Saudi Arabia Personal Data Protection Law (PDPL)
Active SDAIA enforcement began in 2026 following the close of the regulatory grace period. With penalties reaching SAR 5 million per violation, the PDPL is now the highest-stakes compliance obligation for any organisation processing the personal data of Saudi residents. This guide covers every key obligation, timeline, and requirement you need to build a defensible PDPL programme.
Key PDPL obligations
Lawful Basis for Processing
Personal data may only be processed on a recognised lawful basis: explicit consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Consent must be freely given, specific, informed, and unambiguous — bundled consent is prohibited.
Data Subject Rights
Individuals have the right to access their data, request correction of inaccurate data, request erasure where processing is unlawful, object to direct marketing, and in certain circumstances request data portability. Controllers must respond within 30 days.
Data Protection Officer (DPO)
Organisations that process sensitive data at scale or conduct large-scale systematic monitoring must designate a DPO. The DPO oversees the compliance programme, maintains the RoPA, and acts as the primary contact with SDAIA.
Record of Processing Activities (RoPA)
Controllers must maintain an up-to-date inventory of every processing activity: purpose, legal basis, data categories, retention period, sharing arrangements, and cross-border transfer mechanisms. The RoPA must be available for SDAIA inspection.
Breach Notification (72 hours)
A personal data breach that creates a risk to data subjects must be reported to SDAIA within 72 hours of detection. Where the risk to individuals is high, affected data subjects must also be notified without undue delay. Breach records must be maintained.
Cross-border Transfer Controls
Transfers of personal data outside Saudi Arabia require one of the following: the destination is on SDAIA's approved country list, SDAIA has granted specific approval for the transfer, or another lawful transfer mechanism applies. Ad-hoc international transfers without a legal basis are prohibited.
Consent Requirements
Where consent is used as the lawful basis, it must be explicit, specific, informed, and withdrawable at any time. Consent cannot be bundled with terms of service. Withdrawal of consent must be as easy as granting it, and withdrawal does not affect the lawfulness of prior processing.
Data Retention Limits
Personal data must not be retained beyond the period necessary for the stated processing purpose. Controllers must define and document retention periods in the RoPA and implement automated or manual deletion processes. Sensitive data has shorter default limits.
Who is in scope for PDPL compliance
| Category | PDPL position |
|---|---|
| Saudi-based organisations | In scope for all personal data they collect or process, regardless of data subject location. |
| Foreign organisations | In scope when processing personal data of individuals located in Saudi Arabia, even if the organisation has no Saudi presence. |
| All data controllers | Any entity that determines the purpose and means of personal data processing. No turnover threshold or size exemption. |
| Sensitive data controllers | Health, genetic, biometric, financial, religious, and criminal data carry enhanced obligations: stricter consent requirements, shorter retention defaults, and mandatory DPO-level oversight. |
| Data processors | Third parties processing data on behalf of a controller must operate under a written contract binding them to PDPL-compliant standards. |
| Personal / household processing | Exempt — processing for purely personal or family purposes with no commercial or professional element. |
PDPL vs GDPR — key differences
Many Saudi organisations operate internationally or have European counterparts. Understanding how PDPL compares to the EU General Data Protection Regulation helps teams scope programmes efficiently and identify gaps where the laws diverge.
| Topic | Saudi PDPL | EU GDPR |
|---|---|---|
| Regulator | SDAIA (Saudi Data and AI Authority) | National DPAs (e.g. ICO, CNIL, BfDI) |
| Lawful basis options | Consent, contract, legal obligation, vital interests, public task, legitimate interests | Same six bases (Art. 6 GDPR) |
| Breach notification to regulator | 72 hours to SDAIA | 72 hours to DPA (Art. 33) |
| Data subject response deadline | 30 calendar days | One month, extendable to 3 months |
| DPO requirement | Required for large-scale/sensitive processing | Required for large-scale/sensitive processing (Art. 37) |
| DPIA requirement | Risk assessment obligation (no formal DPIA mandate by name) | Mandatory DPIA for high-risk processing (Art. 35) |
| Cross-border transfers | SDAIA-approved country list or specific SDAIA authorisation | Adequacy decision, SCCs, BCRs, or derogations |
| Maximum administrative fine | SAR 5 million per violation | EUR 20 million or 4% of global turnover (whichever is higher) |
| Small-business exemption | None specified | Reduced obligations for fewer than 250 employees in some areas |
| Consent for sensitive data | Explicit opt-in mandatory | Explicit consent mandatory (Art. 9) |
How GRC Vantage automates PDPL compliance
PDPL control library mapped to obligations
GRC Vantage ships a pre-built PDPL control framework aligned to every PDPL article and Implementing Regulation clause. Each control carries a description, evidence template, and ownership workflow so your team can demonstrate compliance without building the library from scratch.
