
Saudi PDPL · The Complete Guide

What Is the Saudi PDPL?

The Personal Data Protection Law is the Kingdom’s national privacy law — GDPR-inspired, SDAIA-enforced, and fully in effect since 14 September 2024. This guide walks the whole law: who it covers, what it demands, the rights it grants, and what non-compliance costs.

Written and maintained by TCSA’s cross-jurisdiction privacy team — last reviewed June 2026 against the amended law and current regulations.

Royal Decree M/19, 2021 · 14 Sep 2024: full enforcement · SAR 5M: maximum fine per violation

PDPL (as amended 2023) · Implementing & Transfer Regulations · SDAIA

Direct Answer

The law, in plain terms

The PDPL regulates the full lifecycle of personal data belonging to individuals in Saudi Arabia — collection, use, sharing, transfer, and destruction — for every organisation, of any size, in any sector, anywhere in the world, that processes it. It is consent-first, registration-backed, and enforced by SDAIA with real penalties. It was built as part of Vision 2030’s digital-economy programme: the Kingdom wants data flowing — lawfully.

How We Got Here

From Royal Decree to Active Enforcement

16 Sep 2021

PDPL issued by Royal Decree M/19

Saudi Arabia’s first comprehensive national data protection law, covering public and private sectors.

27 Mar 2023

Amended by Royal Decree M/148

The substantive rewrite: legitimate interest added for non-sensitive data, transfer rules reworked, and the enforcement posture clarified.

14 Sep 2023

In force, with regulations

The law took effect alongside its Implementing Regulations and the Personal Data Transfer Regulation, with a one-year grace period to comply.

14 Sep 2024

Full enforcement begins

The grace period ended. Since this date SDAIA can — and does — enforce against every organisation in scope.

2024 – present

Regulations evolving

The Transfer Regulation was amended in 2024; SDAIA continues to issue guidance, with the cross-border adequacy list still pending as of June 2026.

The Machinery

Who Enforces the PDPL

SDAIA — the regulator

The Saudi Data & Artificial Intelligence Authority supervises the PDPL: it issues the regulations and guidance, receives breach notifications, runs the registration platform, and houses the violation committees that levy fines.

The National Data Governance Platform

SDAIA’s portal (dgp.sdaia.gov.sa) is where controller registration happens when required, and where Data Protection Officer appointments are recorded.

Public Prosecution — criminal cases

Criminal violations — unlawful disclosure of sensitive data under Article 35 — are investigated and prosecuted by the Public Prosecution, separately from SDAIA’s administrative track.

NDMO — the long game

The National Data Management Office sits within the Kingdom’s broader data governance structure; supervision was designed to be transferable from SDAIA as the regime matures.

Scope

Who and What It Covers

In scope

  • Every public and private entity processing personal data of individuals in the Kingdom — no size threshold, no sector carve-out
  • Foreign entities processing Saudi residents’ data from anywhere in the world
  • Electronic and systematic manual (paper) processing alike
  • Data of deceased individuals, where it would identify them or their family

Out of scope

  • Processing strictly for personal or family use — the household exception
  • Truly anonymised data, where no individual can be re-identified by reasonably available means

Both exceptions are narrower than they look: household data made public or used commercially comes back into scope, and most “anonymised” datasets are in practice pseudonymised — which the law still treats as personal data.
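The anonymised/pseudonymised line above is the one scoping question an engineer can actually test. The following is an added example (not from the page or SDAIA): a constructed export of fictitious records in which the national ID has been replaced by an unkeyed SHA-256 hash and direct identifiers dropped, but birth year, district and sex remain. It runs two checks a practitioner would want before calling a dataset out of scope: k-anonymity over the quasi-identifiers (a class of size 1 means someone can be singled out with "reasonably available" knowledge), and a dictionary attack on the hashed IDs, which shows that unkeyed hashing of a small identifier space is pseudonymisation, not anonymisation. The keyed variant resists the dictionary attack but is still a pseudonym, since the key holder can re-identify; the function names, the sample IDs and the quasi-identifier choice are all assumptions for illustration.

```python
"""Added example: is an 'anonymised' export really anonymised?

All records and IDs below are constructed for the demo; they are not real
people. Quasi-identifiers and thresholds are assumptions, not SDAIA rules.
"""
import hashlib
import hmac
from collections import defaultdict

QUASI_IDENTIFIERS = ("birth_year", "district", "sex")


def pseudonymise(national_id: str) -> str:
    """Unkeyed SHA-256 of the ID: what many 'anonymised' exports actually do."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def pseudonymise_keyed(national_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Not reversible by dictionary attack
    without the key, but whoever holds the key can re-identify, so the
    output is still a pseudonym and still personal data."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


# Constructed sample: five fictitious records, hashed IDs, direct identifiers
# (name, phone, address) already removed.
_SAMPLE_IDS = ["1000000001", "1000000002", "1000000003",
               "1000000004", "1000000005"]
RECORDS = [
    {"id_hash": pseudonymise(_SAMPLE_IDS[0]), "birth_year": 1985,
     "district": "Olaya", "sex": "F", "diagnosis": "asthma"},
    {"id_hash": pseudonymise(_SAMPLE_IDS[1]), "birth_year": 1985,
     "district": "Olaya", "sex": "F", "diagnosis": "none"},
    {"id_hash": pseudonymise(_SAMPLE_IDS[2]), "birth_year": 1992,
     "district": "Al Malaz", "sex": "M", "diagnosis": "none"},
    {"id_hash": pseudonymise(_SAMPLE_IDS[3]), "birth_year": 1992,
     "district": "Al Malaz", "sex": "M", "diagnosis": "diabetes"},
    {"id_hash": pseudonymise(_SAMPLE_IDS[4]), "birth_year": 1995,
     "district": "Al Khobar", "sex": "M", "diagnosis": "hypertension"},
]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def min_k(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class: the dataset's k-anonymity."""
    return min(len(v) for v in equivalence_classes(records, quasi).values())


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Records alone in their class: anyone who knows one person's birth
    year, district and sex (a neighbour, an employer) can pick them out and
    read the sensitive column beside them."""
    return [v[0] for v in equivalence_classes(records, quasi).values()
            if len(v) == 1]


def generalise(record):
    """Coarsen the quasi-identifiers: birth year to decade, drop district.
    One way to push k up; the cost is analytical precision."""
    g = dict(record)
    g["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    g["district"] = "*"
    return g


def reverse_hashes(hashes, candidate_ids):
    """Dictionary attack on unkeyed hashes: returns {hash: id} for each hit.
    A 10-digit ID space is small enough to enumerate in full; the candidate
    window here is constructed to keep the demo short."""
    table = {pseudonymise(cid): cid for cid in candidate_ids}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    print("k before generalisation:", min_k(RECORDS))
    print("singled out:", [r["district"] for r in singled_out(RECORDS)])
    print("k after generalisation:", min_k([generalise(r) for r in RECORDS]))
    window = [f"10000000{n:02d}" for n in range(100)]
    print("IDs recovered from hashes:",
          len(reverse_hashes([r["id_hash"] for r in RECORDS], window)))
```

On the constructed sample the export fails both checks: k is 1 (the Al Khobar record is unique on its quasi-identifiers) and every hashed ID is recovered from a hundred-entry dictionary. Generalising birth year to a decade and dropping the district lifts k to 2, but the hashed ID column would still have to go, or be replaced by a keyed pseudonym held under the same controls as the source data, before anyone should argue the dataset is outside the law.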

The Vocabulary

Six Definitions That Decide Everything

Scoping disputes — is this in scope? are we a controller? is this sensitive? — resolve to these definitions. Get them right early and the rest of the programme follows.

Personal data

Any information that identifies an individual directly or indirectly — names, ID numbers, addresses, contact details, financial information, photos and video, plus online identifiers like IP addresses, device IDs, and cookies. Distinctively, data of deceased individuals is covered where it would identify them or their family.

Sensitive data

Data revealing racial or ethnic origin, religious, intellectual, or political beliefs, criminal and security data, biometric and genetic data, health data, and data indicating unknown parentage. Sensitive data carries stricter rules — and criminal exposure for unlawful disclosure.

Processing

Effectively anything done to personal data: collecting, recording, storing, indexing, organising, modifying, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing, and destroying it.

Controller

The entity that decides why and how personal data is processed. Controllers carry the primary legal burden — and remain responsible even when the work is outsourced.

Processor

An entity processing personal data on a controller’s behalf and under its instructions — cloud providers, payroll bureaus, agencies. Processors have their own duties: follow instructions, secure the data, support breach response and data subject requests.

Data subject

The individual the data is about. The PDPL grants data subjects an enforceable set of rights, a complaint channel to SDAIA, and a route to court-ordered compensation.

The Spine of the Law

Seven Principles Behind Every Obligation

01

Lawfulness & fairness

Every processing activity needs a valid legal basis — consent by default, or one of the law’s defined alternatives.

02

Purpose limitation

Data collected for a stated purpose cannot be quietly repurposed; new purposes need a fresh basis or a lawful compatibility route.

03

Data minimisation

Collect only what the purpose genuinely requires. "Nice to have" fields are liabilities, not assets.

04

Accuracy

Data must be accurate, complete, and current — with corrections passed to anyone you previously shared it with.

05

Storage limitation

When the purpose ends, the data goes — securely destroyed unless a legal retention duty says otherwise.

06

Security

Technical, organisational, and administrative safeguards proportionate to the data — at rest, in use, and in transit.

07

Accountability

Maintain the records that prove all of the above — starting with a Record of Processing Activities (RoPA) you can hand to SDAIA.

Lawfulness deserves its own map: the PDPL is consent-first, with a short list of alternatives — see the full lawful-bases table on the hub page, and the PDPL vs GDPR comparison for how the model differs from the EU’s.

Data Subject Rights

Eight Rights Saudi Residents Can Enforce

Plan workflows around the statutory clocks: responses within 30 days under the Implementing Regulations, complaints to SDAIA within 90 days of a violation, and compensation claims that run independently of regulatory penalties.

01

To be informed

Told the purpose, legal basis, collection method, and their rights — at or before collection, via a privacy notice.

02

Access

Confirm whether you process their data and see it, within narrow statutory limits (e.g. national security, others’ privacy).

03

Obtain a copy

Receive their personal data in a clear, readable format.

04

Correction

Have inaccurate, incomplete, or outdated data corrected — with downstream recipients notified.

05

Destruction

Have data destroyed when no longer needed, when consent is withdrawn with no other basis, or when processing was unlawful.

06

Withdraw consent

At any time, as easily as it was given — without affecting processing that was lawful before withdrawal.

07

Complain to SDAIA

File a complaint with the regulator within 90 days of a violation or of becoming aware of it.

08

Seek compensation

Pursue court-ordered compensation for material or moral harm — independent of any administrative penalty on the controller.

Controller Duties

The Compliance Checklist, Condensed

Ten duties cover the bulk of PDPL programmes. Each maps to a deeper guide in the PDPL hub.

1. Map every processing activity to a documented legal basis before processing starts
2. Publish privacy notices covering purpose, basis, rights, transfers, and retention — before collection
3. Maintain a Record of Processing Activities (RoPA) producible to SDAIA on request
4. Register on the National Data Governance Platform where the registration triggers apply
5. Appoint and register a Data Protection Officer when the DPO triggers are met
6. Run Data Protection Impact Assessments for high-risk and public-facing processing
7. Secure the data with proportionate technical and organisational safeguards
8. Answer data subject requests within the statutory window — plan for 30 days
9. Notify SDAIA within 72 hours of qualifying breaches, and affected individuals where at risk
10. Use a lawful pathway under the Transfer Regulations for any data leaving the Kingdom

Summarised from the PDPL (as amended 2023), its Implementing Regulations, and the Transfer Regulation — always confirm current requirements against SDAIA’s official publications.

Cross-border transfers

Personal data may leave the Kingdom only through a lawful pathway under the Transfer Regulations (as amended 2024): an adequacy decision once SDAIA’s approved-country list lands, Saudi-form Standard Contractual Clauses, Binding Common Rules for intra-group transfers, or certification — with data minimisation throughout and a transfer risk assessment in defined cases. EU SCCs do not substitute.

Penalties

Two tracks. Administrative: SDAIA’s violation committees issue warnings and fines up to SAR 5 million per violation, doubled for repeat violations. Criminal: unlawful disclosure of sensitive data — with intent to harm or for personal benefit — carries up to two years’ imprisonment and/or a SAR 3 million fine under Article 35, prosecuted by the Public Prosecution. Courts can also order confiscation, and harmed individuals can claim compensation separately.

Primary sources: the PDPL text, Implementing Regulations, Transfer Regulation, and SDAIA’s guidance are published via sdaia.gov.sa and the National Data Governance Platform. This guide summarises the law as of June 2026 for planning purposes — it is not legal advice, and evolving SDAIA guidance (such as the pending adequacy list) should always be checked at source.

What Is the PDPL — FAQs

The five questions every Saudi-facing leadership team asks first.

What is the Saudi PDPL in one paragraph?

The Personal Data Protection Law (PDPL) is Saudi Arabia’s national privacy law — issued by Royal Decree M/19 in September 2021, amended in March 2023, in force since 14 September 2023, and fully enforced since 14 September 2024. It governs how any organisation, inside or outside the Kingdom, collects, uses, shares, and transfers the personal data of individuals in Saudi Arabia, under the supervision of SDAIA, with administrative fines up to SAR 5 million per violation and criminal liability for unlawful disclosure of sensitive data.

Is the PDPL actually being enforced?

Yes. The grace period ended on 14 September 2024, and SDAIA has been issuing enforcement decisions since — including publicised actions in its first year of active enforcement. Treating the PDPL as a future obligation is the single most expensive misread a Saudi-facing business can make right now.

What changed in the 2023 amendment?

Royal Decree M/148 (March 2023) reshaped the law before it took effect. The headline changes: legitimate interest was added as a lawful basis for non-sensitive data, the cross-border transfer regime was reworked into what became the Transfer Regulations, and registration duties were refined. If you are reading PDPL commentary, check whether it predates the amendment — much of the older material is stale.

Does the PDPL apply to companies with no presence in Saudi Arabia?

Yes — it applies extraterritorially. Any entity, anywhere, that processes the personal data of individuals residing in the Kingdom is in scope, and the Implementing Regulations expect foreign controllers to designate a representative in Saudi Arabia. Selling SaaS to Saudi customers, running an app with Saudi users, or processing a Saudi subsidiary’s HR data from abroad all count.

How does the PDPL relate to GDPR?

It is GDPR-inspired in structure — principles, rights, breach notification, transfer controls — but materially different in the details: consent-first lawful bases, a registration regime on SDAIA’s platform, Saudi-form transfer mechanisms, and criminal liability for sensitive-data disclosure. We maintain a dimension-by-dimension comparison on our PDPL vs GDPR page.

Continue your PDPL research

  • The PDPL hub — obligations, lawful bases, penalties, and every guide in one place.
  • PDPL vs GDPR — fourteen dimensions compared, and the localisation workplan.
  • PDPL gap assessment — turn this guide into a risk-ranked register for your organisation.
  • The PDPL FAQ — twenty-plus practitioner questions, answered plainly.

Written By Expert Auditors

Saundhi Chauhan, Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
