Personal Data Protection Law (PDPL) Saudi Arabia

Overview

Saudi Arabia's Personal Data Protection Law (PDPL) establishes rules for collecting, processing, storing, and protecting personal data. First enacted in September 2021 and amended in April 2023, the law enhances privacy rights for individuals while setting clear obligations for businesses handling personal data. The Implementing Regulations of the Personal Data Protection Law (PDPL) provide additional detailed obligations and compliance measures for businesses. Additionally, the Regulation on Personal Data Transfer Outside the Kingdom establishes guidelines for transferring personal data internationally while maintaining privacy standards mandated by the PDPL.


Regulation Summary

Timeline
  • Enacted: September 2021
  • Amended: April 2023
  • Effective Date: March 2024
What Businesses Are Affected
  • Entities operating in Saudi Arabia that process personal data.
  • Foreign businesses processing the personal data of individuals residing in Saudi Arabia.
Exemptions
  • Personal or household data processing for non-commercial use.
  • Data processing by public authorities for security, defense, or judicial purposes.
Responsibilities for Businesses
  • Obtain explicit consent before processing personal data.
  • Clearly inform individuals about data collection, purpose, and retention periods.
  • Explain the purpose and legal basis for processing personal data.
  • Respond to data subject requests within 30 days.
  • Implement security measures to prevent unauthorized access and breaches.
  • Report data breaches to the competent authority within 72 hours.
  • Conduct Data Protection Impact Assessments (DPIAs) to evaluate risks.
  • Appoint a Data Protection Officer (DPO) for large-scale or sensitive data processing.
Specific Responsibilities for Website Owners
  • Publish a privacy policy explaining how data is collected and used.
  • Implement cookie consent mechanisms for tracking technologies.
  • Provide users with an option to withdraw consent at any time.
Additional Requirements
  • Cross-border data transfers are restricted, except when:
    • The recipient country offers adequate protection.
    • The transfer is legally required or contractually necessary.
    • The transfer serves the public interest.
  • Data Protection Officer (DPO) may be required for businesses handling large amounts of personal data.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Correction: Users can update or correct inaccuracies.
  • Erasure: Data subjects may request deletion of their data.
  • Portability: Personal data can be transferred to another provider.
  • Objection: Individuals can object to data processing for marketing or profiling.
Enforcement
  • Regulatory Authority: For the first two years, the Saudi Data & Artificial Intelligence Authority (SDAIA) will oversee the implementation of the PDPL. After this period, the National Data Management Office (NDMO) will assume regulatory authority over the law.
  • Penalties: Non-compliance can result in fines of up to SAR 5 million (~$1.3 million USD). Unauthorized disclosure of sensitive data can result in up to 2 years' imprisonment or a fine of up to SAR 3 million (~$800,000 USD). Penalties may be doubled for repeat violations.

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Email: support@clym.io
Phone: +1 980 446 8535 or +1 866 275 2596