What is the Personal Data Protection Law (PDPL)?

In September 2021, the Kingdom of Saudi Arabia (KSA) introduced their first data protection law, the Personal Data Protection Law (PDPL) in the government’s Official Gazette.

Three years later, The KSA becomes the latest nation to join the list of countries with regulations on personal data use. On 13th September 2024, this law becomes fully enforceable.

So, what is included in this law? Who does it apply to? How does it compare with existing data protection legislation such as the General Data Protection Regulation (GDPR)?

Who and what will the PDPL apply to?

The PDPL will be applicable to the processing of personal data by companies or public entities which take place in the Kingdom of Saudi Arabia, or relate to the personal data of residents of the Kingdom by companies located outside the Kingdom.

How is personal data defined in the PDPL?

There are clear similarities between the PDPL and GDPR in how personal data is defined.

In Article 1(4) of the PDPL, the definition of personal data is any information through which an individual may be directly or indirectly identified. This includes their name, social security number, phone numbers, addresses, bank account and credit card details, and pictures. 

The PDPL also provides that “personal data” includes the data of a deceased person, if such data would lead to their identification or a family member’s identification.

What obligations on controllers does the PDPL introduce?

There are, as expected, obligations on controllers under the PDPL. These obligations range from choosing a processor who also gives effect to the provision of the PDPL, to provisions governing the engagement of any sub-processors.

Article 11(1) of the PDPL states that there must be a direct link to the controllers processing purposes for collecting data, so therefore, there is a purpose limitation imposed. If the purpose for collecting the personal data no longer persists, then the controller must stop collecting such data and dispose of any that it has without delay.

Like the GDPR, the PDPL provides a need for transparency. Controllers are required to put a privacy notice in place for data subjects to view prior to collection of their data. Likewise, controllers shall not process personal data without taking steps to check the accuracy, completeness and ensuring that it is purpose-specific. The PDPL also states that controllers are required to be aware of the consequences of their processing which means a Data Protection Impact Assessment (DPIA) is needed to evidence the processing of personal data.

The appointment of DPOs in the PDPL

The PDPL specifies that controllers are required to appoint a person or persons to implement the provisions of the PDPL which means the creation of a Data Protection Officer (DPO) if one does not already exist. This, of course, is very similar to the GDPR’s provisions.

(If your organisation requires a DPO, you can outsource this role to us here at DPAS. Click to learn more about our outsourced DPO services.)

What data subject rights does the PDPL provide?

Again, much like the GDPR, the PDPL provides rights for data subjects. It provides that requests from data subjects be responded to in a time period determined by the regulations. However, the controller may determine periods for exercising the right of access in accordance with what the competent authority deems as a reasonable period.

Additionally, damages are available to data subjects for material and non-material loss in relation to breaches of the PDPL and/or the regulations.

What does the PDPL provide relating to data security?

There are security and incident response measures in the PDPL – echoing the GDPR – as well as the requirement for controllers to inform a competent authority when they become aware of a data security breach.

What are the penalties for non-compliance and how do they compare to the GDPR?

The penalty in relation to the disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million, or approximately €728,800 (Article 35(1) of the PDPL).

Penalties under the PDPL are limited to a warning notice or a fine not exceeding SAR 5 million (approx. €1,214,958). Any of the fines may be increased to up to double the stated maximums for repeat offences (Articles 35(4) and 36(1) of the PDPL). The court may also order confiscation of funds gained as a result of violations of the law and/or require publication of the judgement at the offender’s expense.

Under the GDPR, there are two tiers of fines. The less severe infringements could result in a fine of up to €10 million, or 2% of the worldwide annual revenue from the preceding financial year, whichever amount is higher. If the infringement is more serious, this could reach a fine of up to €20 million, or 4% of the worldwide annual revenue from the preceding financial year, whichever amount is higher.

Complying with data protection law builds trust

Privacy law in the UK has long been seen as a way of earning trust of customers and others whose personal data is being processed. The PDPL aims to foster trust in the citizens of Saudi Arabia by ensuring that personal data is processed responsibly and securely.

By aligning with international standards, the PDPL provides robust safeguards for personal data, benefiting both individuals and organisations. As the enforcement date approaches, businesses must ensure compliance to avoid penalties and build trust with their stakeholders.

Looking for support with compliance?

For further information or assistance with compliance with the PDPL (or any other data protection legislation), contact our experts today. Our team of professionals have years of experience working internationally with multinational organisations, and are happy to help you achieve your compliance goals.

Get in touch with us by calling 0203 3013384, emailing us at info@dataprivacyadvisory.com, or by filling in a contact form. Our team will get back to you as soon as possible.

Navigating your data protection obligations can be complicated, so let us make it simple for you.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation