# [PDPL: Saudi Arabia’s Personal Data Protection Law](https://www.cookiebot.com/en/saudi-arabia-personal-data-protection-law-pdpl/)

---
## The Saudi Arabia Personal Data Protection Law (PDPL)

Saudi Arabia has officially introduced the PDPL, its data protection law. Published in the Official Gazette, the country's online English language newspaper, this legal framework was unveiled on September 24, 2021.

Subsequently, amendments were confirmed in March 2023, paving the way for the law to come into effect in September of the same year, with enforcement beginning a year after that. This regulation is set to have a significant impact on businesses operating within the Saudi Arabian jurisdiction. It is important for organizations to comprehend its nuances and implications to achieve and maintain compliance in their operations when processing personal data.

---
## What is Saudi Arabia’s Personal Data Protection regulation?

The Saudi Arabia Personal Data Protection Law (PDPL) is the first data privacy law passed in the country. Jurisdictionally, it also covers the United Arab Emirates. It was passed by a royal decree in September 2021, with amendments passed March 23, 2023. It will officially come into effect on September 14, 2023, with enforcement beginning after a year, on September 13, 2024.

The PDPL is designed to protect the privacy of consumers’ personal data, prevent unauthorized use of it, and regulate how it can be shared. The PDPL takes inspiration from the European Union’s [General Data Protection Regulation (GDPR)](https://www.cookiebot.com/en/gdpr/) and is aligned with other international protection regulations. It has the standard principles and responsibilities, like purpose limitation, data minimization, data controller responsibilities, data subjects’ rights, and penalties for violations. The PDPL also requires prior consent for data processing of personal information.

---
## Key definitions in the Saudi Personal Data Privacy Law

While some specific terminology in the PDPL may look different from other privacy laws, this may be a function of translation, and the definitions themselves are largely standard.

### How the PDPL defines adequacy list

The regulatory body prepares a list of countries deemed to provide adequate protection for personal data and data subjects’ rights. Regular reviews and updates to the list are required.

### How the PDPL defines anonymization

*“Removing any direct or indirect characteristics from the Personal Data, that may make the Personal Data Subject specifically identified.”*

### How the PDPL defines personal data subject

A private person/individual who resides in Saudi Arabia or the UAE, who has rights regarding their personal data, its privacy and protection, and whose information may be processed by organizations.

### How the PDPL defines child

Any person under the age of 13. Consent to process their personal data must be obtained from a parent or legal guardian.

### How the PDPL defines codes of conduct

*“Set of general rules and specific responsibilities approved by the Regulatory Authority, which Controllers and Processors are obligated to comply with, to face the challenges relating to protection of Personal Data in a specific sector, in order to establish a system of proper practices in that sector and to comply with that system.”*

### How the PDPL defines regulatory authority

Authorities responsible for regulation or oversight of the law. Any government entity with an “independent public personality” and powers, duties, and responsibilities over a certain sector of the Saudi Kingdom.

### How the PDPL defines consent

Consent must be obtained before or at the time of processing. It must be “clear and unambiguous”.

Explicit consent: *“Verbal or written consent that is express, specific and given freely by the Data Subject, proofing that the Data Subject agrees to process their Personal Data.”*

The PDPL specifies that the *“Controller shall obtain consent by any appropriate means or in any appropriate form, including by means of written consent forms, electronic forms, settings in applications, verbal consent or Implied Consent if allowed.”*

### How the PDPL defines means of communication and notification

The PDPL lists specific acceptable means for communication between controllers and data subjects. Where possible, personal data subjects may change the preferred mode of communication. The acceptable means must be “valid and effective” and include:

- text messages to authenticated mobile phones
- accounts registered in government automated systems
- postal mail
- applications’ notifications and alerts
- any other electronic means designated for that purpose and recognized in the Saudi Kingdom

### How the PDPL defines personal data

Any information that can specifically identify a person or lead to their identification, alone or combined with other information. Examples include: name, phone number, email address, or driver’s license number.

