What is Saudi Arabia's PDPL?
The Personal Data Protection Law (PDPL) is Saudi Arabia's landmark data privacy legislation. Enacted as part of Vision 2030's digital transformation agenda, it governs how personal data of individuals in the Kingdom must be collected, processed, stored, disclosed, and transferred.
Extraterritorial Reach
Applies to all entities — inside or outside the Kingdom — that process personal data of individuals in Saudi Arabia.
Legal Basis for Processing
Consent is the default legal basis. Other lawful bases include legal obligation, contractual necessity, and legitimate interests (excluding sensitive data).
Sensitive Data Protections
Processing of sensitive personal data requires explicit consent unless a specific statutory exception applies. Additional safeguards and regulatory conditions must be implemented. Sensitive data includes genetic data, biometric data, health data, credit data, and data indicating racial or ethnic origin.
Controller Registration
Controllers must register on the National Data Governance Platform if they are a public entity, process sensitive data, or if personal data processing is their core activity.
Key Roles
The PDPL defines specific roles with distinct obligations. Understanding which role applies to your organisation is the foundation of compliance.
1. Data Subject
Any individual whose personal data is collected or processed — including Saudi citizens, residents, visitors, and tourists physically present in the Kingdom. Rights extend beyond death.
2. Personal Data Controller
The entity that determines the purposes and means of personal data processing. Bears primary compliance obligations including registration, legal basis, and data subject rights fulfilment.
3. Personal Data Processor
Third parties processing data on behalf of the Controller under contract. Must adhere to instructions from the Controller and applicable PDPL obligations.
4. SDAIA (Regulator)
The Saudi Data and Artificial Intelligence Authority oversees enforcement, issues regulations, and receives breach notifications. May transfer authority to NDMO in future.
5. Data Protection Officer (DPO)
Mandatory for public entities with large-scale processing, organisations conducting systematic data subject monitoring, or those processing sensitive data. Must have relevant qualifications and experience.
DATA SUBJECT RIGHTS
Individual Rights Under the PDPL
Data subjects in Saudi Arabia are entitled to the following rights. Controllers must have processes in place to receive, verify, and respond to these requests.
1. Right to be Informed: Individuals must be told the legal basis, purpose of collection, the controller's identity, who data is shared with, cross-border transfer risks, and their rights — in clear, simple language.
2. Right of Access: Individuals may request a clear, readable copy of their personal data held by the Controller.
3. Right to Rectification: Individuals can request correction, addition, or update of inaccurate or incomplete personal data.
PENALTIES
Consequences of Non-Compliance
The PDPL establishes a tiered penalty structure. Fines can be doubled for repeat violations, and certain breaches carry criminal liability including imprisonment.
1. Sensitive Data Breach: Fine up to SAR 3 million and/or up to 2 years imprisonment for unauthorised disclosure or publication of sensitive data with intent to harm the data subject or for personal gain.
2. Tier 2 Fines: Up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations such as unlawful processing, breach of rights, or failing to notify breaches.
3. Other Consequences: Reputational damage, litigation risks, and operational disruptions during investigations or audits.
COMPLIANCE FRAMEWORK
PDPL Compliance Requirements
Below is a structured overview of key PDPL obligations and what organisations must implement to comply. This mirrors SDAIA's expectations for demonstrating accountability.
PDPL REQUIREMENT (area: requirement) / WHAT ORGANISATIONS MUST DO
Governance: Controller Registration
Register on the National Data Governance Platform if you are a public entity, process sensitive data, or personal data processing is your core activity.
Legal Basis: Lawful Basis for Processing
Identify and document a valid legal basis for every processing activity. Consent is the default; alternatives include legal obligation, contract, and legitimate interests (not for sensitive data).
Transparency: Privacy Notices
Provide clear, simple, and accessible privacy notices informing data subjects of the purpose, legal basis, data sharing details, cross-border transfers, and their rights.
Records: Record of Processing Activities (RoPA)
Maintain an up-to-date RoPA documenting all processing activities, purposes, legal bases, data categories, retention periods, and third-party recipients.
Rights: Data Subject Request (DSR) Process
Establish workflows to receive, verify, and respond to access, rectification, erasure, and consent withdrawal requests within regulatory timeframes.
DPO: Data Protection Officer Appointment
Appoint a qualified DPO if required (public entities, systematic monitoring, sensitive data processing). The DPO must have relevant qualifications and experience in data protection.
Risk: Privacy Impact Assessment (PIA)
Conduct PIAs for high-risk processing activities, especially involving sensitive data, large-scale profiling, automated decision-making, or new technologies.
Security: Data Security Measures
Implement appropriate technical and organisational measures to protect personal data. Document security controls and review them regularly in line with NCA cybersecurity frameworks.
Breach: Data Breach Notification
Establish a breach detection and response process. Notify SDAIA of breaches that may harm data subjects. Maintain a breach log with impact assessments. Notification must be made within the timeframe prescribed by SDAIA regulations following discovery of the breach.
Transfers: Cross-Border Data Transfers
Transfers outside KSA must comply with SDAIA's data transfer regulations, including adequacy assessment or implementation of approved safeguards.
Vendors: Third-Party & Processor Management
Vet processors and third parties. Establish data processing agreements. Monitor compliance readiness of vendors who handle personal data on your behalf.
Consent: Consent Management
Where consent is the legal basis, collect it in a clear, affirmative, purpose-specific manner. Maintain timestamped records of consent and provide a simple withdrawal mechanism.
Marketing: Direct Marketing Rules
Comply with SDAIA's updated direct marketing guidelines (2024 amendments). Obtain valid consent before sending marketing communications. Honour opt-outs promptly.
Retention: Data Retention & Minimisation
Define and enforce retention schedules. Personal data should not be retained longer than necessary for its stated purpose. Implement processes for defensible deletion.
When is a DPO Mandatory?
Under the PDPL and SDAIA's Rules for Appointing Personal Data Protection Officers (published August 2024), a Controller must appoint a DPO in any of the following circumstances:
- The organisation is a public entity
- The organisation's core activities involve the large-scale processing of personal data
- The organisation conducts regular and systematic monitoring of data subjects
- The organisation processes sensitive personal data as part of its operations
Even where a DPO appointment is not strictly mandatory, SDAIA encourages voluntary appointment as part of a robust compliance posture. Controllers must also verify whether their data processors have appointed a DPO where one is required.
Can the DPO Be Outsourced?
Yes, and this is explicitly provided for under the PDPL framework. Article 4(2) of SDAIA's DPO Rules states clearly that the DPO can be an internal employee of the Controller or an external contractor. The appointment must be formalised in writing, either via an internal appointment letter or an external contract, and the DPO's contact details must be made accessible to data subjects and submitted to SDAIA through the National Data Governance Platform. This flexibility allows Controllers to choose the arrangement best suited to their size and operational structure, whether that means building the function internally or engaging external expertise.
Why Organisations Choose an Outsourced DPO
For many organisations, particularly those new to PDPL compliance, mid-sized enterprises, or those operating in Saudi Arabia from abroad, appointing an in-house DPO may not be practical. An outsourced DPO provides access to specialist, multi-jurisdictional data protection expertise without the overhead of a full-time hire. It also ensures the DPO maintains the independence required by SDAIA, as the rules prohibit assigning the DPO responsibilities that could conflict with their compliance role.