Data protection & privacy laws in Saudi Arabia (2026)
Saudi Arabia has a comprehensive, GDPR-aligned data protection regime under the Personal Data Protection Law (PDPL), which entered into force on 14 September 2023 with full compliance required from 14 September 2024 after a one-year grace period. The national data protection authority is SDAIA, which issued the Implementing Regulations and a dedicated cross-border data transfer regulation, and operates enforcement committees that have begun imposing penalties.
Key points
The PDPL (Royal Decree M/19 of 2021, amended by M/148 of 2023) and its Implementing Regulations came into force on 14 September 2023; the one-year grace period ended 14 September 2024, after which all organizations processing personal data in the Kingdom must be fully compliant.
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the regulator overseeing and enforcing the PDPL, issuing guidance (DPO appointment, privacy notices, data destruction/anonymization) and operating violation-review committees.
The law applies to any processing of personal data of individuals that occurs within the Kingdom, and to processing by entities located outside the Kingdom of personal data of individuals residing in Saudi Arabia.
Individuals have GDPR-style rights including to be informed, access, rectification, erasure, data portability, objection, and to lodge complaints with SDAIA, plus the right to be notified of breaches posing high risk.
A dedicated Regulation on Personal Data Transfer Outside the Kingdom (Article 29), updated 1 September 2024, governs transfers via adequacy assessments, standard contractual clauses, binding common rules, and certificates; controllers must conduct transfer risk assessments, with 2025 guidance issued on these.
Core obligations include lawful basis, purpose limitation, security, accountability, DPO appointment and DPIAs; breaches must be notified to SDAIA within 72 hours. Fines reach up to SAR 5 million per violation (doubled for repeat offenses), and unlawful disclosure of sensitive data can carry imprisonment up to 2 years and/or fines up to SAR 3 million.
Timeline - major decisions & events
SDAIA's quasi-judicial enforcement committees began issuing binding decisions, including warnings, fines of up to SAR 5 million, and remediation orders against non-compliant organisations. This signalled the definitive end of the post-enactment tolerance period. Source: Clyde & Co
SDAIA's specialised committees announced 48 adjudication decisions against organisations for PDPL violations covering unlawful data collection, inadequate security controls, and unsolicited marketing without prior consent, establishing enforcement precedents across retail, telecoms, and financial services. Source: IAPP
The transition period ended, making all PDPL obligations (including breach notification, data-subject rights, and consent requirements) immediately and fully enforceable against all public and private entities processing personal data in the Kingdom. Source: Morgan Lewis
SDAIA published a standalone regulation governing personal data transfers outside Saudi Arabia, requiring either an SDAIA adequacy determination for the destination country or explicit SDAIA authorisation, and mandating risk assessments for large-scale or continuous cross-border transfers. Source: Securiti / SDAIA
The NCA released a revised ECC framework that removed the explicit data-localisation requirement from its own controls, transferring data-residency governance to NDMO/SDAIA, while strengthening incident-response, supply-chain, and cloud-security requirements. Source: NCA
Saudi Arabia's first comprehensive data protection law took effect alongside its implementing regulations; a one-year grace period until 14 September 2024 was granted for full compliance while SDAIA activated its supervisory powers and breach-notification registry. Source: SDAIA
One week before enforcement, SDAIA issued detailed rules setting a 72-hour breach notification window, 30-day data-subject request deadlines, requirements for data-protection impact assessments (DPIAs), and a preliminary cross-border data transfer framework. Source: Clyde & Co / SDAIA
The Council of Ministers approved 27 amendments that narrowed the sensitive-data definition, replaced 'written consent' with 'clear consent', expanded legitimate-interest processing grounds, and granted SDAIA investigators explicit confiscation powers, while confirming the September 2023 enforcement date. Source: Akin Gump / Council of Ministers
A Royal Decree created the Saudi Data & Artificial Intelligence Authority (SDAIA) together with the National Data Management Office (NDMO) and the National Centre for AI (NCAI), making SDAIA the de facto data governance regulator and the body that would later administer the PDPL. Source: Saudi National Portal
The NCA's first ECC standard required government entities to host and store data on servers physically within Saudi Arabia, establishing the Kingdom's first statutory data-localisation requirement and setting mandatory baseline data-handling security controls. Source: NCA
King Salman issued Royal Order No. 6801 creating the NCA, directly linked to the Royal Court, with a mandate to protect critical infrastructure and government data. The NCA became the primary regulator for cybersecurity and data-handling standards until SDAIA's creation in 2019. Source: NCA
Saudi Arabia's first law addressing digital privacy criminalised unauthorised computer access, interception of personal data, and misuse of information networks; it carried penalties of up to one year's imprisonment and SAR 500,000 in fines, and served as the primary pre-PDPL privacy framework for 15 years. Source: WIPO Lex
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.