PDPL — Saudi Arabia’s Personal Data Protection Law Explained (2026 Guide)
The Saudi PDPL is the national law regulating personal data handling. Promulgated by Royal Decree in September 2021, it took effect on 14 September 2023, followed by a one-year compliance grace period ending 14 September 2024. Its purpose is to protect individuals’ privacy by imposing rules on how organizations collect, use, store, and share personal data. The PDPL covers personal data (any information relating to an identifiable person) and sensitive personal data (special categories such as health, genetic, biometric, religious, and sexual-orientation data), which require stricter safeguards. The law applies broadly to “controllers” (entities that decide the purpose of processing) and “processors” (entities handling data on a controller’s behalf), in both the public and private sectors. In effect, PDPL establishes legal bases for processing (primarily consent, alongside other grounds), privacy policy requirements, data security obligations, data subject rights, and limits on data retention. It aligns closely with international standards (notably the EU GDPR) but is tailored to Saudi law and culture.
PDPL’s reach is broad. It applies to any entity (public or private) that processes the personal data of individuals residing in Saudi Arabia, regardless of where the entity is located. For example, a foreign e-commerce website serving Saudi customers or a multinational company processing data of Saudi employees must comply. The law explicitly includes “sensitive personal data” and even covers data of deceased individuals if it can identify them or their families. This means payroll files, customer databases, patient records, etc., all fall under PDPL if they involve Saudi individuals.
PDPL is comprehensive but not absolute. It explicitly excludes purely personal or domestic processing. For example, a private individual storing family photos or a home address book for personal reasons would not trigger PDPL obligations. The law also does not apply to situations covered by other special laws (e.g., state security, criminal investigations, judicial activities), though the exact boundaries depend on implementing regulations yet to be released. Notably, PDPL does not carve out employment data or B2B marketing as separate categories. All personal data processing requires consent or another legal basis, regardless of context.
PDPL is built on familiar data privacy and protection principles, many of which mirror the GDPR’s core tenets. Organizations acting as data controllers must embed these principles into their processing activities:
Personal data must be handled lawfully and fairly. Controllers need a valid legal basis (usually the data subject’s consent under PDPL, or one of the other grounds added by later amendments) for each processing activity, and they must inform data subjects why they collect data and how it will be used.
Data must be collected only for specified, explicit purposes and not used beyond those purposes. Likewise, only necessary data should be collected (the “data minimization” principle). Organizations should audit their data inventory to stop gathering unnecessary fields.
PDPL obligates controllers to keep personal data accurate, complete, and up to date, and to delete or anonymize data once it’s no longer needed for the original purpose. This means periodic data purges and updates are required to prevent data hoarding.
Controllers (and their processors) must implement appropriate organizational, administrative, and technical safeguards to protect data. This covers measures like encryption, access controls, breach detection, and incident response plans. The principle of accountability means organizations must document their compliance (e.g., records of processing activities) and be prepared to demonstrate it to regulators.
PDPL even requires controllers to select only third-party processors that can guarantee PDPL compliance and to oversee those vendors. These requirements ensure that both internal teams and external partners handle data responsibly.
PDPL mandates proactive transparency. Entities must publish clear privacy notices before collecting any personal data. These policies must explain the purposes of collection, what data is collected, how it will be stored and processed, retention periods, and the data subject’s rights (among other details).
If data is collected directly from the individual, controllers must explicitly inform them of the legal basis for processing, whether each data field is mandatory, any third parties receiving the data, and more. In effect, individuals should never be “in the dark” about why their data is needed or how it’s handled.
A proactive compliance approach transforms a regulatory challenge into a strategic asset. When each processing operation “respects the fundamental rights of individuals while enabling the company to pursue its business objectives,” compliance becomes a competitive edge.
PDPL grants individuals a suite of data subject rights, empowering them to control their personal information. These include:
Data subjects have the right to know who is collecting their data, why it’s being collected, how it will be used, and whether it will be shared or sold. This ties back to the mandatory privacy notices.
Individuals can request access to all personal data an organization holds about them. They can also ask for inaccuracies to be corrected or for their data to be deleted if it’s no longer needed or was collected with consent that has been withdrawn. Under PDPL, controllers must respond to these subject access requests within 30 days, providing the data or making corrections.
Consent under PDPL is freely given but revocable. Data subjects may withdraw their consent at any time, forcing the controller to cease processing (unless another legal ground applies). Importantly, consent cannot be a precondition for providing a service unless it directly relates to that service. Controllers must inform data subjects of this right (e.g., “You can withdraw consent at any time” in the privacy notice).
While PDPL does not carve out new “rights” unique to sensitive personal data, it does treat sensitive data more strictly. Disclosing or processing sensitive data without authorization can trigger severe penalties (see Penalties section).
Data subjects also have a general “right to limit processing” for special cases, although PDPL did not explicitly codify this right. It is, however, recognized in official FAQs. This means, for example, that a person can object to unnecessary profiling or ask a controller to suspend certain types of data use, subject to regulatory guidance.
PDPL permits cross-border data transfers only when they are necessary, lawful, and properly protected. Organizations must document a valid legal basis, assess risks in the recipient country, and apply safeguards such as contractual protections, encryption, and access controls. Records of transfer decisions should be maintained to demonstrate compliance with SDAIA.