### How the PDPL defines sensitive personal data

Certain types of personal data, which, if damaged, lost, or misused, could cause harm to data subjects, including information inferred from:

- ethnic or tribal origin
- religious, intellectual or political beliefs
- membership in civil associations or institutions
- criminal and security data
- credit data
- genetic data
- health data
- location data
- biometric data
- data indicating an individual is unknown to one or both parents

### How the PDPL defines profiling

*“Automated Processing of Personal Data and using such Personal Data to analyse and assess certain personal aspects of the Data Subject, and to forecast aspects relating to the Data Subject’s performance at work, financial status, health, personal preferences, interests, behaviour, location or movement, for the purpose of creating a profile of the Data Subject.”*

### How the PDPL defines scope of application

*“Processing personal data by an individual within their family or within their limited social circle taking part in any social or family activity.”*

It excludes public disclosure of personal data or using it for *“professional, non-profit or commercial activity.”*

---
## What organizations have to comply with the Saudi data privacy law?

The PDPL is extraterritorial, and both private and public organizations processing personal data of Saudi Arabia’s or the UAE’s residents must comply, even if they are located outside of Saudi Arabia or the UAE.

Processing refers to the collection, use, sharing, updating, transfer, or storage of personal data, whether done manually or automatically. Sensitive personal data is also included as a category and requires special protection and handling.

For many organizations a Data Protection Officer will be appointed. They are responsible for compliance, personal data subject requests, data breaches, working with authorities, training, and more.

---
## What rights does the PDPL give consumers?

The Saudi data privacy law does not overrule any other law or statute that provides data subjects with even more protection for privacy and personal data. The law also covers the personal data of deceased persons if it could be used to identify them or family members.

Specific rights for personal data subjects under the PDPL:

- **Right to know:** information about the controller and data processing
- **Right to access:** confirmation if the controller is processing the consumer’s personal data and access to it, with some exceptions
- **Right to correction:** also completion or update of any inaccurate or outdated information the controller has on the data subject
- **Right to deletion:** or destruction of any personal data the controller has about or from the consumer, with some exceptions
- **Right to portability:** obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a legible and clear format, with some exceptions

---
## What is required for consent to be valid under the PDPL?

Consent is the main legal basis for data processing under the Saudi privacy law. Legitimate interest was added with the recommended amendments, but it does not apply for processing of sensitive personal data.

PDPL requirements for valid data subject consent are:

- notification of the reason(s) for the consent request and the legal justification or practical need for it
- notification that data processing will be limited to the minimum amount of data needed to fulfill the stated purpose
- notification of all purposes for data processing and consent options
- notification of the right to withdraw consent at any time
- establishing procedures to enable withdrawal of consent
- obtaining and documenting explicit consent in a provable and auditable way
- obtaining consent in writing for sensitive personal data processing
- obtaining consent from a legal guardian for processing of personal data of a person who is a child, legally incompetent, or deceased

---
## How does the PDPL require children’s data to be processed?

Consent for processing the personal data of children must be obtained from a parent or legal guardian.

---
## What responsibilities do companies have under the Saudi data protection law?

### Notification requirements for personal data subjects

Companies must comply with the PDPL if they process the personal data of Saudi Arabia or UAE residents. Organizations must notify data subjects about what data is processed and for what purpose.

### Requirements for international transfers of personal data

Data controllers must process and store personal data they collect within the geographical boundaries of the Saudi Kingdom. If there is not a security risk, under some circumstances data can be stored or processed outside of the Kingdom.

### Data processing purpose limitations and data minimization

Controllers must only collect and process the minimum amount of personal data that fulfills the stated and necessary purpose(s).

### Retention period for personal data

Previously collected personal data should not be collected or stored any longer than necessary.

### Personal data processing for advertising

Controllers must obtain valid and explicit consent from the data subject before they can be contacted for advertising purposes.

### Privacy notice or privacy policy

Data controllers must supply an accessible and easy to read privacy notice on their website.

### Data Protection Officer (DPO)

Controllers are required to appoint an employee as a Data Protection Officer in many cases.

### Data processors contracts

Data controllers must ensure that data processing vendors and partners provide strong guarantees of PDPL compliance.

---
## Saudi Arabia’s data privacy act penalties and enforcement

### Complaint submission and enforcement authorities

The Saudi Data and Artificial Intelligence Authority (SDAIA) will be primarily responsible for enforcing the PDPL.

### Notifications for data breaches

A breach can include a leak or illegal access to, or damage or destruction of personal data. Organizations must notify the regulatory authority immediately.

### Fines and penalties

The penalty can range from a warning to fines up to SAR 5 million. For repeat offenses, the court may double the fine.

---
## How can companies comply with the Saudi data privacy law?

If an organization is already GDPR-compliant, much of the work toward PDPL compliance has been done. Organizations should implement data privacy best practices.

©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)