Implementing Saudi Arabia's personal data protection law

27 September 2023 6 min. read

The Kingdom of Saudi Arabia has recently taken a significant step towards bolstering data privacy with the introduction of the Personal Data Protection Law (PDPL). Kamran Ahmed from ECOVIS Al Sabti walks through the main pillars of the new law and outlines how companies can prepare successfully.

On September 7, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) unveiled the Implementing Regulations to the Personal Data Protection Law (PDPL), providing clarity on the measures that organizations need to adopt for compliance before the end of the 12-month grace period. Full enforcement of the PDPL should start from 14 September, 2024.

The Implementing Regulations and the Personal Data Transfer Regulations both expand on the general principles and obligations outlined in the PDPL (amended in March) and introduce new compliance requirements for data controllers.

Implementing Saudi Arabia's personal data protection law

Who needs to comply with the law?

Material Scope
The PDPL applies to the processing of personal data and sensitive personal data concerning individuals residing in Saudi Arabia. Remarkably, it extends its provisions to cover the personal data of deceased individuals if this data could potentially identify the deceased or any of their family members.

Importantly, personal data processing for purely domestic purposes falls outside the scope of the PDPL.

Territorial Scope
Both public and private organizations come under the PDPL's purview. It applies to any entity, whether domestic or foreign, that processes personal data related to individuals in Saudi Arabia. Therefore, even foreign organizations handling data of Saudi residents are subject to the PDPL's jurisdiction.

Key requirements introduced by the regulations

The recently published Implementing Regulations provide detailed guidelines for data protection compliance under the PDPL. Some of the key requirements introduced by these Regulations:

Adequacy System for Data Transfers
The Personal Data Transfer Regulations establish a framework for transferring personal data outside Saudi Arabia to countries that meet SDAIA's criteria for data protection adequacy. While the list of "adequate" countries is yet to be unveiled, there are provisions for transfers to non-adequate countries, including the use of Binding Corporate Rules, standard contractual clauses, and certificates of compliance.

Additional Bases for International Data Transfers
The Regulations introduce alternative legal bases for transferring personal data outside of Saudi Arabia, such as when providing services or benefits to data subjects or facilitating operational processes essential to the controller's activities.

Consent becomes a cornerstone of data processing. It must be freely given, with specific, clear purposes. Explicit consent is required for sensitive data, credit data, and decisions solely based on automated processing.

Legitimate Interest Basis
Controllers must adhere to specific conditions when relying on legitimate interests as the legal basis for processing personal data, including a meticulous balance between data subject rights and the controller's legitimate interests.

Data Processors
Controllers must establish agreements with third-party processors, outlining key information, including breach notification commitments and the engagement of subcontractors. Controllers are responsible for verifying the processor’s PDPL compliance.

Data Subject Rights
The Regulations detail data subject rights and impose a 30-day response timeframe. An extension of an additional 30 days is possible under specific circumstances, contrasting with the GDPR’s potentially lengthier timelines.

Data Breach Notifications
Controllers must notify SDAIA of personal data breaches within 72 hours of awareness and inform data subjects promptly. Reporting thresholds align with the potential harm to personal data or data subjects’ rights and interests.

Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) are required in various scenarios, such as processing sensitive data or making decisions based on automated processing. Minimum DPIA content is also specified.

Advertising and Direct Marketing
Consent is mandatory for processing personal data for advertising and direct marketing purposes, with user-friendly mechanisms for opting out.

Data Protection Officers
The Regulations define conditions necessitating the appointment of Data Protection Officers (DPOs), whose roles are pivotal in data protection compliance.

National Register of Controllers
The reintroduction of the requirement for registering controllers with SDAIA aims to enhance transparency.

Record of Processing Activities
Controllers must maintain a Record of Processing Activities (ROPA) during and post-processing activities, encompassing a description of implemented measures.

What should companies do next?

The PDPL’s grace period provides organizations with a year to ensure full compliance, beginning on September 14, 2023. To navigate this journey effectively companies should follow-up on seven steps:

Assess Data Processing Activities
Evaluate data processing activities concerning Saudi Arabia and comprehend the PDPL and Regulations' implications.

Secure Senior Management Buy-In
Garner support from senior management, emphasizing the risks associated with non-compliance.

Review and Update Policies
Revisit and update policies, processes, and contracts to align with new obligations, particularly statutory response deadlines.

Determine DPO Necessity
Assess whether a Data Protection Officer is required and ensure a timely appointment.

Document and Maintain Records
Document personal data, maintain a Record of Processing Activities, and adhere to governance requirements.

Implement Breach Policies
Develop or revise security breach policies and procedures to meet reporting deadlines.

Train Personnel
Train employees on PDPL principles, embedding data protection within the organizational culture.


The new Saudi PDPL and its accompanying Regulations bring about significant changes in data protection compliance. Organizations operating in or with Saudi Arabia must proactively prepare and adapt to ensure compliance while safeguarding individuals’ data privacy rights.