Saudi PDPL

Personal Data Protection Law

Royal Decree M/19Enforced — Fully enforceable 14 September 2024

Saudi Arabia's Personal Data Protection Law establishes comprehensive data protection requirements for all public and private sector organisations processing personal data. It mandates consent-based processing, 72-hour breach notification, cross-border transfer restrictions, and Data Protection Officer appointments, with extraterritorial reach to foreign entities processing Saudi residents' data.

30+

Articles

72h

Breach Notification

All

Sectors Covered

Sep 2024

Enforced

Implementation Timeline

16 September 2021

Royal Decree M/19 issued and published

27 March 2023

Amendments adopted (Royal Decree M/148)

14 September 2023

PDPL and Implementing Regulations came into effect

14 September 2024

Compliance grace period ended — fully enforceable

Who's In Scope

Public Sector

Saudi government agencies
Public authorities and entities
State-owned enterprises processing personal data

Private Sector

All private companies and businesses
Sole proprietors and non-profit entities
Any entity processing personal data in Saudi Arabia

Extraterritorial

Foreign organisations processing data of Saudi residents
Entities outside KSA targeting Saudi market

Key Requirements

Art. 2-3

Legal Basis & Consent

Establish lawful grounds for data processing, obtain explicit consent before collection and processing except where legally permitted.

Art. 20

Breach Notification

Notify SDAIA within 72 hours of becoming aware of a data breach affecting data subjects' rights or interests.

Art. 24

Processing Records

Maintain Registers of Processing Activities (RoPA) documenting all data processing operations.

Art. 28

Cross-Border Transfers

Only transfer personal data outside KSA when adequate safeguards exist, subject to SDAIA approval requirements.

Art. 30

Data Protection Officer

Appoint a Data Protection Officer to oversee PDPL compliance within the organisation.

Penalties & Enforcement

General PDPL Violations

SAR 5,000,000 (~EUR 1.2M)

Maximum administrative fine for non-compliance

Sensitive Data Disclosure

SAR 3,000,000 + 2 years imprisonment

Criminal offence for unauthorised disclosure with intent to harm

Repeat Violations

Double the stated maximum

Competent court may double fines, even exceeding stated caps

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for Saudi PDPL.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your Saudi PDPL compliance posture and build a practical roadmap.

Get Started

Saudi PDPL

Personal Data Protection Law

Royal Decree M/19Enforced — Fully enforceable 14 September 2024

Who's In Scope

Public Sector

Saudi government agencies
Public authorities and entities
State-owned enterprises processing personal data

Private Sector

All private companies and businesses
Sole proprietors and non-profit entities
Any entity processing personal data in Saudi Arabia

Extraterritorial

Foreign organisations processing data of Saudi residents
Entities outside KSA targeting Saudi market

Key Requirements

Art. 2-3

Legal Basis & Consent

Establish lawful grounds for data processing, obtain explicit consent before collection and processing except where legally permitted.

Art. 20

Breach Notification

Notify SDAIA within 72 hours of becoming aware of a data breach affecting data subjects' rights or interests.

Art. 24

Processing Records

Maintain Registers of Processing Activities (RoPA) documenting all data processing operations.

Art. 28

Cross-Border Transfers

Only transfer personal data outside KSA when adequate safeguards exist, subject to SDAIA approval requirements.

Art. 30

Data Protection Officer

Appoint a Data Protection Officer to oversee PDPL compliance within the organisation.

Penalties & Enforcement

General PDPL Violations

SAR 5,000,000 (~EUR 1.2M)

Maximum administrative fine for non-compliance

Sensitive Data Disclosure

SAR 3,000,000 + 2 years imprisonment

Criminal offence for unauthorised disclosure with intent to harm

Repeat Violations

Double the stated maximum

Competent court may double fines, even exceeding stated caps