
Data & Privacy · Saudi Arabia


Comprehensive law: Personal Data Protection Law (PDPL), issued by Royal Decree No. M/19 (2021) and amended by Royal Decree No. M/148 (2023); enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA). Supplemented by the Implementing Regulations and the Regulation on Personal Data Transfer Outside the Kingdom.

Saudi Arabia has a comprehensive, GDPR-aligned data protection regime under the Personal Data Protection Law (PDPL), which entered into force on 14 September 2023 with full compliance required from 14 September 2024 after a one-year grace period. The national data protection authority is SDAIA, which issued the Implementing Regulations and a dedicated cross-border data transfer regulation, and operates enforcement committees that have begun imposing penalties.

Comprehensive law in force

The PDPL (Royal Decree M/19 of 2021, amended by M/148 of 2023) and its Implementing Regulations came into force on 14 September 2023; the one-year grace period ended 14 September 2024, after which all organizations processing personal data in the Kingdom must be fully compliant.

Supervisory authority

The Saudi Data and Artificial Intelligence Authority (SDAIA) is the regulator overseeing and enforcing the PDPL, issuing guidance (DPO appointment, privacy notices, data destruction/anonymization) and operating violation-review committees.

Scope and extraterritoriality

The law applies to any processing of personal data of individuals that occurs within the Kingdom, and to processing by entities located outside the Kingdom of personal data of individuals residing in Saudi Arabia.

Data subject rights

Individuals have GDPR-style rights including to be informed, access, rectification, erasure, data portability, objection, and to lodge complaints with SDAIA, plus the right to be notified of breaches posing high risk.

Cross-border transfers

The Regulation on Personal Data Transfer Outside the Kingdom, issued under Article 29 of the PDPL and updated on 1 September 2024, governs transfers through adequacy assessments of the destination jurisdiction, standard contractual clauses, binding common rules within a corporate group, and certification. Controllers must carry out a transfer risk assessment before relying on these mechanisms; SDAIA issued guidance on conducting such assessments in 2025.

Obligations, breach notice, and penalties

Core obligations include a lawful basis for processing, purpose limitation, security measures, accountability, appointment of a DPO where required, and data protection impact assessments (DPIAs); personal data breaches must be notified to SDAIA within 72 hours of becoming aware of them. General violations carry fines of up to SAR 5 million per violation, doubled for repeat offenses. Disclosing or publishing sensitive data in violation of the law, with intent to harm the data subject or obtain a personal benefit, is a criminal offense punishable by imprisonment of up to 2 years and/or a fine of up to SAR 3 million.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.