One year anniversary: Saudi Personal Data Protection Law
On 14 September 2024, Saudi Arabia’s Personal Data Protection Law became fully enforceable, causing a significant shift in the management of personal data across the Kingdom. One year on, the law is reshaping compliance expectations for both public and private sector entities, operating locally or from abroad, that process the personal data of individuals in Saudi Arabia.
Saudi Arabia’s Personal Data Protection Law (PDPL), issued under Royal Decree No. M/19 of 9/2/1443 H and amended by Royal Decree No. M/148 dated 5/9/1444 H, is the Kingdom’s first comprehensive data protection law. The PDPL was formally enacted on 14 September 2023, and organisations were granted a one-year grace period to prepare for compliance. The PDPL is supported by the Implementing Regulation, which expands upon and operationalises key requirements of the law. The PDPL is currently enforced and overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA).
Developments since full enforcement
- We have observed SDAIA responding promptly and forcefully to data subject complaints. Controllers have been asked to respond to complaints within short time periods and to provide supporting evidence to justify their position.
- SDAIA has issued a series of guidelines and rules available on SDAIA’s official Regulations and Policies page. These cover key areas such as privacy policy development, controller registration, cross-border data transfers, and the appointment of data protection officers, offering practical guidance and tools for organisations navigating the new regulatory landscape.
- Around the time of the enforcement deadline, SDAIA published the Regulation on Personal Data Transfer Outside the Kingdom (Data Transfer Regulation), which governs cross-border data flows, although the list of countries recognised as meeting the requirements for data transfers has not yet been confirmed.
- SDAIA issued a set of approved standard contractual clauses for data transfers.
Who must comply?
One of the defining features of the PDPL is its extraterritorial reach. The law applies to:
- Entities and individuals located within Saudi Arabia that process personal data by any means.
- Entities and individuals outside Saudi Arabia that process personal data of individuals located in the Kingdom.
The PDPL also applies to Saudi citizens, residents (whether temporary or permanent), visitors, tourists, and any other individuals physically present in the Kingdom. Unlike the GDPR, which limits its extraterritorial scope to specific activities such as offering goods or services or monitoring the behaviour of individuals, the PDPL applies to any processing of personal data of individuals in Saudi Arabia, which makes the law’s reach considerably broader.
For local and foreign businesses operating in Saudi Arabia, any activity involving the collection, use, storage, or transfer of personal data of individuals in Saudi Arabia must comply with the PDPL. This includes customer data, employee records, marketing databases, and any other personal data processed in business. Organisations must assess their data flows, update internal policies, and ensure they meet the PDPL’s requirements, even if their operations are based outside the Kingdom.
Key compliance obligations
The PDPL introduces a comprehensive framework for data protection. Below are several core obligations that businesses operating in Saudi Arabia should carefully consider.
- Controller registration: Controllers (i.e. entities that determine the purposes and means of processing personal data) must register on the National Data Governance Platform if they are a public entity, their primary activity involves personal data processing or if they process sensitive data (e.g. health information, biometric data, or criminal records).
- Legal basis for processing: Controllers must ensure that processing is carried out only where a legal basis exists. While consent is the default basis under the PDPL, other lawful bases include compliance with a legal obligation; contractual necessity (based on a prior agreement); and legitimate interests (excluding sensitive data). Unlike the GDPR, the PDPL does not require a separate legal basis for processing sensitive data, but additional safeguards apply.
- Indirect collection and disclosures: Personal data should generally be collected directly from the individual and used only for the specified purpose. If data is collected indirectly or used for a different purpose, a separate legal basis is required. The same applies to data disclosures, which must be supported by a legal basis. Certain disclosures are explicitly prohibited, such as those that threaten the security or interests of the Kingdom, obstruct the detection of crimes, or compromise the safety of individuals. The Implementing Regulation sets out additional requirements, including the obligation to document disclosure requests from public authorities.
- Privacy policies: Controllers must provide individuals with clear and accessible information at the time of data collection. Businesses should ensure their privacy policies are comprehensive, easy to understand, and available in Arabic and English, where appropriate.
- Marketing: Without prejudice to marketing rules under other applicable Saudi laws, controllers must obtain opt-in consent from individuals before processing personal data for direct-marketing purposes. The PDPL prohibits the use of sensitive data for marketing. In addition, businesses must ensure that individuals are provided with clear and accessible opt-out mechanisms.
- Cross-border transfers: While cross-border transfers are permitted under the PDPL, they must meet certain conditions, including ensuring the transfer does not conflict with the Kingdom’s national interests. Transfers to adequate countries are allowed, but SDAIA has not yet published an official list. Controllers must use SDAIA-approved Standard Contractual Clauses (SCCs) or other safeguards for transfers to non-adequate countries. The Data Transfer Regulation also requires a risk assessment prior to any transfer where safeguards such as SCCs are used, or where the transfer involves sensitive data on a continuous or large-scale basis.
- Data breach notifications: Similar to the EU’s GDPR, controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach that may cause harm to the personal data or the data subject, or that conflicts with the data subject’s rights and interests, and must inform affected individuals without delay.
- Processors: When engaging third parties to process personal data on their behalf, controllers must ensure that processors provide sufficient guarantees to protect personal data. They must also enter into a written agreement containing specific provisions, including a requirement to notify the controller without delay in the event of a data breach.
Embedding compliance into practice
Failure to comply with the PDPL and its Regulations can result in significant administrative fines and criminal penalties. Depending on the nature and severity of the violation, fines may reach up to SAR 5 million (approximately GBP 1 million), which may be doubled for repeat offences. The unauthorised disclosure or misuse of sensitive data could lead to imprisonment for up to two years.
To mitigate these risks, organisations should take proactive steps to embed data protection into their operations. This includes:
- Appointing a Data Protection Officer or equivalent to oversee PDPL compliance.
- Establishing a data protection governance framework with clearly defined roles and responsibilities.
- Implementing a Data Protection Policy aligned with the PDPL and the Regulations, including relevant procedures relating to data-subject rights, data retention, and data minimisation.
- Conducting data protection impact assessments for high-risk data processing activities.
- Maintaining personal data records documenting all processing activities, purposes, and legal bases. These records must be retained for five years after the relevant processing activity ceases.
- Providing regular training to employees, particularly in data-heavy departments such as HR, marketing, and IT, on PDPL requirements, internal policies, and best practices for handling personal data securely and lawfully.
Looking ahead
- The list of countries recognised as adequate for international data transfers has not yet been confirmed.
- SDAIA has not yet issued any public notice of sanctions for violations.
- Further guidance for overseas controllers may be issued.
- Enforcement may evolve from reacting to complaints to proactive investigations and audits.
Organisations should remain agile and adopt a mindset of continuous improvement. By aligning with SDAIA’s evolving expectations and embedding robust data governance into their operations, businesses can not only reduce legal, financial, and reputational risks but also position themselves to build trust and unlock opportunities for innovation and growth in an increasingly digital and data-driven economy.
To support compliance, organisations are encouraged to complete the CMS PDPL Health Check Questionnaire below, which provides a practical tool to assess current compliance and identify areas for enhancement.
Data Protection Health Checklist
For more information on data protection regulations in Saudi Arabia, contact our CMS experts.
Article co-authored by Hannah Torpey.