top of page

In brief: What do you know about…Saudi Arabia’s Personal Data Protection Law (PDPL)?

PDPL will officially come into force on 14 September 2023. Organizations will have till 13 September 2024 to comply.

who needs to comply with this law?

a. Material Scope

Applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia.

!covers the deceased’s personal data, if it would lead to identifying the deceased or one of his/her family members specifically.

Excludes: the processing for domestic purposes

b. Territorial Scope

The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organization processes personal data related to individuals residing in Saudi Arabia, then the PDPL will also apply.

What obligations do companies have?

1) Consent Requirements

-personal data can’t be processed without consent, only in a few cases consent is not required:

  • If the processing would achieve a clear benefit and it is impossible or impractical to contact the data subject;

  • If it is required by law or prior agreement to which the data subject is a party;

  • If the controller is a public entity and the processing is required for security or judicial purposes;

  • If the controller is collecting data for scientific, research, or statistical purposes while having taken the necessary steps stipulated within the law;

  • Processing is necessary for the legitimate interests of the controller or other party provided that the rights of data subjects are not prejudiced. However, this does not apply in the case of sensitive personal data.

consent can be withdrawn

! must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

2)Privacy Policy Requirements

Has to be adopt and make it available to data subjects to review BEFORE collecting their data.

This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of its owner in relation to it, and how these rights will be exercised.

3) Security Requirements

all necessary organisational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred

4)Data Breach Requirements

Notificationof the regulatory authority no later than 72 hours of first becoming aware of a data breach.+provide the detailed analysis of the breach and what steps are being taken to ensure such an incident is not repeated.

If data breach puts the data subjects' personal data at SIGNIFICANT risk, the data controller must inform them promptly. +communicate the contact details of the relevant DPO the data subjects can contact to know more about what data has been compromised.

5)Mandatory Data Protection Officer Requirement

6)Mandatory Data Protection Impact Assessment for any product or service provided to the public according to the nature of their processing activities.

7)Mandatory Record of Processing Activities

8)Vendor Assessment/Third Party checks

9)International transfers:

allowed but it is required the recipient country has:

- regulations that ensure appropriate protection of personal data

-has a supervisory entity that imposes appropriate procedures and measures on controllers to protect personal data.

What rights do data subjects have?

  • Right to Know Data subjects have the right to know about the data controller's contact details, the exact reason the data is being collected, the methods being used for data collection, and whether this collected data will be shared or sold.

  • Right to Correct Data subjects have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.

  • Right to Erasure Data subjects have the right to request the destruction of data collected on them. The reasons can range from the user rescinding their consent for data collection to the data no longer serving the purpose for which it was collected.

  • Right Restrict theProcessing - Data subjects have the right to limit or refuse the processing of their personal information by the organization for special cases and for a limited period of time. This right is not explicitly provided under the PDPL, however, the regulatory authority has released a set of FAQ that provides details of this right.

  • Right to Data Portability: The data subjects can obtain their personal data in a legible and clear format and request their personal data to be transferred to another controller.

! Controller must fulfill the request in 30 days and record it.

Who enforces this new law?

Saudi Data & Artificial Intelligence Authority (SDAIA) till 2023

A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2024.


-for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organisations and individuals can therefore be sanctioned.

-other provisions of the PDPL:

warning notice or a fine not exceeding SAR 5 million ($1.3 million).

3 views0 comments


bottom of page