PDPL · Saudi Arabia & UAE Data Protection
PDPL Compliance
Consulting
The Saudi Personal Data Protection Law (PDPL) is the Kingdom’s national privacy law, enforced by SDAIA, in force since 14 September 2023 and fully enforceable since the grace period ended on 14 September 2024; the UAE’s Federal Decree-Law 45/2021 is its mainland counterpart. TCSA builds the lawful-basis records, notices, transfer safeguards, and 72-hour breach response both regulators expect, in 6–12 weeks.
TCSA has delivered 500+ audits and assessments across 15+ countries, with a cross-jurisdiction privacy practice spanning GDPR, DPDP, and the Gulf. PDPL engagements are fixed-fee — quoted after a short scoping call, in SAR, AED, or USD for Gulf engagements.
KSA PDPL (SDAIA) · UAE Federal Decree-Law 45/2021 · Last reviewed June 2026
The PDPL Hub — go deeper
Twelve focused guides: understand, assess, build, operate
What Is the PDPL?
The complete guide: timeline, SDAIA, definitions, principles, rights, penalties.
PDPL vs GDPR
Fourteen dimensions compared — what carries over and what must be localised.
The PDPL FAQ
Twenty-four practitioner questions on scope, roles, rights, transfers, evidence.
PDPL by Industry
Retail, BFSI, healthcare, government, SaaS — where the law bites each sector.
Gap Assessment
Where you stand against the PDPL, risk-ranked — the diagnostic first step.
Compliance Audit
Independent, evidence-based assurance over a programme that already runs.
Implementation
From zero to an operating programme: notices, RoPA, DSRs, transfers, breach.
Data Discovery & RoPA
Map what you hold and build the records of processing SDAIA can ask for.
Privacy by Design
Embed minimisation, DPIAs, and deletion paths into products before launch.
DPO as a Service
When the law requires a DPO — and a virtual DPO to operate the programme.
Vendor Risk & DPAs
Processor accountability, Data Processing Agreements, and ongoing monitoring.
Training & Awareness
Role-based PDPL training for the teams that actually touch personal data.
KSA PDPL · SDAIA
Saudi Arabia’s PDPL in Plain Terms
Issued by Royal Decree M/19 in September 2021 and amended in March 2023, the PDPL entered into force on 14 September 2023. The one-year compliance grace period ended on 14 September 2024 — since then, the law has been fully enforceable against everyone in scope. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA).
Every entity processing personal data in Saudi Arabia
The PDPL applies to any company or public entity — of any size, in any sector — that processes the personal data of individuals residing in the Kingdom. There is no small-business carve-out and no revenue threshold.
Foreign companies serving Saudi residents
The law is extraterritorial: an entity outside Saudi Arabia that processes the personal data of KSA residents is in scope, even with no local office. Under the Implementing Regulations, foreign controllers are also expected to designate a representative in the Kingdom.
All processing, defined broadly
Collection, storage, use, sharing, transfer, and destruction all count as processing. Distinctively, the PDPL even protects the data of deceased individuals where it would identify them or their family.
The law’s text, Implementing Regulations, and the Personal Data Transfer Regulation are published by SDAIA on its data-governance platform. Where SDAIA guidance is still evolving — such as the pending adequacy list for cross-border transfers — we flag positions on this page as indicative.
Controller & Processor Duties
The Obligations That Actually Bite
Eight duties drive most PDPL remediation work. Controllers carry the primary burden; processors must follow controller instructions, secure the data, and support breach response under contract.
| Obligation | What the PDPL requires |
|---|---|
| Lawful basis & consent | Consent is the default basis. Narrow alternatives include performance of an agreement, a legal obligation, the data subject’s "actual interest" where contact is impossible, and — after the 2023 amendment — legitimate interest for non-sensitive data. |
| Privacy notices | Data subjects must be told the purpose, legal basis, collection method, and their rights at or before collection — via a privacy policy made available before processing starts. |
| Records of processing (RoPA) | Controllers must maintain records of processing activities covering purposes, data categories, recipients, cross-border transfers, and retention periods. |
| Registration with SDAIA | Controllers register on SDAIA’s National Data Governance Platform where required — notably public entities, controllers whose main activity is processing personal data, and those processing sensitive data. |
| DPO appointment | A Data Protection Officer is required on defined triggers: public entities processing at scale, large-scale regular and systematic monitoring of individuals, or core processing of sensitive data. The DPO is registered through the platform. |
| Data subject rights (DSRs) | Rights to be informed, access data, obtain a copy, request correction, request destruction, and withdraw consent, with responses due within 30 days under the Implementing Regulations (extendable in defined cases). |
| Breach notification — 72 hours | Notify SDAIA within 72 hours of becoming aware of a breach that may harm personal data or data subjects, and notify affected individuals without undue delay where their rights or interests are at risk. |
| Cross-border transfers | Transfers outside the Kingdom need a lawful pathway under the Transfer Regulations: an adequacy decision (SDAIA’s approved-country list is still pending), Standard Contractual Clauses, Binding Common Rules for intra-group transfers, or certification — plus data minimisation and, in defined cases, a transfer risk assessment. |
Summarised from the PDPL (as amended 2023), its Implementing Regulations, and the Personal Data Transfer Regulation (as amended 2024). Always confirm current requirements against SDAIA’s official publications.
Lawful Bases
Six Ways to Process Data Lawfully
The PDPL is consent-first: every processing activity needs consent or one of a short list of alternatives — and the mapping must be documented in your records before processing starts. This is the single most common gap we find in GDPR-mature organisations entering the Kingdom.
| Basis | What it permits | Watch-outs | PDPL ref |
|---|---|---|---|
| Consent (the default) | Marketing, profiling, optional features, and any processing without another basis. Must be specific, informed, and as easy to withdraw as it was to give. | Cannot generally be made a condition of service unless the processing is directly connected to it. Sensitive data demands the most exacting consent discipline. | Arts. 5–7 |
| Actual interest of the data subject | Processing that delivers a clear benefit to the individual where contacting them is impossible or disproportionately difficult. | A narrow emergency-style ground — not a convenience substitute when consent is merely inconvenient to collect. | Art. 6 |
| Another law, or an agreement with the data subject | Processing required by Saudi law or a judicial ruling, and processing needed to implement an agreement the data subject is party to — payroll, service delivery, transactions. | The agreement leg covers what the contract genuinely needs, not adjacent marketing or analytics bolted onto it. | Art. 6 |
| Public-entity grounds | Processing by public entities for security purposes, judicial requirements, or other defined public functions. | Unavailable to private organisations — a private controller cannot self-declare a public interest. | Art. 6 |
| Legitimate interest (post-2023 amendment) | Processing necessary for a lawful interest of the controller — fraud prevention, internal reporting, service improvement — for non-sensitive data only. | Expects a documented balancing exercise against the data subject’s rights, and never reaches sensitive data. Far narrower than its GDPR cousin. | Art. 6 (as amended) |
| Research & statistics | Scientific, research, and statistical processing under the law’s conditions — typically with de-identification or other safeguards. | Public-benefit research, not a wrapper for commercial analytics or internal business intelligence. | Arts. 10, 27 |
Working summary of the PDPL’s consent rule and its exceptions, as amended 2023 — not legal advice. Sensitive data (health, biometric, genetic, criminal, beliefs) never rides on legitimate interest.
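The two tables above are the kind of rule set a privacy engineer ends up encoding as a check over the records of processing. What follows is an added example, not the page’s or TCSA’s tooling: a small RoPA linter in Python that applies the rules stated above (consent needs a withdrawal path, legitimate interest needs a documented balancing test and never covers sensitive data, public-entity grounds are closed to private controllers, anything leaving the Kingdom needs a Transfer Regulation pathway, and the RoPA fields SDAIA can ask for must be filled). The dataclass fields, the basis and mechanism labels, and the sample activities are assumptions constructed for illustration, not SDAIA’s template.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lawful bases as listed above (PDPL Arts. 5-6, as amended 2023). Labels are assumed.
BASES = {"consent", "actual_interest", "law_or_agreement", "public_entity",
         "legitimate_interest", "research_statistics"}
# Sensitive categories named on the page; legitimate interest never reaches them.
SENSITIVE = {"health", "biometric", "genetic", "criminal", "beliefs"}
# Transfer pathways under the Transfer Regulation. The adequacy list is pending,
# so relying on it only produces a warning to confirm against SDAIA.
TRANSFER_MECHANISMS = {"scc", "binding_common_rules", "certification", "adequacy"}


@dataclass
class ProcessingActivity:
    """One RoPA row. Field names are assumptions, not SDAIA's template."""
    name: str
    purpose: str
    data_categories: List[str]
    lawful_basis: str
    recipients: List[str] = field(default_factory=list)
    retention_days: Optional[int] = None
    transfer_destination: Optional[str] = None      # ISO country code; None = stays in KSA
    transfer_mechanism: Optional[str] = None
    consent_withdrawal_path: Optional[str] = None   # where the data subject withdraws
    balancing_test_ref: Optional[str] = None        # document ref for the LI balancing test
    controller_is_public_entity: bool = False


def check_activity(a: ProcessingActivity) -> List[str]:
    """Return the findings for one activity; an empty list means no rule fired."""
    findings: List[str] = []
    # RoPA completeness: the fields SDAIA can ask for.
    if not a.purpose:
        findings.append("RoPA: purpose missing")
    if not a.data_categories:
        findings.append("RoPA: data categories missing")
    if a.retention_days is None:
        findings.append("RoPA: retention period missing")
    if a.lawful_basis not in BASES:
        findings.append(f"lawful basis '{a.lawful_basis}' is not a PDPL basis")
        return findings
    sensitive = sorted(SENSITIVE & set(a.data_categories))
    if a.lawful_basis == "legitimate_interest":
        if sensitive:
            findings.append(f"legitimate interest cannot cover sensitive data: {sensitive}")
        if not a.balancing_test_ref:
            findings.append("legitimate interest needs a documented balancing test")
    if a.lawful_basis == "consent" and not a.consent_withdrawal_path:
        findings.append("consent needs a withdrawal path as easy as giving it")
    if a.lawful_basis == "public_entity" and not a.controller_is_public_entity:
        findings.append("public-entity grounds are unavailable to a private controller")
    # Cross-border: anything leaving the Kingdom needs a pathway.
    if a.transfer_destination and a.transfer_destination != "SA":
        if a.transfer_mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"transfer to {a.transfer_destination} has no lawful pathway")
        elif a.transfer_mechanism == "adequacy":
            findings.append("WARN: adequacy relied on, but SDAIA's list is pending; confirm")
    return findings


def check_ropa(activities: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Run every activity and return findings keyed by activity name."""
    return {a.name: check_activity(a) for a in activities}


# Constructed sample RoPA for a private Saudi controller (invented entries).
SAMPLE_ROPA = [
    ProcessingActivity("payroll", "pay staff", ["identity", "bank"], "law_or_agreement",
                       recipients=["bank"], retention_days=3650),
    ProcessingActivity("wellness_analytics", "improve benefits", ["health"],
                       "legitimate_interest", retention_days=365),
    ProcessingActivity("crm", "customer contact", ["contact"], "consent",
                       recipients=["crm-saas"], retention_days=730,
                       transfer_destination="US", transfer_mechanism="scc",
                       consent_withdrawal_path="account settings"),
    ProcessingActivity("recruiting", "hire", ["identity", "cv"], "consent",
                       transfer_destination="GB", transfer_mechanism="adequacy",
                       consent_withdrawal_path="careers portal"),
]

if __name__ == "__main__":
    for name, findings in check_ropa(SAMPLE_ROPA).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample, payroll and the SCC-backed CRM flow pass; the wellness analytics activity fails twice (health data on legitimate interest, no balancing test), and recruiting is flagged for a missing retention period and for leaning on an adequacy decision that does not yet exist. Wiring a check like this into the process that edits the RoPA catches the GDPR-to-PDPL mapping gap the section above describes before a regulator does.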
Data Subject Rights
Six Rights, Three Clocks
Saudi residents hold an enforceable set of rights over their data, and the deadlines around them are where compliance programmes get tested in practice. Data subjects can also seek court-ordered compensation for material or moral harm — independent of any SDAIA penalty.
To be informed
Purpose, legal basis, collection method, and rights — disclosed at or before collection.
Access
Confirm what personal data you hold about them, subject to narrow statutory limits.
Obtain a copy
A readable, clear copy of their data on request.
Correction
Fix inaccurate, incomplete, or outdated data — and pass corrections to prior recipients.
Destruction
Deletion when data is no longer needed or processing was unlawful, unless legal retention overrides.
Withdraw consent
At any time, as easily as consent was given — without affecting earlier lawful processing.
30 days to answer a data subject request
Per the Implementing Regulations, extendable in defined cases, so build the workflow for 30.
72 hours to notify SDAIA of a qualifying breach
From awareness, with affected individuals notified without undue delay where at risk.
A fixed statutory window for data subjects to complain to SDAIA
Runs from the violation or awareness of it; every mishandled DSR is a potential complaint.
Windows per the PDPL and its Implementing Regulations as of June 2026; confirm current timelines against SDAIA’s official publications.
Penalties & Enforcement
What Non-Compliance Costs in the Kingdom
The PDPL is unusual among modern privacy laws in pairing administrative fines with genuine criminal exposure for sensitive-data violations.
Administrative fines — up to SAR 5 million per violation
Violation committees formed within SDAIA may issue warnings and fines of up to SAR 5 million per violation, and fines may be doubled for repeat violations. Enforcement is live: SDAIA has publicised dozens of enforcement decisions since the grace period ended — 48 in the first year alone.
Criminal liability for sensitive-data disclosure
Under Article 35 of the PDPL, disclosing or publishing sensitive data in violation of the law — with intent to harm the data subject or for personal benefit — is punishable by up to two years’ imprisonment, a fine of up to SAR 3 million, or both. Cases are pursued by the Public Prosecution, and courts may also order confiscation.
Figures per the PDPL as amended (2023); penalty amounts and committee practice should always be confirmed against SDAIA’s current official publications.
United Arab Emirates
The UAE PDPL: In Force, Awaiting Its Regulations
The UAE’s federal data protection law applies across mainland UAE and most free zones — but not in DIFC or ADGM, which run their own regimes. Smart Gulf operators build to the federal law’s text now, so the post-regulations conformity window is a formality rather than a fire drill.
The law: Federal Decree-Law No. 45 of 2021
The UAE’s first federal data protection law, effective 2 January 2022. It is GDPR-style in structure: lawful bases for processing, data subject rights, breach notification, and cross-border transfer conditions.
The regulator: UAE Data Office
Federal Decree-Law No. 44 of 2021 established the UAE Data Office as the federal regulator. As of June 2026 the Office is not yet fully operational, with the TDRA providing administrative support in the interim.
Executive regulations: still pending
The executive regulations that will activate penalties and operational detail had not been issued as of June 2026. Once published, organisations are expected to get a six-month window to conform — and administrative penalties will be set by Cabinet decision.
DIFC and ADGM are carved out
The financial free zones run their own regimes — the DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021, each with its own commissioner and active enforcement. Mainland UAE entities follow the federal PDPL.
The official text of Federal Decree-Law No. 45 of 2021 is published on the UAE Legislation portal. Regulatory status is as of June 2026 and indicative — the executive regulations may issue at any time.
Our consultants have delivered PDPL compliance for SRG Group.
How TCSA Delivers
A Phased Path to PDPL, in 6–12 Weeks
Consulting is quoted as a fixed, all-inclusive fee after a short scoping call — in SAR, AED, or USD for Gulf clients. If you already hold GDPR, DPDP, or ISO 27701 documentation, we reuse it — most controls localise rather than restart.
Scope & data mapping
We establish which entities, products, and flows fall under the KSA PDPL, the UAE PDPL, or DIFC/ADGM rules — including the extraterritorial analysis — then build your data inventory and cross-border transfer map.
Gap assessment
A clause-by-clause assessment against the PDPL, its Implementing Regulations, and the Transfer Regulations (and the UAE PDPL text where relevant), producing a prioritised remediation register your team can execute.
Remediation & documentation
Privacy notices, consent flows, RoPA, DSR workflow, DPO appointment and SDAIA platform registration where triggered, transfer safeguards (SCCs / Binding Common Rules), and processor clauses for your vendor stack.
Operate & evidence
A 72-hour breach-response playbook with a tabletop drill, staff training, and an internal audit pass — optionally anchored to ISO 27701 so your privacy programme is certifiable, not just compliant.
Cross-Jurisdiction View
PDPL vs GDPR vs DPDP
Most Gulf-facing companies answer to more than one privacy law. This is the comparison we use to design one programme that satisfies all three — see our GDPR and DPDP practices for the EU and India legs.
| Dimension | Saudi PDPL | GDPR (EU) | DPDP Act (India) |
|---|---|---|---|
| Regulator | SDAIA (Saudi Data & AI Authority) | National supervisory authorities + EDPB | Data Protection Board of India |
| Status | In force Sept 2023; fully enforced since 14 Sept 2024 | Enforced since May 2018 | Enacted Aug 2023; phased enforcement under the DPDP Rules |
| Default lawful basis | Consent-first, with narrow exceptions (incl. legitimate interest for non-sensitive data) | Six co-equal lawful bases | Consent, plus defined "legitimate uses" |
| Cross-border transfers | Adequacy list (pending), SCCs, Binding Common Rules, certification + minimisation | Adequacy decisions, SCCs, BCRs | Permitted except to government-restricted countries; sectoral rules persist |
| Breach notification | 72 hours to SDAIA; individuals without undue delay | 72 hours to the supervisory authority | Notify the Board and affected users; detailed report within 72 hours under the Rules |
| Maximum penalty | SAR 5M per violation (doubled on repeat) + criminal: 2 years / SAR 3M for sensitive-data disclosure | €20M or 4% of global turnover | Up to INR 250 crore per instance |
| DPO | Required on defined triggers; registered with SDAIA | Required on defined triggers | Required for Significant Data Fiduciaries (India-based) |
Indicative summary for planning, not legal advice. The UAE PDPL is covered in its own section above; DIFC and ADGM entities follow their zone regimes.
PDPL Compliance — Frequently Asked Questions
Straight answers on Saudi and UAE data protection from a cross-jurisdiction privacy team.
Does the Saudi PDPL apply to companies outside Saudi Arabia?
Yes. The PDPL applies extraterritorially: any entity outside the Kingdom that processes the personal data of individuals residing in Saudi Arabia is in scope, even with no Saudi office or entity. The Implementing Regulations also expect foreign controllers to designate a representative in the Kingdom. If you sell SaaS, run an app, or deliver services to Saudi residents from India, the UAE, Europe, or the US, you should assess applicability before SDAIA — or a Saudi enterprise customer — asks you to.
What are the penalties under the Saudi PDPL?
Two layers. Administrative: violation committees within SDAIA can issue warnings and fines of up to SAR 5 million per violation, and fines may be doubled for repeat violations. Criminal: under Article 35, disclosing or publishing sensitive data in violation of the law, with intent to harm the data subject or for personal benefit, carries up to two years’ imprisonment and/or a fine of up to SAR 3 million. Enforcement is no longer theoretical — SDAIA publicised 48 enforcement decisions in its first year of active enforcement.
How is the PDPL different from GDPR?
The PDPL is GDPR-inspired but not GDPR-identical. The biggest differences: consent is the default lawful basis (legitimate interest exists only for non-sensitive data, added by the 2023 amendment); controllers may need to register on SDAIA’s National Data Governance Platform; cross-border transfers follow SDAIA’s own Transfer Regulations and SCCs (the adequacy list is still pending); and the PDPL adds criminal liability for unlawful sensitive-data disclosure. A mature GDPR programme is a strong head start, but it must be localised — notices, records, transfer mechanisms, and breach workflows all need PDPL-specific versions.
Do we need a Data Protection Officer under the PDPL?
Only if you hit a trigger. A DPO is required where the controller is a public entity processing personal data at scale, where core activities involve regular and systematic monitoring of individuals on a large scale, or where core activities involve processing sensitive data. If triggered, the appointment is documented and the DPO is registered through SDAIA’s National Data Governance Platform. Many of our clients combine the role with an existing CISO or use a virtual DPO arrangement — we help you decide and document either path.
How long does PDPL compliance take, and how is it priced?
For most mid-size organisations, 6–12 weeks from kickoff to an operating compliance programme: scoping and data mapping first, then gap assessment, remediation and documentation, and finally breach-drill and handover. Engagements are custom-scoped to entity count, data flows, regulator deadlines, and whether cross-border transfer work and DPO support are in scope. We provide a fixed, all-inclusive quote after a short scoping call — in SAR, AED, or USD for Gulf engagements — with no hourly billing and no scope creep.
What are the breach notification rules in Saudi Arabia and the UAE?
In Saudi Arabia, controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach that may harm personal data or data subjects, and notify affected individuals without undue delay where their rights or interests are at risk. In the UAE, the federal PDPL requires notifying the UAE Data Office — and affected individuals where the breach prejudices their privacy — but exact timelines and forms await the pending executive regulations. We build one breach playbook that satisfies both, with the 72-hour clock as the design constraint.
We are a B2B company with no consumer data. Does the PDPL still apply to us?
Almost certainly yes. The PDPL protects individuals, not consumers — so employee records, candidate CVs, business points of contact, and the personal details of partners and vendor staff are all in scope when those individuals are in Saudi Arabia. A pure B2B model usually narrows your processing inventory; it rarely empties it.
Does the PDPL require us to store data inside Saudi Arabia?
Not as a blanket rule. The PDPL regulates transfers rather than mandating localisation: data may leave the Kingdom where a lawful pathway under the Transfer Regulations exists — adequacy (once SDAIA’s list lands), Saudi-form Standard Contractual Clauses, Binding Common Rules, or certification — with minimisation and, in defined cases, a transfer risk assessment. Sector rules can be stricter, so regulated industries should check their own regulators too.
Does the PDPL cover anonymised or pseudonymised data?
Truly anonymised data — where no individual can be re-identified by any reasonably available means — falls outside the law. Pseudonymised data does not: if a key, lookup table, or combination of attributes can link it back to a person, it remains personal data with full PDPL obligations. Most "anonymised" analytics datasets we review are, on inspection, pseudonymised.
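The test in that answer, whether some combination of attributes still singles a person out, is mechanical enough to script. The following is an added example, not the page’s or TCSA’s code: it computes k-anonymity and a simple l-diversity over a constructed health export that has had names and IDs removed but still carries district, birth year and sex, lists the rows that remain unique on those attributes, and re-runs the check after generalising them. The records, field names and the district-to-city map are invented for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed "anonymised" export: names and IDs dropped, but district + birth
# year + sex survive and act as a key for some rows. Invented data.
SAMPLE_EXPORT: List[Record] = [
    {"district": "Al Olaya",   "birth_year": 1988, "sex": "F", "condition": "asthma"},
    {"district": "Al Olaya",   "birth_year": 1988, "sex": "F", "condition": "migraine"},
    {"district": "Al Malaz",   "birth_year": 1975, "sex": "M", "condition": "diabetes"},
    {"district": "Al Malaz",   "birth_year": 1975, "sex": "M", "condition": "hypertension"},
    {"district": "Al Rawdah",  "birth_year": 1992, "sex": "M", "condition": "diabetes"},
    {"district": "Al Nakheel", "birth_year": 1995, "sex": "M", "condition": "asthma"},
]
QUASI_IDENTIFIERS = ("district", "birth_year", "sex")
# Assumed lookup used to generalise district to city.
DISTRICT_TO_CITY = {"Al Olaya": "Riyadh", "Al Malaz": "Riyadh",
                    "Al Rawdah": "Riyadh", "Al Nakheel": "Riyadh"}


def key_of(record: Record, qis: Sequence[str]) -> Tuple:
    """The tuple of quasi-identifier values that an outside dataset could match on."""
    return tuple(record[q] for q in qis)


def equivalence_classes(records: List[Record], qis: Sequence[str]) -> Counter:
    """How many rows share each combination of quasi-identifier values."""
    return Counter(key_of(r, qis) for r in records)


def k_anonymity(records: List[Record], qis: Sequence[str]) -> int:
    """Smallest class size. k == 1 means at least one row is unique on the QIs."""
    classes = equivalence_classes(records, qis)
    return min(classes.values()) if classes else 0


def singled_out(records: List[Record], qis: Sequence[str]) -> List[Record]:
    """Rows unique on the QIs, i.e. linkable back to a person by anyone holding
    another dataset (electoral roll, HR file, app sign-up) with the same attributes."""
    classes = equivalence_classes(records, qis)
    return [r for r in records if classes[key_of(r, qis)] == 1]


def l_diversity(records: List[Record], qis: Sequence[str], sensitive: str) -> int:
    """Smallest number of distinct sensitive values inside any class. l == 1 means
    placing someone in the class reveals their sensitive value outright."""
    values = defaultdict(set)
    for r in records:
        values[key_of(r, qis)].add(r[sensitive])
    return min(len(v) for v in values.values()) if values else 0


def generalise(records: List[Record], bucket: int = 10) -> List[Record]:
    """Coarsen the QIs: district -> city, birth_year -> decade band."""
    out = []
    for r in records:
        g = dict(r)
        g["district"] = DISTRICT_TO_CITY[r["district"]]
        start = (r["birth_year"] // bucket) * bucket
        g["birth_year"] = f"{start}-{start + bucket - 1}"
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_EXPORT, QUASI_IDENTIFIERS))
    print("singled out:", singled_out(SAMPLE_EXPORT, QUASI_IDENTIFIERS))
    coarse = generalise(SAMPLE_EXPORT)
    print("generalised k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "l =", l_diversity(coarse, QUASI_IDENTIFIERS, "condition"))
```

On the raw export k is 1 and two rows are singled out, so the dataset is pseudonymised at best and stays inside the PDPL. After generalising district to city and birth year to a decade, every class has at least two members and at least two distinct conditions. A k of 2 is still weak for a real release; the point is that dropping the name column does nothing for anonymity, and the attributes that remain have to be tested against what an adversary could plausibly hold.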
Do small businesses have to register with SDAIA?
Size is not the test — the trigger is. Registration on SDAIA’s National Data Governance Platform applies on defined criteria, notably public entities, controllers whose main activity is processing personal data, and those processing sensitive data. A ten-person health-tech startup can be squarely in the registration net while a much larger trading company is not. We confirm your position as part of any gap assessment.
Keep Exploring
Related Reading
What Is the PDPL?
Saudi and UAE Personal Data Protection Laws — scope, rights, penalties.
PDPL Implementation
Phased roadmap for PDPL compliance across KSA and UAE operations.
PDPL vs GDPR
Key differences between the Saudi/UAE PDPL and EU GDPR.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote + on-site.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
GDPR Compliance
The EU's data protection regulation for any company with EU users.
Written By Expert Auditors
Get Started
Make PDPL a Closed Question
SDAIA is enforcing, your Saudi and Emirati customers are asking, and the 72-hour clock does not wait for a project plan. Start with a readiness assessment scoped to your actual data flows.
KSA PDPL (SDAIA) · UAE Federal Decree-Law 45/2021 · Serving the GCC, India, USA & UK
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.