Controllers remain fully accountable under PDPL and must ensure processors and third parties follow documented instructions, implement security measures, and report breaches promptly. Processors cannot reuse or transfer data without authorization. Effective vendor risk management is essential to reduce compliance and security risks.
The PDPL was published in the Official Gazette in September 2021, but its effective date was set to 14 September 2023. The Saudi Data & AI Authority (SDAIA) immediately allowed a one-year grace period, so organizations had until 14 September 2024 to fully comply. During this year, PDPL provisions were not yet strictly enforced, giving businesses time to prepare policies, systems, and training. (Notably, foreign entities had up to five years under earlier drafts, but the amendments brought global firms processing Saudis’ data within the same timeline to ensure prompt compliance.)
Saudi Data & Artificial Intelligence Authority (SDAIA) is the designated regulator for PDPL. SDAIA has broad powers to supervise implementation: it can request compliance documents, conduct inspections, and eventually enforce penalties. Officially, SDAIA will oversee PDPL enforcement for the first two years before potentially handing over to a new National Data Management Office (NDMO). Organizations should treat SDAIA as the point of contact for any reporting or queries.
PDPL violations carry serious penalties. For most breaches (failure to follow principles, processing without consent, etc.), PDPL authorizes a warning or a fine up to SAR 5,000,000 (≈USD 1.33M). Repeat offenses can double the fine. Publishing or disclosing sensitive personal data unlawfully is especially harsh: it can result in fines up to SAR 3,000,000 and/or up to 2 years in prison.
Both organizations and responsible individuals (e.g., directors) can be held liable for sensitive data breaches. Note that after amendments, criminal sanctions were mostly limited to sensitive data offenses; other violations incur only fines or warnings.
In addition to legal penalties, non-compliance risks reputational damage, loss of customer trust, and exclusion from government contracts. The lesson: PDPL compliance is mandatory, and breaches are costly.
Organizations subject to PDPL should adopt a structured compliance program. Key steps include:
With PDPL rooted in international norms, there are notable similarities to the EU GDPR and other privacy frameworks.
Both PDPL and GDPR emphasize core principles like lawfulness, purpose limitation, data minimization, security, and accountability.
They grant similar data subject rights (access, correction, deletion, portability) and require transparency through privacy notices. Both regimes also impose strict penalties for breaches and demand data breach notifications.
However, there are key differences. For example,
For international companies, these differences underscore the need for a unified compliance strategy. Adopting a single privacy governance framework that addresses all applicable laws (GDPR, PDPL, CCPA, etc.) is often more efficient than siloed efforts.
People often think PDPL is just about avoiding fines. However, at DPO Consulting, we believe it’s a chance to strengthen your organization’s data governance and reputation.
By respecting privacy rights and securing data, companies build customer trust and a competitive advantage. A robust PDPL compliance program can improve data quality, reduce breaches, and unlock new digital business opportunities in Saudi Arabia. Remember: data compliance goes hand-in-hand with innovation and business value.
For organizations navigating this new regulation, expert help can make a difference. DPO Consulting’s multi-regulatory compliance services specialize in aligning international data privacy laws, including PDPL, into one coherent program. Whether you need a privacy audit, policy templates, training, or an outsourced DPO, there are resources to guide you. The transition to PDPL compliance can be smooth with the right partners and a proactive approach.
Get in touch with our experts to learn more about how we can help you!
Yes. PDPL has an extraterritorial scope. It explicitly covers any public or private organization (even if outside Saudi Arabia) that processes personal data of individuals in Saudi Arabia. Foreign businesses serving Saudi customers or employing Saudi nationals must therefore comply with PDPL. (An earlier draft allowed a five-year delay for overseas firms, but in practice, all processors of Saudis’ data are expected to align by the compliance deadline.)
“Sensitive personal data” under PDPL includes categories like health information, genetic or biometric data, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual orientation, and criminal records. In short, any data revealing intimate aspects of a person’s identity is sensitive.
Yes. PDPL states that individuals may withdraw their consent to data processing at any time. When consent is withdrawn, the controller must stop processing that person’s data (unless there’s another legal justification, such as a contractual obligation or vital interest). Practically, this means organizations should implement easy ways for users to withdraw consent (e.g., an “unsubscribe” link or a data control panel) and have processes to delete or stop using the data promptly once consent is revoked.
Fully anonymized data (irreversibly de-identified so individuals cannot be identified) falls outside PDPL, as it is not “personal data.” However, pseudonymized data (where identifiers are replaced with codes but could be re-linked) is still treated as personal data under PDPL. In general, if there is any reasonable way to re-identify the person, the data are protected by PDPL, and all rules apply.
PDPL requires prompt notification. Controllers must inform the Saudi regulator (SDAIA) “no later than 72 hours” after becoming aware of a personal data breach. The notification must include details of the breach and mitigation steps. Additionally, if the breach poses a high risk to data subjects, the controller must inform the affected individuals without undue delay. It’s best practice to have a breach-response plan ready well before any incident.
Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.
External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.
Choosing the right partner provides the advantage of impartiality and adherence to industry standards, and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes the burden away from in-house staff, while considerably reducing company costs.