Saudi PDPL
Personal Data Protection Law (Royal Decree M/19 of 2021, as amended)
Saudi Arabia's PDPL is the Kingdom's first comprehensive data protection law, entering into force on 14 September 2023 alongside its Implementing Regulations. A transition period ended on 14 September 2024, after which the law became fully enforceable by SDAIA. It establishes consent requirements, data subject rights, accountability duties, and rules for transfers outside the Kingdom.
Who it applies to
The law applies to any processing of individuals' personal data that takes place within Saudi Arabia by any means, and to processing of Saudi residents' personal data by entities outside the Kingdom. It covers both public and private sector controllers and processors.
Identity requirements
- Establish a lawful basis for processing, generally requiring the data subject's consent, with limited statutory exceptions
- Provide data subjects with rights to be informed, to access, to obtain copies, to request correction, and to request destruction of their personal data
- Register or comply with national data controller requirements and maintain records of processing activities
- Implement organizational and technical safeguards to secure personal data and prevent unauthorized access
- Notify SDAIA of personal data breaches and notify affected data subjects where the breach may cause harm
- Apply conditions and approved mechanisms for transferring personal data outside Saudi Arabia
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Processing is generally consent-driven, requiring robust consent capture and lifecycle management for customer identities. |
| Data residency & cross-border transfer | The law and its transfer regulation restrict moving personal data outside the Kingdom to cases meeting defined conditions and safeguards. |
| Breach notification | Controllers must notify SDAIA and, where harm is likely, affected individuals of personal data breaches. |
| Identity verification (KYC/proofing) | Identity proofing must align with lawful-basis and data-minimization obligations when collecting identity data. |
| Audit, logging & accountability | Controllers must keep records of processing and demonstrate accountability under SDAIA oversight. |
Penalties
Penalties include fines of up to 5 million Saudi riyals (which may be doubled for repeat offenses) and, for unlawful disclosure or transfer of sensitive data, imprisonment of up to two years and/or a fine of up to 3 million riyals.
Saudi PDPL: frequently asked questions
- When did the Saudi PDPL become enforceable?
  - The PDPL entered into force on 14 September 2023, and after a one-year transition period it became fully enforceable on 14 September 2024.
- Who regulates the Saudi PDPL?
  - The Saudi Data and Artificial Intelligence Authority (SDAIA) is the supervisory authority responsible for enforcing the law and issuing its regulations and guidance.
- Does the PDPL restrict sending personal data outside Saudi Arabia?
  - Yes. Cross-border transfers are permitted only under conditions set out in the law and the Regulation on Personal Data Transfer Outside the Kingdom.