Saudi Arabia’s PDPL (2025): A Deep Dive for Controllers, Processors & Compliance Leaders
Executive summary
Saudi Arabia’s PDPL is now fully enforceable and backed by detailed implementing regulations and transfer rules. It applies inside and outside the Kingdom (when processing data of individuals residing in the Kingdom), introduces breach-notification within 72 hours, requires registration of many controllers, mandates DPOs in defined cases, and sets structured gateways for cross-border data transfers. Penalties include administrative fines up to SAR 5 million and criminal sanctions for certain sensitive-data offences.
Successful compliance demands mapping processing, updating notices, setting up rights workflows, registering properly, and building a cross-border-transfer playbook.
1) What is the PDPL and who enforces it?
The PDPL was issued by Royal Decree M/19 (2021) and amended by M/148 (2023). It took effect 14 September 2023 with a 12-month grace period ending 14 September 2024.
The competent authority is the Saudi Data & AI Authority (SDAIA), which administers the framework (including the National Data Governance Platform (NDGP) for registrations).
Territorial scope. The law applies to:
- Processing of personal data in Saudi Arabia, by any means.
- Processing of personal data of individuals residing in Saudi Arabia, even if handled by entities outside Saudi Arabia.
Thus, non-Saudi controllers who process data of Saudi residents are in scope.
2) Roles, principles and lawful bases
Roles. The PDPL distinguishes between Controller and Processor:
- Controller: entity that decides the purpose and manner of processing.
- Processor: entity that processes on behalf of the controller.
Principles & transparency. While the PDPL text and guidance do not replicate the full GDPR principle list, controllers should operate on familiar bases: fairness, purpose limitation, minimisation, security, storage limitation, accountability.
Lawful bases. Entities must rely on one of the following for processing:
- Consent
- Contract (or pre-contract)
- Legal obligation
- Vital interests
- Legitimate interests — note: legitimate interests basis is not available for processing of sensitive data.
3) Data subject rights you must enable
Individuals’ rights under PDPL include:
- Right to be informed (purpose, categories, recipients, transfers, retention)
- Right of access
- Right to rectification / update
- Right to erasure / deletion (when retention no longer justified)
- Right to withdraw consent
- Right to portability / copying of their data (where applicable)
Controllers should maintain procedures: verification of identity, timely responses, documentation of decisions.
4) Registration and the “representative” concept
Controllers must register on the NDGP if they fall under the trigger categories (e.g., processing sensitive data, main activity is personal-data processing).
As part of registration, a representative (often a local entity or authorised person) must be appointed. For foreign controllers, representation obligations are evolving, so plan for a Saudi-based representative or authorised local agent.
Registration gives controllers access to NDGP services such as the breach-notification submission interface and compliance self-assessment tools.
5) Do you need a Data Protection Officer (DPO)?
Yes — in specified cases defined by SDAIA’s “Rules for Appointing a Personal Data Protection Officer”. Typical triggers: large-scale processing, core business activity includes regular monitoring, core processing of sensitive data, or public entity.
Even where not mandatory, appointing a DPO is best practice and may help demonstrate accountability in audits.
6) Breach notification (timelines and thresholds)
Controllers must notify SDAIA of a “reportable incident” within 72 hours of becoming aware of it. The notification must include a description of the nature of the breach, its likely consequences and the measures taken.
Controllers must also notify data subjects without undue delay if the breach is likely to result in high risk to individuals’ rights or freedoms.
Processors must notify their controller without undue delay; controllers should ensure contract terms reflect that duty.
7) Cross-border transfers: how to do them lawfully
Transfers/disclosures of personal data outside Saudi Arabia require compliance with the Regulation on Personal Data Transfer Outside the Kingdom (the “Transfer Regulation”). Key points:
- A lawful basis for processing must exist.
- A lawful basis for transfer/disclosure must exist (per Article 29 of PDPL).
- The destination country must either be deemed adequate (i.e., offer protection no less than the PDPL) or the controller must implement appropriate safeguards: Standard Contractual Clauses (SCCs), Binding Common Rules (BCRs) or certification.
- The adequacy list has not yet been published by SDAIA as of mid-2025; thus transfers currently rely on safeguards and risk assessment.
- In certain cases (continuous or large-scale transfers of sensitive data) a Transfer Risk Assessment (TRA) is mandatory before transfer. The TRA must document purpose, nature, scope, safeguards, risks and mitigation.
Marketing & cookies: While the PDPL doesn’t have a standalone cookie law, controllers must seek prior consent for direct electronic marketing (especially when sensitive data is involved), provide opt-out mechanisms and align with related e-commerce/telecom regulation.
8) Penalties and enforcement
- Administrative fines up to SAR 5,000,000 (and can be doubled for repeat violations).