DPO workflow and RoPA builder
The built-in Record of Processing Activities (RoPA) builder guides your DPO through each processing activity — legal basis, data categories, retention period, third-party sharing, and cross-border transfer mechanism — and produces a SDAIA-ready output. Audit trail included.
Breach notification workflow with 72-hour timer
When a breach is logged, GRC Vantage starts the 72-hour SDAIA notification clock, assigns investigation tasks, and drafts the notification with required fields pre-filled. Integrated escalation ensures the right people are alerted the moment a breach is declared.
Frequently asked questions
- What is the Saudi PDPL?
- The Saudi Personal Data Protection Law (PDPL) is the Kingdom's primary data privacy statute, issued by Royal Decree M/19 in 2021 and governed by the Saudi Data and AI Authority (SDAIA). It establishes the legal framework for how personal data of Saudi residents may be collected, processed, stored, shared, and transferred, setting rights for data subjects and obligations for data controllers. The 2024 Implementing Regulations clarified cross-border transfer controls, DPO requirements, and sensitive-data handling rules.
- Who does the Saudi PDPL apply to?
- The PDPL applies to any entity — private sector, government, or non-profit — that collects or processes personal data of individuals located in Saudi Arabia, regardless of where the organisation itself is based or where the processing occurs. Foreign entities that target Saudi residents or monitor their behaviour are also in scope. Purely personal or household processing is exempt.
- What are the penalties for PDPL non-compliance?
- Administrative penalties reach SAR 5 million per violation for serious breaches, including unlawful processing of sensitive data, failure to notify SDAIA of a personal data breach, or unauthorised cross-border transfers. Repeat violations can double the fine. Criminal liability applies for intentional misuse of personal data for personal gain or to cause harm.
- When did PDPL enforcement start?
- The PDPL was enacted in 2021 with a two-year grace period. SDAIA published the Implementing Regulations in 2023 (effective 2024) with a further transition period for cross-border transfer controls. Full active enforcement — including penalty proceedings — began in 2026 following the close of the grace period. Saudi organisations that delayed their compliance programmes are now directly exposed.
- What is a DPO and when is one required under the PDPL?
- A Data Protection Officer (DPO) is the individual accountable for managing a data controller's privacy compliance programme, including the Record of Processing Activities (RoPA), data subject rights fulfilment, and breach response. Under the PDPL Implementing Regulations, a DPO (or equivalent privacy function) is required when an organisation conducts large-scale systematic processing of personal data, processes sensitive data categories as a core activity, or operates as a data controller with significant impact on data subjects. Public authorities and entities processing sensitive data at scale are most clearly in scope.
- How does the PDPL compare to GDPR?
- The PDPL shares GDPR's foundational architecture — lawful basis, data subject rights, breach notification, and controller accountability — but differs on several points. PDPL breach notification runs to SDAIA within 72 hours (matching GDPR), but data subject notification timelines differ. PDPL does not mandate a formal Data Protection Impact Assessment (DPIA) by name, though risk assessment obligations exist. Consent under PDPL requires an explicit opt-in with no bundling, broadly aligned with GDPR. Cross-border transfer controls are stricter in some respects — Saudi law requires either SDAIA approval or a transfer to an approved country list. Unlike GDPR, PDPL applies to processing of Saudi residents' data without a turnover-based small-business exemption.
Build your PDPL compliance programme with GRC Vantage
The complete PDPL control library, RoPA builder, 72-hour breach notification workflow, and DSAR management are pre-loaded in GRC Vantage. Hosted inside Saudi Arabia for data residency. Book a demo or run your free readiness assessment today.