KSA’s Personal Data Protection Law


Privacy and data protection are becoming one of the most critical issues of an era that is characterized by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state; the onus to have a robust privacy structure falls on organizations too. Several national laws to safeguard citizens’ privacy rights and the practical application of data protection rules in day-to-day businesses have been modelled after the European regime of data protection and privacy regulations. So, it is crucial to consider the Kingdom of Saudi Arabia’s new rules in light of the General Data Protection Regulation (GDPR). The cornerstone for the law’s effective implementation and operation in Saudi Arabia will be its main considerations, principles, and requirements.


The KSA’s New Personal Data Protection Law is designed to systematically protect the “personal data” of individuals. After a period of 180 days from the date of publication, the law will come into effect on 23 March 2022, and thus data controllers would have to ensure compliance with the law. The Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. The Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central Bank and other Information Technology ministries for the implementation of the PDPL. On September 24, 2021, the PDPL was released in the Saudi Arabian Official Gazette. It goes into effect in full on March 23, 2022. After that, Data Controllers have an additional year to comply with the PDPL, though this time frame may be extended. The PDPL will be supplemented by rules, which must be published by 23 March 2022 and will probably give more context and direction for the PDPL’s actual use.

Personal Data Protection Law


  • Privacy of personal data of residents of Saudi Arabia 
  • Streamline various sector-specific privacy laws under one single statute 
  • Regulate data sharing 
  • Prevent the abuse of personal data 
  • Develop digital Infrastructure 
  • Support innovation to grow a digital economy 
  • Align Saudi Arabia with international standards



The PDPL requires that organizations not process personal data without the consent of its owner except for the cases stipulated under the Draft Regulation.

Data Controller:

1. Controllers must adopt a data privacy policy, and the policy should be available to individuals to view before collecting their data.

2. If the Controller is collecting data directly from the data owner, it must inform him or her of:

   a) the legal basis for collecting data
   b) the purpose of collecting data
   c) the information of those who collect it
   d) informing the data subjects
   e) decision of cross border transfer of data

3. Data controllers must prepare, maintain and register data processing activities with SDAIA.

4. Breach incident must be notified ‘immediately’ to the SDAIA and data subjects.

5. Controllers must appoint at least one of their employees to be responsible for achieving compliance with the Law.

6. Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.

Cross Border Transfers 

KSA’s Personal Data Protection Law strictly stipulates that a cross-border data transfer may take place only after a strict impact assessment has been carried out to evaluate how secure the external location is. Additionally, written consent from the regulatory authority is also required.

Data Subject Rights

The rights of Data Subjects have been enumerated, including:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to destruction


The KSA PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned. For violating the cross-border data transfer requirements, there may be imprisonment for up to one year and/or a fine not exceeding SAR 1 million ($267,000). For violations of other provisions of the Saudi PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.


  • Compliance with data sovereignty regulations in cross-border transfer of data
  • Compliance with several other sectoral stakeholders and regulations (e.g. CITC, SAMA)
  • Operationalization and classification of data to mitigate any identified data sovereignty risks
  • The concepts of privacy and data protection have to be embedded in the approach of an organization
  • Vendor management
  • Compliance with international standardizations
  • Establishing robust Cybersecurity and privacy management
