Compliance & Data Protection

An Overview of Saudi Arabia's Personal Data Protection Law (PDPL)

Saudi Arabia's Personal Data Protection Law (PDPL) is one of the Kingdom's most significant recent regulatory frameworks. It governs how personal data is collected, processed, stored, and transferred. The Saudi Data & AI Authority (SDAIA) oversees the law and its Implementing Regulations. This article offers an introductory overview to help organisations understand their core obligations.

What is the PDPL?

The PDPL was issued by Royal Decree No. (M/19). Its purpose is to protect the privacy of individuals with respect to their personal data and to regulate how entities — public and private — handle that data. It is accompanied by Implementing Regulations that set out the practical rules for applying it.

Scope of application

The law generally applies to any processing of personal data that takes place within the Kingdom. Its effect may also extend to processing, carried out from outside the Kingdom, of the data of individuals residing in the Kingdom, subject to the applicable controls. "Personal data" covers any data that identifies an individual or makes them identifiable, with stricter rules for sensitive data.

Data subject rights

The law grants individuals a set of rights over their personal data, generally including:

  • The right to be informed of the legal basis and purpose for collecting their data.
  • The right to access their data held by the processing entity.
  • The right to request correction or updating of their data.
  • The right to request destruction of their data in the cases provided for by the law.

Obligations on organisations

Entities that process personal data should take practical steps toward compliance, which generally include:

  • Establishing a clear legal basis for each processing activity and documenting its purpose.
  • Maintaining transparent privacy policies and making them available to data subjects.
  • Implementing appropriate technical and organisational safeguards.
  • Regulating cross-border data transfers in line with the applicable controls.
  • Managing data subject consent and responding to their requests.

How we help

The Compliance Law Firm team helps organisations assess their compliance with the law, prepare privacy policies and the necessary documentation, and review processing and data-transfer activities. For advice tailored to your organisation, we would be glad to hear from you.

Disclaimer: This article is for general information only and does not constitute legal advice. The rules vary according to the facts; please refer to the official legal texts and obtain specialised legal advice before taking any action.