Enforcement in the Kingdom is live, and it has teeth.
Saudi Arabia's PDPL, supervised by SDAIA, is fully in force with active enforcement. It combines GDPR-familiar structures with distinctly Saudi requirements around consent, data transfers, and registration, and it carries criminal exposure for unlawful disclosure of sensitive data.
At a glance
Who it catches
Any processing of Saudi residents' personal data, including by companies outside the Kingdom
Penalties
Fines up to SAR 5 million (roughly €1.2m), doubled for repeat violations, plus criminal liability for unlawful disclosure of sensitive data
Regulator
Saudi Data & Artificial Intelligence Authority (SDAIA)
Key concepts
Consent-centric processing, transfer restrictions with defined exceptions, controller registration
What it requires
The obligations that matter in practice.
- Consent as the default lawful basis, with narrow alternatives
- Privacy notices and processing records aligned to the implementing regulations
- Transfer assessments before personal data leaves the Kingdom
- Breach notification to SDAIA within the prescribed window
- A named privacy function where thresholds are met
FAQ
Common PDPL (Saudi Arabia) questions.
Yes. Processing the personal data of Saudi residents from abroad brings you into scope, and the transfer rules apply to data leaving the Kingdom regardless of where the recipient sits.
Start here
Tell us what you're dealing with.
Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.
Prefer to talk? Book a free 30-min callEmail: abhishek.adv@yahoo.com
LinkedIn: linkedin.com/in/abhishekbansiwal
Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.