Skip to content
MA

Hi, I'mMohammed AlYahya

Cybersecurity Leadership

Overview of Saudi Arabia’s Personal Data Protection Law (PDPL)

PDPL is the Saudi data protection law. SDAIA enforces it. The text and its implementing regulations are public. Most of what I write below restates the law; the value is in the practitioner commentary on what the law actually means when an SDAIA inspector walks in the door. If your organization handles personal data of Saudi residents (you do, even if you're based abroad) this is the framework you owe compliance to.

Key Definitions

  • Personal Data: Any information that can directly or indirectly identify a person.
  • Sensitive Data: Race, religion, health, genetics, biometrics, criminal record. SDAIA treats this category strictly; misclassifying sensitive data as ordinary personal data is one of the more common findings I see in early audits.
  • Processing: Any action taken with personal data: collecting, storing, transferring, deleting, anonymizing.
  • Controller: Decides why and how data is processed. Carries the legal liability.
  • Processor: Processes data on behalf of the controller. Processors aren't off the hook; PDPL contracts make them accountable to the controller's policy.

Who Does This Law Affect?

PDPL covers all personal data processing within Saudi Arabia, and processing of Saudi residents' data by entities outside the Kingdom. Personal use within a family is excluded unless shared with others.

The extraterritorial clause is real. Saudi residents using foreign apps and services trigger PDPL obligations on those foreign companies. Most foreign businesses I've spoken with hadn't realized this until SDAIA inspections started.

Data Subject Rights

Subjects can: know why their data is being collected, access what the controller holds on them, correct what's inaccurate, and request deletion when the original purpose has passed. Rights are exercised against the controller, not the processor. The controller has 30 days to respond.

Consent and Lawful Basis

PDPL requires a lawful basis for every processing activity. Consent is the familiar one, but not the only one: legal obligation, vital interests, and public interest also qualify. Sensitive data needs explicit, granular consent. A single "I agree to the terms" checkbox doesn't cover sensitive data.

I treat PDPL as a data problem with a control wrapper. Solve the data problem first (discovery, ownership, lawful basis) and the controls tell you what they need to be. Most failures I see at intake are ownership gaps, not control gaps.

Responsibilities of Data Controllers

Controllers must keep data accurate and minimized to what they actually need, publish a privacy notice that describes the real practice (not the aspirational one), implement security measures proportionate to sensitivity, notify SDAIA within 72 hours of a breach, and notify affected individuals when the breach is likely to cause them material harm.

Cross-Border Data Transfers

Data can leave Saudi Arabia when the destination has adequate protection (SDAIA maintains the list), a contractual safeguard equivalent to SCCs is in place, or a narrow exemption applies. Cross-border is the most operationally painful clause for multinationals. If your data lives in a hyperscaler region outside KSA, you need either an SCC equivalent or a documented case for an exemption. Get this in writing before processing starts; retrofitting it after the fact is hard.

Penalties

Fines up to 3 million SAR. Imprisonment up to 2 years for the worst violations. SDAIA tracks repeat offenders.

The Implementing Regulations

Operational specifics from the regulations:

  • Data subject response window: 30 days.
  • Anonymization must be unrecoverable to a specific individual.
  • DPIAs (Data Protection Impact Assessments) are required for high-risk processing.
  • Breach notification to SDAIA: 72 hours.

Choosing Processors

Processor contracts must explicitly bind the processor to PDPL obligations. "We use AWS" is not a contract. The agreement needs to spell out specific controls and the right to audit.

Special Categories: Health and Credit Data

Health data is processed under PDPL and the Ministry of Health regulations. Credit data falls under PDPL and the Credit Information Law. Where frameworks overlap, the stricter rule wins. You can't pick the more lenient interpretation.

Where to Start

If you're a Saudi entity beginning PDPL work:

  1. Discover the personal data you hold (data mapping). Almost nobody knows what they actually have.
  2. Establish ownership for each category.
  3. Document lawful basis per processing activity.
  4. Build the privacy notice from the ownership and lawful basis records, not from a template.
  5. Implement breach notification procedures before you need them.

The sequence is the Foundation phase of the FALAQ approach. The order matters: trying to write the privacy notice first usually produces a template no one in the organization actually follows.

PDPL is the regulatory baseline. SDAIA inspections are real. Treat it that way.