- Criminal liability applies only to the unlawful disclosure or publication of sensitive personal data (with intent to harm or gain): up to 2 years’ imprisonment and/or a fine of up to SAR 3,000,000.
- SDAIA has powers to issue corrective orders, suspend processing, require publication of decision, revoke registration and cooperate with other regulators.
9) A practical PDPL compliance playbook (checklist)
Immediate (foundation):
- Map all processing activities: create a Records of Processing Activities (RoPA) listing categories, lawful bases, recipients, cross-border flows, retention.
- Localise/upgrade privacy notices: include purpose, legal basis, recipients, transfers, rights of data subjects under PDPL.
- Stand up a rights-handling workflow: define receipt, identity verification, timeframes and communication templates for access, correction and erasure requests.
- Implement security controls: ensure technical and organisational measures (encryption, access controls, logging) proportionate to risk.
Governance & people:
- Determine whether the registration obligation applies; if triggered, register the controller on the NDGP platform and appoint a local representative.
- Assess whether you must appoint a DPO; document the decision and maintain job description, mandate, reporting line.
- Update contracts with processors: include protocols for instructions, breach notification, return/deletion, sub-processing, audits.
Operational controls:
- Build a breach-notification playbook: triage, risk assessment, 72-hour SDAIA submission, data-subject communications, lessons-learned review.
- Build a cross-border transfer playbook: identify flows, check if destination country has “adequacy” (currently none), implement SCCs/BCRs, run TRA when required, maintain documentation of each transfer.
- Marketing consent: ensure consent appropriately captured, opt-out offered, sensitive data not used for marketing unless strict conditions met.
- Retention/destruction: define holds, anonymisation/de-identification where feasible, secure destruction when data no longer needed.
Evidence & culture:
- Maintain auditable evidence: DPIAs/PIAs, transfer risk assessments, breach logs, training records, board-level reporting.
- Set up periodic compliance review (e.g., annual internal audit, update contracts, refresh controls).
- Implement training and awareness for staff, especially those handling data-subject requests or cross-border flows.
10) PDPL vs EU General Data Protection Regulation (GDPR) — key differences (at a glance)
| Feature | GDPR | Saudi PDPL |
| --- | --- | --- |
| Legal bases | Six (consent, contract, legal obligation, vital interests, public interest, legitimate interests) | Five (consent, contract, legal obligation, vital interests, legitimate interests); legitimate interests is not available for sensitive-data processing. |
| Cross-border transfers | Adequacy, SCCs, BCRs; adequacy list published for many countries | Adequacy list not yet published; controllers must use safeguards (SCCs/BCRs) and run a mandatory Transfer Risk Assessment (TRA) in many cases. |
| Criminal liability | Some member states have criminal sanctions; the GDPR itself relies mainly on administrative fines | PDPL explicitly includes criminal sanctions for certain sensitive-data offences (up to 2 years’ imprisonment and a fine of up to SAR 3 million). |
| Registration requirement | Generally only in certain EU member states or where a supervisory authority requires it | Mandatory registration on the NDGP for many controllers (those processing sensitive data or whose core business is processing). |
| Representative / local presence | One-stop-shop mechanism; a representative is required for certain controllers established outside the EEA | A local Saudi representative is required to register a controller; foreign-controller representation obligations are still evolving. |
11) Timeline recap (important dates)
- 14 Sept 2023: PDPL came into force.
- 14 Sept 2024: General grace-period ended and enforcement began.
- 2024-25: SDAIA published key rules & guidelines: DPO rules, registration rules, transfer risk assessment guidance.
12) Who needs a “local representative”?
Controllers registered under the NDGP must appoint a representative for the registration process. For foreign controllers processing data of Saudi residents, the law does not yet set out detailed duties beyond registration, so best practice is to assume a Saudi-based authorised representative or local agent will be required. These obligations are still evolving.
Final thoughts
For organisations operating in or processing data of Saudi residents, PDPL compliance is no longer optional — it is a strategic priority. Starting with a solid foundation (mapping, notices, rights processes), then layering registration, DPO, breach and transfer workflows, and maintaining robust evidence will position your organisation to meet SDAIA expectations and mitigate risk of enforcement.
Sources
- SDAIA, Guide to the Saudi PDPL for Controllers and Processors (Dec 2023); official PDPL text and Implementing Regulation.
- DLA Piper, Data Protection Laws of the World: Saudi Arabia (updated 2025): scope, transfers, 72-hour breach notification, penalties.
- SDAIA National Data Governance Platform: breach-reporting service (72 hours) and National Register links.
- Bird & Bird: controller registration and representative requirement; private-sector onboarding; note that rules for non-KSA controllers are forthcoming.
- Baker McKenzie / CMS: 2025 guidance on transfer risk assessment and enforcement ranges.