Common questions about Saudi Arabia's Personal Data Protection Law: who it covers, what it requires, how data leaves the Kingdom, and how it overlaps with NCA and SAMA.
The Personal Data Protection Law is Saudi Arabia's general data protection regime. This FAQ covers the questions that come up most often when compliance and privacy teams first engage with it: who has to comply, the lawful bases for processing, the rights of individuals, cross-border transfer, breach notification, and how it sits alongside frameworks teams may already follow.
The PDPL is Saudi Arabia's general personal data protection law. It governs how the personal data of individuals is collected, processed, disclosed, transferred, and destroyed, sets out the rights of those individuals, and places accountability obligations on the organizations that decide how and why personal data is processed. It applies across the public and private sectors and is supported by Implementing Regulations and a separate regulation for transfers of data outside the Kingdom.
It was issued by Royal Decree (M/19) and amended by Royal Decree (M/148). A Competent Authority designated by the Council of Ministers oversees implementation, currently the Saudi Data and AI Authority (SDAIA), without prejudice to the powers of the Saudi Central Bank in its own domain. The Competent Authority can issue accreditation and audit licences, maintains a national register of controllers, handles complaints, and supervises controllers and processors, including those outside the Kingdom.
It shares the same family of ideas as GDPR, such as lawful bases, individual rights, accountability, breach notification, and restrictions on international transfers, but it is a distinct Saudi law. It has its own definitions, its own regulator, a national register of controllers, special regimes for Health and Credit data, and its own transfer rules. Treat existing GDPR alignment as a strong head start, not as automatic compliance, and map your controls rather than assuming equivalence.
The primary obligated party is the Controller: a public entity, a natural person, or a private legal person that determines the purpose and manner of processing personal data, whether it processes that data itself or through a processor. If your organization decides why and how personal data about individuals is handled, you are a controller under the law and the obligations fall on you.
Yes. The law reaches the processing of personal data of individuals residing in the Kingdom even when that processing is carried out by a party outside the Kingdom, by any means. The Competent Authority defines tools and procedures to monitor and enforce compliance for controllers and processors located abroad. A foreign-headquartered business serving Saudi residents should assume it is in scope.
Processors that handle personal data on behalf of a controller are bound by the law. A controller may only select processors that provide the guarantees needed to meet the law and must monitor their compliance, while remaining responsible to the individual and the Competent Authority. Anyone involved in processing must protect the confidentiality of the data even after the working or contractual relationship ends.
Processing by an individual purely for personal or family use is outside the scope, as long as the data is not published or disclosed to others. The law also does not override any other law or international agreement that grants the individual stronger protection. Certain obligations have narrow carve-outs for public entities acting for security or judicial purposes, but these are exceptions, not a general waiver.
Personal data is any data, in any form, that can directly or indirectly identify an individual, and it extends to a deceased person's data where it could identify them or a family member. Sensitive Data is a defined subset: racial or ethnic origin, religious, intellectual or political belief, criminal and security data, biometric or genetic data used to identify a person, health data, and data indicating unknown parentage. Health Data and Credit Data carry additional, stricter controls.
Consent is the default basis: it may be required to be explicit, can be withdrawn at any time, and cannot be made a condition of an unrelated service. Processing without consent is allowed in defined situations: where it serves the actual interests of the individual but reaching them is impossible or difficult, where another law or a prior agreement requires it, where a public entity needs it for security or judicial purposes, and for the controller's legitimate interests, provided no Sensitive Data is involved and the individual's rights are respected.
Individuals have the right to be informed of the legal basis and purpose of collection, to access their personal data held by a controller, to obtain it in a readable and clear format, to request correction, completion or updating, and to request destruction when the data is no longer needed. Controllers must respond within the period set by the Implementing Regulations, and may set or limit time frames for the access right only in the specific cases the law allows.
The recurring duties are: have a privacy policy available before collection, give notice at the point of collection, collect directly and for a specific purpose, minimize data and keep it accurate, restrict and document disclosures, destroy data when its purpose ends, apply organizational, administrative and technical security, notify breaches, respond to individuals' rights requests, run impact assessments for products and services, and keep records of processing activities available to the Competent Authority.
Yes. A controller must have a privacy policy available to individuals before their data is collected, and must give a collection notice that covers the legal basis, the purpose, which data is mandatory and which is optional, the identity of the collecting party where relevant, whether data will be transferred or disclosed outside the Kingdom, the consequences of not providing the data, and the individual's rights and how to exercise them.
The law requires the Implementing Regulations to identify the situations in which a controller must appoint one or more personal data protection officers. Organizations with large-scale processing, regular monitoring, Sensitive Data, or public-body status are the typical candidates. Check the criteria in the current Implementing Regulations to confirm whether a formal appointment, and a defined responsibilities mandate, applies to you.
Yes. A controller must maintain records of personal data processing activities, available to the Competent Authority on request. At a minimum the records cover the controller's contact details, the purpose of processing, the categories of data subjects, any entities to which data has been or will be disclosed, whether data is transferred or disclosed outside the Kingdom, and the expected retention period. This is the Saudi equivalent of a record of processing activities.
Yes. A controller must conduct an impact assessment of personal data processing in relation to any product or service it offers, scaled to the nature of the activity, in line with the Implementing Regulations. In practice this means assessing privacy risk before launching or materially changing a product, service, or processing activity, and keeping the assessment on file as part of your accountability evidence.
The controller must implement all the necessary organizational, administrative and technical measures to protect personal data, including while it is being transferred, in line with the controls in the Implementing Regulations. The law does not prescribe a single technology; it expects measures proportionate to the data and the risk, which is why mapping to a recognized control set such as NCA ECC or ISO 27001 is an efficient way to evidence compliance.
A controller must notify the Competent Authority upon becoming aware of any breach, damage, or unlawful access to personal data. The controller must also notify affected individuals where the incident would cause damage to their data or prejudice their rights or interests. The exact timing and content are set out in the Implementing Regulations, so a tested incident response process, with predefined notification templates and decision criteria, is essential.
Transfers and disclosures outside the Kingdom are permitted only for purposes set out in the law, such as performing an obligation under an agreement to which the Kingdom is a party, serving the Kingdom's interests, or performing an obligation to which the individual is a party. They must not prejudice national security or the Kingdom's vital interests, the destination must offer protection at least equivalent to the law as assessed by the Competent Authority, and the transfer must be limited to the minimum data necessary. Narrow exceptions exist for extreme necessity to protect life or health. The Data Transfer Regulation sets out the detailed mechanisms.
The Competent Authority supervises compliance through complaints, audits, and the national register. Sanctions range from a warning to monetary fines that scale with the seriousness of the violation and can be doubled for repeat offenses. The most serious cases, such as disclosing or publishing Sensitive Data with intent to harm an individual or for personal benefit, can carry imprisonment. Courts can also order confiscation, publication of the judgment, and compensation for material or moral damage to affected individuals.
Inventory your personal data and processing activities, set and document lawful bases, publish compliant privacy notices, stand up records of processing, impact assessments, and a breach process, assess cross-border transfers, and appoint a data protection officer and register with the Competent Authority where required. Most of this overlaps with NCA ECC, SAMA, and ISO 27001, so assess once and reuse. Kevala ships the PDPL as assessable controls out of the box, mapped to your other frameworks, with everything kept on your own infrastructure. See our companion NCA ECC FAQ and SAMA CSF FAQ.
Kevala supports the Saudi PDPL out of the box. Talk to us.