is the principal lawful basis under the PDPL. The law requires that consent be:
- Explicit: the data subject must affirmatively agree; silence or inaction does not constitute consent
- Specific: each purpose must be disclosed and consented to separately
- Documented: organizations must be able to demonstrate that consent was given
- Revocable: data subjects must be able to withdraw consent at any time, and controllers must cease processing upon withdrawal (unless another lawful basis applies)
For sensitive personal data and credit data, the consent requirement is heightened: explicit consent with detailed disclosure is mandatory, and no alternative lawful basis can substitute.
Other Lawful Bases
Beyond consent, the PDPL recognizes:
- Legal or regulatory obligation: processing required to comply with a Saudi law or regulation
- Contractual necessity: processing needed to perform obligations under a contract with the data subject
- Vital interests: processing necessary to protect the health, safety, or life of the data subject or another person
- Legitimate interests: processing necessary for the controller's legitimate interests, provided those interests do not override the data subject's rights (introduced by the M/148 amendments in 2023)
- Public interest or national security: processing required for public interest or to protect national security
- Publicly available data: processing of data lawfully made publicly available by the data subject
One critical restriction: the legitimate interests basis cannot be used for sensitive personal data. This is a stricter standard than the GDPR, which permits legitimate interests for some sensitive data categories in limited circumstances.
Sensitive Personal Data: Enhanced Obligations
Processing sensitive personal data triggers stricter requirements than ordinary personal data at every stage of the compliance lifecycle.
Explicit consent is required in all cases; no alternative lawful basis (including legitimate interests) may be substituted. Organizations must conduct a Data Protection Impact Assessment before commencing sensitive data processing. Legitimate interest cannot justify sensitive data processing under any circumstances. Sensitive data cannot be used for marketing purposes. Additional technical and organizational security safeguards must be implemented beyond those required for ordinary personal data.
The criminal penalties for unauthorized disclosure of sensitive personal data are more severe than for general PDPL violations, and SDAIA's enforcement actions have specifically targeted organizations that processed sensitive data without a valid legal basis.
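The consent and sensitive-data rules above translate directly into a gate that a privacy engineer can place in front of processing code, so that the rules are enforced at run time rather than only recorded in policy. The following is an added example, not code from SDAIA or from any vendor; the data-category labels, the purposes, the `Basis` enum and the sample consent ledger are constructed assumptions for illustration.

```python
"""Lawful-basis gate modelled on the PDPL rules described above (added
example, not SDAIA's or any vendor's code). Categories, purposes and the
sample ledger are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Basis(Enum):
    CONSENT = "consent"
    LEGAL_OBLIGATION = "legal_obligation"
    CONTRACT = "contractual_necessity"
    VITAL_INTERESTS = "vital_interests"
    LEGITIMATE_INTERESTS = "legitimate_interests"
    PUBLIC_INTEREST = "public_interest_or_national_security"
    PUBLIC_DATA = "publicly_available_data"


# Sensitive categories listed in the section above (labels are constructed).
SENSITIVE = {"ethnic_origin", "beliefs", "criminal_record", "biometric",
             "genetic", "health", "parents_unknown"}
# Credit data is not "sensitive" but shares the explicit-consent-only rule.
CONSENT_ONLY = SENSITIVE | {"credit"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                  # one record per purpose: consent must be specific
    explicit: bool                # True only for an affirmative act, never silence
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        if not self.explicit or at < self.given_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


@dataclass
class ConsentLedger:
    """Append-only evidence that consent was given (the 'documented' requirement)."""
    records: list = field(default_factory=list)

    def record(self, rec: ConsentRecord) -> None:
        self.records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal is logged, not deleted: processing before it stays lawful.
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active(at)
                   for r in self.records)


def processing_permitted(ledger: ConsentLedger, subject_id: str, purpose: str,
                         category: str, basis: Basis, at: datetime,
                         marketing: bool = False) -> tuple:
    """Return (allowed, reason). Sensitive data: explicit consent only, never
    legitimate interests, never marketing. Ordinary data on consent needs an
    active per-purpose record; any other basis is accepted as claimed."""
    if category in SENSITIVE and marketing:
        return False, f"{category}: sensitive data may not be used for marketing"
    if category in CONSENT_ONLY and basis is not Basis.CONSENT:
        return False, f"{category}: only explicit consent is valid ({basis.value} rejected)"
    if basis is Basis.CONSENT:
        if ledger.has_consent(subject_id, purpose, at):
            return True, f"active explicit consent for purpose '{purpose}'"
        return False, f"no active explicit consent for purpose '{purpose}'"
    return True, f"processing on basis '{basis.value}' (record it in the ROPA)"


def build_sample_ledger() -> tuple:
    """Constructed sample data: one subject, three purposes, one withdrawal."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("subj-1", "newsletter", True, t0))
    ledger.record(ConsentRecord("subj-1", "analytics", False, t0))  # pre-ticked box
    ledger.record(ConsentRecord("subj-1", "clinic_reminders", True, t0))
    ledger.withdraw("subj-1", "newsletter", t0 + timedelta(days=5))
    return ledger, t0


def run_sample_checks() -> dict:
    """Evaluate the constructed cases; returns label -> (allowed, reason)."""
    ledger, t0 = build_sample_ledger()
    day = lambda n: t0 + timedelta(days=n)
    cases = {
        "newsletter before withdrawal": ("newsletter", "email", Basis.CONSENT, day(2), False),
        "newsletter after withdrawal": ("newsletter", "email", Basis.CONSENT, day(7), False),
        "analytics on pre-ticked box": ("analytics", "email", Basis.CONSENT, day(7), False),
        "health on legitimate interests": ("profiling", "health", Basis.LEGITIMATE_INTERESTS, day(7), False),
        "health reminders on explicit consent": ("clinic_reminders", "health", Basis.CONSENT, day(7), False),
        "health marketing despite consent": ("clinic_reminders", "health", Basis.CONSENT, day(7), True),
        "payroll on contract": ("payroll", "salary", Basis.CONTRACT, day(7), False),
    }
    return {label: processing_permitted(ledger, "subj-1", p, c, b, at, marketing=m)
            for label, (p, c, b, at, m) in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in run_sample_checks().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

Two design points carry the legal requirements into the data model: consent is keyed by purpose, so a single "I agree" cannot cover analytics and marketing at once, and a withdrawal is recorded with a timestamp rather than deleting the record, which preserves the evidence that processing before the withdrawal was lawful.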
Data Subject Rights
The PDPL grants individuals an enforceable set of rights. SDAIA has shown willingness to act on data subject complaints, and controllers that fail to respond within the statutory timeframes have faced enforcement consequences.
Right to Be Informed
Data subjects have the right to know: the legal basis for processing; the purpose of data collection; the means by which data is collected; and the identity of any third party to whom data may be disclosed.
Right of Access
Individuals can request a complete copy of all personal data an organization holds about them, in a readable format. Controllers must respond within 30 days, with a possible 30-day extension where the volume or complexity of the request justifies it. The controller must notify the data subject of any extension and explain the reason before the initial period expires.
Right to Correction
Data subjects can request correction of inaccurate personal data. When a correction is made, the controller must notify all third parties that previously received the data so they can update their records.
Right to Deletion
Individuals can request deletion of personal data when it is no longer necessary for the purpose for which it was collected, when consent has been withdrawn, or when processing was unlawful. Exceptions apply where the data is needed for legal proceedings or regulatory compliance.
Right to Data Portability
Upon request, controllers must provide personal data in a structured, machine-readable format (such as CSV or JSON) to allow the data subject to transfer it to another controller.
Right to Withdraw Consent
Data subjects can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal. Upon withdrawal, the controller must cease processing unless another lawful basis applies.
Right to Object
Data subjects can object to processing in certain circumstances, particularly where processing is based on legitimate interests. Controllers must cease processing unless they can demonstrate compelling legitimate grounds that override the data subject's interests.
The 30-Day Response Obligation
Controllers must respond to all data subject requests within 30 days. An extension of a further 30 days is available where justified by complexity or volume, but the data subject must be notified before the initial period expires. SDAIA enforcement actions have included failure to respond to data subject complaints as a standalone violation category.
Controller Obligations

Organizations that determine the purpose and means of processing personal data carry the following core obligations under the PDPL and its Implementing Regulations.
Controller Registration on the NDGP
Controllers meeting any of the following criteria must register on SDAIA's National Data Governance Platform:
- Public entity
- Core activity involves processing personal data
- Transfers personal data outside the Kingdom or discloses it internationally
- Processes sensitive personal data
- Processes data about individuals who lack full or partial legal capacity
Registration is free and completed online. The registration certificate is valid for five years; SDAIA notifies controllers 30 days before expiry. Under the proposed 2025 amendments to the Implementing Regulations, the registration criteria will be further clarified and consolidated into the Implementing Regulations directly.
Privacy Notices
Controllers must provide data subjects with a privacy notice before or at the time of data collection. The notice must disclose: the identity of the controller; the purposes of processing; the lawful basis; the categories of data collected; any recipients of the data; cross-border transfer arrangements; data retention periods; and the data subject's rights and how to exercise them.
Data Protection Officer Appointment
SDAIA's Rules for Appointing a Data Protection Officer require DPO appointment where the controller:
- Is a public entity providing large-scale services involving personal data processing
- Has core activities that involve regular and systematic monitoring of data subjects on a large scale
- Has core activities that involve large-scale processing of sensitive personal data
The DPO must hold appropriate academic qualifications and experience in data protection, have knowledge of risk management, and hold no convictions for dishonesty or breach of trust. The DPO may be an employee or an external contractor. DPO contact details must be submitted to SDAIA through the NDGP and updated whenever a change occurs.
The proposed 2025 amendments would consolidate DPO requirements into the Implementing Regulations and require controllers to formally document DPO appointments.
Data Protection Impact Assessments
A DPIA is required before undertaking processing that poses heightened risk to data subjects. Mandatory DPIA scenarios include:
- Processing sensitive personal data
- Systematic, large-scale processing of individuals who lack legal capacity
- Collecting or linking data from multiple sources
- Deploying new technologies with significant privacy impact
- Automated decision-making that may cause serious harm to data subject privacy
- Providing products or services likely to cause serious harm to data subject privacy interests
The Implementing Regulations set minimum DPIA requirements, and a copy must be shared with any processor handling the relevant data.
Privacy by Design
The PDPL requires controllers to embed data protection principles into systems, processes, and products from the design stage. Technical and organizational measures must be integrated into every operational decision involving personal data; documentation alone does not satisfy this obligation.
Records of Processing Activities
Controllers must maintain records of their processing activities covering: purposes of processing; categories of data subjects and personal data; recipients; cross-border transfer arrangements; and security measures implemented. Records must be accurate and kept for a defined period, and must be produced to SDAIA on request. The proposed 2025 amendments simplify the ROPA requirements by stating the core obligations more clearly.
Security Obligations
Controllers must implement technical and organizational security measures proportionate to the risk. SDAIA's enforcement actions have specifically targeted organizations with insufficient security controls. Coordinating with Saudi Arabia's National Cybersecurity Authority (NCA) Essential Cybersecurity Controls is strongly recommended practice.
Breach Notification Requirements
The PDPL imposes a strict breach notification framework with no materiality threshold.
Notification to SDAIA: 72-Hour Deadline
Under Article 24 of the Implementing Regulations, controllers must notify SDAIA within 72 hours of becoming aware of a breach that may harm personal data or data subjects' rights. The 72-hour clock applies regardless of the size or apparent impact of the breach; the PDPL does not permit controllers to self-assess materiality and withhold notification.
Content of the Notification
Notifications to SDAIA must include: a description of the incident and how it occurred; the category and estimated number of affected individuals; an assessment of potential consequences; and the measures taken or planned to contain the breach and prevent recurrence.
Notification to Data Subjects
Data subjects must be notified without undue delay where a breach may cause harm to their personal data or interests. The notification must be sufficiently detailed to allow individuals to understand the risk and take protective steps.
Reporting Channel
All breach notifications must be submitted through the National Data Governance Platform. Organizations must register before they can access the breach reporting function; waiting until a breach occurs to register is not an acceptable approach.
SDAIA's Three-Stage Response Framework
SDAIA's Personal Data Breach Incidents Procedural Guide sets out a three-stage response protocol: (1) containment and initial assessment; (2) detailed investigation and risk evaluation; and (3) remediation with follow-up reporting to SDAIA.
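The two statutory clocks described on this page, the 30-day data subject request window from the "30-Day Response Obligation" section (with its extension that counts only if the subject is notified before the initial period expires) and the 72-hour breach notification to SDAIA described above, are easy to get wrong under incident pressure. The following is an added example, not SDAIA's own tooling or any NDGP form; the notification field names and the sample timestamps are constructed.

```python
"""Statutory clocks and notification checks for two PDPL duties described on
this page: the 30-day data subject request window (with its conditional
30-day extension) and the 72-hour breach notification to SDAIA. Added
example, not SDAIA's tooling; field names and timestamps are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)
EXTENSION = timedelta(days=30)
BREACH_WINDOW = timedelta(hours=72)

# Minimum content of a notification to SDAIA, per the section above
# (keys are constructed labels, not NDGP form fields).
REQUIRED_FIELDS = (
    "incident_description",     # what happened and how it occurred
    "affected_category",        # category of affected individuals
    "affected_count_estimate",  # estimated number of affected individuals
    "consequences_assessment",  # assessment of potential consequences
    "measures",                 # containment / prevention measures, taken or planned
)


@dataclass
class SubjectRequest:
    received_at: datetime
    extension_notified_at: Optional[datetime] = None   # when the subject was told
    extension_reason: Optional[str] = None             # why more time is needed


def request_deadline(req: SubjectRequest) -> datetime:
    """The extra 30 days count only if the data subject was notified, with a
    reason, before the initial 30-day period expired."""
    initial = req.received_at + RESPONSE_WINDOW
    if (req.extension_notified_at is not None and req.extension_reason
            and req.extension_notified_at < initial):
        return initial + EXTENSION
    return initial   # a late or unexplained extension notice extends nothing


def breach_deadline(aware_at: datetime) -> datetime:
    """72 hours from awareness, regardless of the breach's apparent size."""
    return aware_at + BREACH_WINDOW


def check_breach_notification(aware_at: datetime, submitted_at: datetime,
                              notification: dict) -> list:
    """Return the list of problems; an empty list means timely and complete.
    A count of 0 is a valid estimate, so only None/empty values count as missing."""
    issues = []
    missing = [f for f in REQUIRED_FIELDS if notification.get(f) in (None, "")]
    if missing:
        issues.append("missing: " + ", ".join(missing))
    overdue = submitted_at - breach_deadline(aware_at)
    if overdue > timedelta(0):
        issues.append(f"submitted {overdue} after the 72-hour deadline")
    return issues


def run_sample_checks() -> dict:
    """Constructed cases covering the edge conditions; all clocks kept in UTC."""
    received = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    plain = SubjectRequest(received)
    timely_ext = SubjectRequest(received, received + timedelta(days=20), "large volume")
    late_ext = SubjectRequest(received, received + timedelta(days=31), "large volume")
    aware = datetime(2026, 4, 2, 14, 30, tzinfo=timezone.utc)
    complete = {
        "incident_description": "Misconfigured object store exposed a customer export",
        "affected_category": "retail customers",
        "affected_count_estimate": 1200,
        "consequences_assessment": "contact details exposed; phishing risk",
        "measures": "bucket policy fixed, credentials rotated, access logs reviewed",
    }
    partial = {"incident_description": "Laptop lost", "affected_count_estimate": 0}
    return {
        "plain_days": (request_deadline(plain) - received).days,
        "timely_extension_days": (request_deadline(timely_ext) - received).days,
        "late_extension_days": (request_deadline(late_ext) - received).days,
        "complete_on_time": check_breach_notification(aware, aware + timedelta(hours=50), complete),
        "partial_late": check_breach_notification(aware, aware + timedelta(hours=80), partial),
    }


if __name__ == "__main__":
    for label, value in run_sample_checks().items():
        print(f"{label}: {value}")
```

The breach clock starts at awareness, not at confirmation, so the awareness timestamp should be written to the incident record as soon as the first credible indicator is triaged; the check above treats a notification that is complete but submitted after the deadline, and one that is on time but missing fields, as distinct findings.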
Cross-Border Data Transfers

Transferring personal data outside Saudi Arabia is one of the most heavily regulated aspects of the PDPL. The cross-border transfer regime operates through the PDPL, the SDAIA Regulation on Personal Data Transfer Outside the Kingdom, and the February 2025 Risk Assessment Guideline.
General Conditions for Transfer
Controllers cannot transfer personal data outside the Kingdom unless all of the following conditions are met:
- The transfer does not prejudice national security, the vital interests of the Kingdom, or public order
- The recipient country provides an adequate level of data protection as determined by SDAIA
- The transfer is limited to the minimum data necessary for the specified purpose
- Appropriate safeguards are in place
Adequacy Assessments
SDAIA determines whether a recipient country provides equivalent protection by examining the country's data protection legal framework, whether a functioning supervisory authority exists and cooperates with Saudi regulators, and whether the recipient country's framework conflicts with Saudi law or interests. As of May 2026, SDAIA had not published a formal adequacy list comparable to the EU adequacy decisions.
Approved Safeguards for Non-Adequate Countries
For transfers to countries without an adequacy determination, controllers must implement SDAIA-approved safeguards:
- Standard Contractual Clauses (SCCs) approved by SDAIA
- Binding Corporate Rules for intra-group international transfers
- Other contractual mechanisms providing protection equivalent to the PDPL
The February 2025 Risk Assessment Guideline
SDAIA published the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom in February 2025. While not legally binding, the guideline establishes the methodology SDAIA expects controllers to follow, organized into four phases:
Phase 1: Preparation: Identify the types of personal data to be transferred, the categories of data subjects, the frequency of transfers, and the data recipient's compliance posture.
Phase 2: Risk Assessment: Evaluate whether the transfer could compromise national security, economic stability, or public interest. Assess the technical and organizational measures the recipient has in place.
Phase 3: Safeguards Implementation: Document the safeguards (SCCs, BCRs, or other mechanisms) and confirm they are in place before the transfer begins.
Phase 4: Documentation and Review: Maintain records of the risk assessment and review them whenever circumstances change, including when recipient-country law changes or a new category of data is added to the transfer.
For continuous or large-scale transfers of sensitive personal data, a risk assessment is mandatory before the transfer begins.
Data Localization Considerations
The PDPL does not impose a general data localization requirement. However, Saudi authorities have indicated a preference for storing sensitive and personally identifiable data within the Kingdom. Sector-specific rules in financial services, telecommunications, and health may impose additional localization obligations. The National Cybersecurity Authority's requirements apply in parallel.
Penalties and Enforcement
Administrative Penalties
SDAIA may issue a written warning for first or minor violations. For substantive violations, SDAIA may impose a fine of up to SAR 5 million (approximately USD 1.33 million). For repeat violations, the fine doubles to a maximum of SAR 10 million (approximately USD 2.67 million).
Beyond fines, SDAIA has authority to order suspension of processing activities. Courts can also order publication of the judgment at the violator's expense, confiscation of proceeds obtained through the violation, and destruction of unlawfully collected data.
Criminal Penalties
The PDPL includes criminal sanctions. Intentional disclosure or publication of sensitive personal data with intent to harm the data subject or gain personal benefit is a criminal offense under the PDPL. Penalties for this offense include:
- Imprisonment of up to two years
- A fine of up to SAR 3 million (approximately USD 800,000)
- Or both
For repeat criminal offenses, courts may double the fine to SAR 6 million and extend the term of imprisonment.
The Enforcement Process: Five-Day Response Window
SDAIA investigations are conducted through a formal committee-led process with short statutory deadlines. Once an organization is notified of an alleged violation, it has only five days to submit its response and supporting evidence to SDAIA. Organizations that have not pre-identified authorized representatives, prepared valid powers of attorney, and tested access to SDAIA's electronic platforms are at a significant disadvantage when an investigation is opened.
The enforcement process operates largely through the NDGP, and SDAIA holds broad powers to obtain documents, data, and explanations from the subject of an investigation.
Enforcement Track Record: 48 Decisions Through Early 2026
As of early 2026, SDAIA's enforcement committees have issued 48 cumulative enforcement decisions against organizations found in violation of the PDPL. The primary violation categories in those decisions were:
- Collecting or processing personal data without a valid legal basis
- Unauthorized disclosure of personal data
- Failure to implement adequate technical and organizational security controls
- Sending marketing communications without prior consent
SDAIA has also acted on data subject complaints, requiring controllers to respond within short timeframes and provide supporting evidence of compliance. Enforcement activity is expected to grow as SDAIA's investigative capacity increases and Saudi residents become more aware of their PDPL rights.
The 2025 Proposed Amendments to the Implementing Regulations
On April 27, 2025, SDAIA opened a third public consultation on proposed amendments to the PDPL Implementing Regulations via the Istitlaa Platform. The consultation closed on May 27, 2025.
The proposed amendments respond to practical challenges organizations encountered during the first year of full enforcement. Key proposed changes include:
Controller Registration: Consolidation of the standalone Rules Governing the National Register of Controllers into the Implementing Regulations, with a clarified list of registration criteria.
Data Protection Officer: Consolidation of the standalone Rules for Appointing a DPO into the Implementing Regulations, with a requirement to formally document DPO appointment and submit DPO contact details to SDAIA's platform.
Records of Processing Activities: Simplified ROPA requirements, clarifying that records must be retained for a defined period, kept accurate and up to date, and produced to SDAIA on request.
Direct Marketing: Clarifications on consent requirements and opt-out mechanisms.
Breach Notification: Revised definitions and clarified notification procedures.
The finalized amendments had not been published as of May 2026. Organizations should monitor the SDAIA Laws and Regulations Portal for the final version.
Year of AI 2026 and PDPL Implications
Saudi Arabia declared 2026 its official Year of AI, signaling a government-wide commitment to accelerating AI deployment. SDAIA leads both the AI governance and data protection agendas, creating an integrated compliance environment for organizations deploying AI systems that process personal data.
In November 2025, SDAIA published its AI Adoption Framework, establishing a mandatory governance baseline covering five pillars: data governance, model accountability, transparency, human oversight, and risk management. AI systems that process personal data must satisfy both PDPL requirements and the AI Adoption Framework's governance controls simultaneously.
SDAIA's earlier Generative AI Guidelines (2024) and updated AI Ethics Principles (2025) form part of the same regulatory framework. Organizations using AI tools in Saudi Arabia must assess whether those tools process personal data of Saudi residents. If they do, PDPL consent, transparency, DPIA, and data minimization obligations apply in addition to the AI-specific governance requirements.
Business Compliance Checklist
Organizations subject to the PDPL should address the following:
- Conduct a personal data inventory: Map all processing activities, identifying what data is collected, on what legal basis, and how it flows within and outside the organization
- Document lawful bases: For each processing activity, document which PDPL lawful basis applies
- Update privacy notices: Ensure all disclosures meet PDPL transparency requirements
- Build opt-in consent flows: For processing relying on consent, implement mechanisms that record explicit, specific, revocable consent
- Register on the NDGP: If any registration criterion applies, complete registration before commencing processing
- Appoint a DPO if required: Check whether the controller meets DPO thresholds; if so, appoint and register the DPO on the NDGP
- Conduct DPIAs: Before processing activities that pose heightened risk to data subjects
- Establish a breach response procedure: Ensure the organization can detect, assess, and notify SDAIA within 72 hours
- Assess cross-border transfers: Conduct documented risk assessments for all transfers outside the Kingdom; implement SCCs or other approved safeguards
- Prepare for enforcement: Identify authorized representatives, establish powers of attorney for SDAIA proceedings, and test NDGP platform access
- Assess AI systems: Determine whether AI tools that process personal data trigger both PDPL and AI Adoption Framework obligations
- Train staff: Ensure all employees who handle personal data understand their PDPL obligations
Not Legal Advice: This article presents general legal information about Saudi Arabia's Personal Data Protection Law as verified in May 2026. It does not constitute legal advice and does not address all sector-specific rules that may apply to particular industries. Laws and regulations change; verify current requirements with a lawyer licensed in the relevant jurisdiction before taking action.
Frequently Asked Questions
Who does the Saudi PDPL apply to?
The PDPL applies to all entities and individuals located within Saudi Arabia that process personal data by any means. It also applies extraterritorially to organizations outside the Kingdom that process personal data of individuals located in Saudi Arabia. International companies offering goods or services to Saudi residents, or monitoring their behavior, must comply even without a physical presence in the country.
When did full PDPL enforcement begin?
The PDPL entered into force on September 14, 2023. SDAIA granted a one-year compliance grace period, which expired on September 14, 2024. Full enforcement commenced on that date. As of early 2026, SDAIA had issued 48 cumulative enforcement decisions against organizations found in violation.
Who is the PDPL regulator: SDAIA or the NDMO?
SDAIA is the current and active regulator. The PDPL provides that SDAIA serves as the competent authority for the first two years after the law enters into force, with a possible transfer of enforcement responsibility to the National Data Management Office (NDMO) thereafter, subject to a government assessment of the data sector's maturity. As of May 2026, no formal transfer has been announced and SDAIA continues to lead enforcement.
What are the penalties for non-compliance with the PDPL?
Administrative fines reach up to SAR 5 million (approximately USD 1.33 million) for general violations, doubling to SAR 10 million for repeat violations. Criminal penalties for intentional disclosure of sensitive personal data include up to two years imprisonment and fines up to SAR 3 million, doubling to SAR 6 million and extended imprisonment for repeat criminal offenses. Courts may also order publication of judgments and confiscation of proceeds.
What is the breach notification deadline under the PDPL?
Controllers must notify SDAIA within 72 hours of becoming aware of a data breach that may harm personal data or data subjects' rights. There is no materiality threshold; all breaches meeting this description must be reported. Notifications are submitted through the National Data Governance Platform at dgp.sdaia.gov.sa.
How does the PDPL handle cross-border data transfers?
Transferring personal data outside Saudi Arabia requires meeting several conditions: the transfer must not prejudice national security or public order; the recipient country must provide adequate data protection as assessed by SDAIA; appropriate safeguards such as SDAIA-approved Standard Contractual Clauses must be in place; and the data transferred must be limited to the minimum necessary. For sensitive or large-scale transfers, a documented risk assessment following SDAIA's February 2025 Risk Assessment Guideline is mandatory.
Is PDPL consent different from GDPR consent?
There are significant differences. The PDPL places greater emphasis on consent as the default lawful basis. Legitimate interests cannot be used for sensitive personal data under the PDPL, which is stricter than the GDPR. The PDPL also includes a unique sensitive data category covering individuals whose parents are unknown. Criminal imprisonment is available under the PDPL for intentional sensitive data disclosure, which has no direct GDPR equivalent.
Do organizations need to appoint a Data Protection Officer?
DPO appointment is mandatory for public entities providing large-scale services involving personal data, organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organizations whose core activities involve large-scale processing of sensitive personal data. The DPO must be registered on SDAIA's National Data Governance Platform. Proposed 2025 amendments would consolidate DPO requirements into the Implementing Regulations.
What are the proposed 2025 amendments to the PDPL Implementing Regulations?
SDAIA opened a third public consultation on proposed amendments in April 2025, which closed May 27, 2025. The proposals would consolidate controller registration rules and DPO appointment rules into the Implementing Regulations (repealing the standalone instruments), simplify records of processing activity requirements, clarify direct marketing consent obligations, and revise breach notification definitions. The final amendments had not been published as of May 2026.
How does the Year of AI 2026 affect PDPL compliance?
Saudi Arabia declared 2026 its Year of AI. SDAIA's November 2025 AI Adoption Framework creates mandatory governance obligations for AI systems covering data governance, model accountability, transparency, human oversight, and risk management. AI systems that process personal data of Saudi residents must comply with both the PDPL and the AI Adoption Framework simultaneously. Organizations should assess whether AI tools they deploy trigger PDPL consent, DPIA, and data minimization requirements.
Sources and References
- SDAIA Laws and Regulations Portal (sdaia.gov.sa)
- National Data Governance Platform (dgp.sdaia.gov.sa)
- SDAIA Personal Data Breach Incidents Procedural Guide (sdaia.gov.sa)
- SDAIA Rules for Appointing Data Protection Officer (sdaia.gov.sa)
- SDAIA Regulation on Personal Data Transfer Outside the Kingdom (dgp.sdaia.gov.sa)
- SDAIA Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom (dgp.sdaia.gov.sa)
- Saudi National Portal — Data Regulation and Cybersecurity (my.gov.sa)
- Istitlaa Platform — Proposed Amendments to PDPL Implementing Regulations (istitlaa.ncc.gov.sa)
- IAPP — Saudi PDPL First Anniversary: Amendments, Enforcement and Ongoing Developments (iapp.org)
- IAPP — Saudi Arabia Data Protection Authority Steps Up Enforcement (iapp.org)
- ICLG Data Protection Laws and Regulations Report 2025-2026: Saudi Arabia (iclg.com)
- Chambers Data Protection and Privacy 2026: Saudi Arabia (practiceguides.chambers.com)
- Clyde and Co — Enforcement of the Saudi PDPL is Live (March 2026) (clydeco.com)
- Clyde and Co — Saudi Arabia PDPL Third Public Consultation (May 2025) (clydeco.com)
- Clyde and Co — Update on Saudi Arabia Risk Assessment Guidelines for Cross-Border Transfers (clydeco.com)
- Dentons — Proposed Amendments to KSA PDPL Implementing Regulations (May 2025) (dentons.com)
- Dentons — Saudi Arabia Framework for Cross-Border Data Transfers (dentons.com)
- A and O Shearman — Enforcement of the Saudi Personal Data Protection Law (aoshearman.com)
- Global Privacy Blog — Active Enforcement of Saudi Arabia Privacy Regime (May 2026) (globalprivacyblog.com)
- Global Privacy Blog — KSA Issues New Data Transfer Risk Assessment Guidelines (globalprivacyblog.com)
- CMS Law — One Year Anniversary Saudi PDPL (September 2025) (cms-lawnow.com)
- Morgan Lewis — Guide to Registering as a Data Controller under Saudi PDPL (morganlewis.com)
- King and Spalding — International Personal Data Transfers under Saudi PDPL (kslaw.com)
- Akin Gump — KSA PDPL and Implementing Regulations: Key Obligations (akingump.com)
- U.S. Commercial Service — Saudi Arabia ICT Cross-Border Data Transfer Rules Under Enforcement (trade.gov)
- Bird and Bird — Saudi Arabia Public Consultation on Draft Changes to Data Protection Regulations (twobirds.com)
- DLA Piper Data Protection Laws of the World: Saudi Arabia (dlapiperdataprotection.com)