
Saudi Sovereignty.

Personal Data Protection Law (PDPL) under SDAIA. The Kingdom's comprehensive framework for data sovereignty and privacy.

Maximum Fine: SAR 5M (Per Violation Instance)
Regulator: SDAIA (Data & AI Authority)
Localization: Strict (Sovereignty Mandate)
DPO: Mandatory (For High-Risk Processing)
Royal Decree M/19

PDPL Framework

The Personal Data Protection Law (PDPL) came into force in September 2023, establishing Saudi Arabia's first comprehensive data protection framework. It is administered by the Saudi Data & Artificial Intelligence Authority (SDAIA).

The law applies to any processing of personal data within Saudi Arabia, as well as processing outside the Kingdom if it relates to Saudi residents. It covers both public and private sector entities.

PDPL emphasizes data sovereignty with strict localization requirements for sensitive data, particularly governmental and health-related information.

Core Principles

Art. 5: Lawful Basis

Processing must have legitimate purpose and legal basis

Art. 6: Transparency

Clear disclosure of identity, purpose, and rights

Art. 10: Purpose Limitation

Data used only for specified collection purposes

Art. 11: Data Minimization

Limited to what is necessary for stated purposes

Art. 12: Accuracy

Ensure data is accurate, complete, and up to date

Art. 19: Security

Implement appropriate technical and organizational measures

Chapter 4

Data Subject Rights

Right to Information

Know identity of controller and purpose of processing

Right to Access

Obtain copy of personal data being processed

Right to Correction

Request rectification of inaccurate data

Right to Destruction

Request deletion when no longer necessary

Right to Restriction

Limit processing in certain circumstances

Right to Complaint

Lodge complaints with competent authority

Supervisory Authority

SDAIA Mandate

The Saudi Data & Artificial Intelligence Authority (SDAIA) serves as the comprehensive regulator for both data protection and AI governance. This unified approach positions Saudi Arabia uniquely in the global regulatory landscape.

Enforcement

Investigate violations and impose penalties

Registration

Maintain controller registration requirements

Guidance

Issue implementing regulations and guidelines

Cross-Border

Approve international data transfers

Compliance Requirements

Controller Registration

Entities processing personal data must register with SDAIA

Privacy Notice

Clear disclosure of processing purposes and data subject rights

Data Localization

Sensitive data must be stored within Saudi Arabia

Breach Notification

Report breaches to SDAIA and affected individuals

KSA-India Data Corridor

Navigate the complexities of data transfers between Saudi Arabia and India under PDPL and DPDPA frameworks.
