The Saudi Arabia Personal Data Protection Law (PDPL) governs how businesses operating in the country collect, use, store, transfer, share, and update data about residents of the kingdom. With few exceptions, personal data cannot be processed without the consent of the user/data owner, and the purpose of the processing cannot be changed. The Saudi Data and Artificial Intelligence Authority is responsible for issuing licenses to organizations whose activities fall under the purview of the PDPL.
To comply with PDPL, businesses need to manage:
Data handling policies: Set clear policies for handling personal data
Consent: Obtain clear consent before collecting data
Data protection: Protect personal data from breaches
Transparency: Provide transparency about data collection and usage
Consumer rights: Allow individuals to exercise their rights regarding their data
Saudi Arabia’s PDPL applies to businesses that operate in the country and requires that they collect, use, share, store, update, or transfer data about Saudi Arabians only for the purpose of providing goods and services or for monitoring the behavior of website visitors.
Like most other data protection laws, the Saudi Arabia PDPL applies to businesses even if they do not have a physical presence in the country.
The PDPL grants Saudi residents rights over their personal data that are very similar to those set forth in other privacy laws, such as the GDPR. Among these are the rights to:
Request access to their personal data and information on how it is being processed
Rectify inaccuracies in their data
Request the deletion of their personal data, with certain exceptions
Request to know the legal basis and purpose for collecting their data
Object to processing of their data under certain circumstances
The PDPL requires businesses to process personal data (including data collected through cookies) with user consent, except under limited circumstances.
Non-compliance with Saudi Arabia's PDPL can result in significant penalties, including fines, imprisonment, and compensation claims. Violations may lead to fines of up to SAR 5 million (1.3 million USD) per breach, with the possibility of doubling for repeat offenses. Intentional disclosure of sensitive data could result in imprisonment for up to two years. Affected individuals may also pursue compensation claims.
PDPL compliance and a consent-first approach can be sped along by following a number of best practices:
Conduct data audits: Align data practices with PDPL requirements
Update privacy policies: Ensure privacy notices make data practices, consumer rights, and how to exercise those rights clear to consumers
Implement consent management: Control cookie consent and oversight with a comprehensive consent management platform like CookieHub
Employee training: Make sure staff know the importance of data privacy and what steps they can take to support PDPL compliance
The PDPL applies to the processing of personal data by both public and private entities operating within Saudi Arabia. It also extends to entities outside the Kingdom if they process personal data related to individuals located in Saudi Arabia. The law aims to protect individuals’ privacy and regulate how personal data is collected, used, stored, and shared.
Under the PDPL, personal data refers to any information—regardless of its source or form—that can identify an individual directly or indirectly. This includes data such as names, identification numbers, contact details, and personal characteristics.
Sensitive data is a specific category of personal data that requires higher protection due to its nature. According to the PDPL, this includes data related to an individual’s racial or ethnic origin, religious or philosophical beliefs, political opinions, health, genetic and biometric information, and criminal records.
The Saudi Data & Artificial Intelligence Authority (SDAIA), through its National Data Management Office (NDMO), is responsible for overseeing and enforcing the PDPL. SDAIA issues regulations, monitors compliance, and provides guidance on best practices for data protection.
Certain exemptions apply under the PDPL. These include personal data processing for non-commercial personal use, and data handled for security or judicial purposes. Government entities may also be exempt in specific scenarios, especially where national security or public interest is involved.
For official information, resources, and regulatory guidance, you can visit the website of the National Data Management Office (NDMO). Updates and enforcement details are also available through the Saudi Data & Artificial Intelligence Authority (SDAIA).