Topics

Personal Data Protection Law (PDPL)

نظام حماية البيانات الشخصية

Overseen by: Saudi Data and AI Authority (PDPL) · Last reviewed: 27 محرّم 1448هـ (13 July 2026)

In brief

Saudi Arabia's Personal Data Protection Law (PDPL) is the Kingdom's comprehensive data-protection framework, issued by Royal Decree M/19 (2021) and amended by M/148 (2023). It governs how controllers and processors collect, use and transfer personal data, is overseen by SDAIA, and carries fines of up to SAR 5 million, plus imprisonment for the unlawful disclosure of sensitive data.

Who must comply

  • Any entity carrying out any processing of the personal data of individuals within the Kingdom, by any means.
  • Extraterritorial reach: entities located outside the Kingdom that process the personal data of individuals residing in the Kingdom are also subject to the Law.
  • Both public- and private-sector controllers and processors are in scope; the Law also covers the data of deceased persons where it could identify them or a member of their family.

Penalties

  • Disclosing or publishing sensitive personal data with intent to harm the data subject or to gain a benefit (Article 35) — imprisonment for up to 2 years and/or a fine of up to SAR 3 million.
  • Other violations of the Law or its Implementing Regulations (Article 36) — a warning or a fine of up to SAR 5 million.
  • On a repeat violation the fine may be doubled, provided it does not exceed double the maximum — up to SAR 10 million on the Article 36 fine.

Effective dates

  • Issued by Royal Decree No. M/19 dated 9 Safar 1443 AH (16 September 2021).
  • Amended by Royal Decree No. M/148 dated 5 Ramadan 1444 AH (27 March 2023).
  • The Law entered into force on 14 September 2023 — 720 days after publication in the Official Gazette.
  • SDAIA issued the Implementing Regulations on 7 September 2023.
  • Controllers were given a one-year (Hijri) transition period; full enforcement began on 14 September 2024.

How to comply

  1. Map your data flows: identify the personal data you collect, its legal basis, purpose, retention period, and where it is stored or transferred.
  2. Establish a lawful basis for each processing activity and obtain valid, informed consent where it is required.
  3. Publish a privacy notice and honour data-subject rights — access, obtaining a copy, correction, and deletion.
  4. Implement technical and organizational safeguards proportionate to the sensitivity of the data, and stand up a breach-notification process to SDAIA and affected individuals.
  5. For cross-border transfers, meet the Article 29 conditions and SDAIA's transfer safeguards, and transfer only the minimum data necessary.
  6. Maintain a record of processing activities and an obligations register mapping each PDPL and Implementing-Regulation duty to an owner, evidence and review date.

Track every obligation in one place

Bawadir's Compliance tier turns a topic like this into a downloadable obligations register — every requirement, owner, deadline and source in one Excel workbook.

See the Compliance tier →

Latest updates on this topic

Official sources

Some official pages are rendered dynamically and may need a browser to open.

Questions & answers

What is the PDPL and who enforces it?

It is Saudi Arabia's comprehensive data-protection framework, issued by Royal Decree M/19 (9 Safar 1443 AH, 16 September 2021) and amended by M/148 (5 Ramadan 1444 AH, 27 March 2023). It is administered and enforced by SDAIA.

When did enforcement start?

The Law entered into force on 14 September 2023 (720 days after gazette publication). Controllers were given a one-year transition, so full enforcement began on 14 September 2024.

What are the penalties for breaking the PDPL?

Disclosing or publishing sensitive personal data (with intent to harm or gain) can bring up to 2 years' imprisonment and/or a fine of up to SAR 3 million. Other violations draw a warning or a fine of up to SAR 5 million, which may be doubled to SAR 10 million on repeat.

Does the PDPL apply to companies based outside Saudi Arabia?

Yes. It has extraterritorial reach — any entity outside the Kingdom that processes the personal data of individuals residing in Saudi Arabia is subject to the Law.

Can I transfer personal data outside the Kingdom?

Only under the Article 29 conditions and where the destination provides an adequate level of protection, transferring the minimum data necessary and without compromising national security.

Subscribe to the daily brief

Stay current — one brief, every working morning.

This page is a reference summary compiled from official sources — it is not legal advice. The authoritative text is always the original instrument; always verify against the official source before acting.

Compiled by Bawadir from the cited official Saudi sources, cross-referenced with the daily regulatory record. Reviewed and dated below. Last reviewed: 27 محرّم 1448هـ (13 July 2026)