---
name: kb-data-privacy-ksa-pdpl
description: Use when a matter involves personal data processing, privacy obligations, or data-breach response in Saudi Arabia. Covers the KSA Personal Data Protection Law (Royal Decree M/19 2021, effective 2022–2023) and NDMO implementing regulations, lawful bases, sensitive data categories, cross-border transfer restrictions, data subject rights, and PDPL penalties up to SAR 5 million. Triggers on questions about PDPL KSA, Saudi data privacy, SDAIA, NDMO compliance, or data controller obligations in Saudi Arabia.
license: MIT
metadata:
  id: kb.data-privacy-KSA-PDPL
  category: kb
  practice_area: Data Privacy & Technology Law
  jurisdictions: [KSA]
  priority: P2
  intent: [data-privacy, KSA-PDPL, NDMO, SDAIA, personal-data, compliance]
  related: [kb-data-privacy-gdpr, kb-data-privacy-egypt, kb-data-privacy-uae-pdpl, kb-fintech-licensing-cma-ksa, kb-healthcare-regulation-mena]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---
# Knowledge Pack — KSA Personal Data Protection Law (PDPL)

## Scope
Saudi Arabia's Personal Data Protection Law (PDPL) was enacted by Royal Decree M/19 dated 9/2/1443H (September 2021) and became operative for most entities in September 2023 following a phased rollout supervised by:
- SDAIA — Saudi Data and Artificial Intelligence Authority (policy and enforcement)
- NDMO — National Data Management Office (implementing regulations and technical guidance)
The PDPL applies to:
- Any entity (public or private) that processes personal data of individuals located in Saudi Arabia at the time of processing.
- Extra-territorial scope: foreign entities processing KSA residents' data to offer goods or services to them, or to monitor their behavior, in KSA.
- Excluded: data processed for personal/family purposes; national security, crime, or judicial processing by competent authorities; deceased persons' data (except where linked to living persons).
## Key Definitions
| Term | PDPL Definition |
|---|---|
| Personal data | Any data that identifies or allows identification of a natural person |
| Sensitive data | Health and medical data; genetic and biometric data; credit/financial data; location data of a continuous or systematic nature; data revealing racial, ethnic, religious, or political views |
| Controller | Entity that determines purpose and means of processing |
| Processor | Entity processing on behalf of a controller |
| NDMO | National Data Management Office — technical regulation |
| SDAIA | Saudi Data and AI Authority — enforcement and policy |
## Lawful Bases for Processing
Unlike GDPR, the KSA PDPL uses a narrower set of lawful bases:
- Controller's legitimate interest — processing that does not override the data subject's interests; proportionality required.
- Public interest — government and public sector tasks.
- Legal obligation — required by applicable Saudi law.
- Contract — necessary to perform a contract to which the data subject is a party.
- Vital interests — protect life or health.
- Consent — required specifically for sensitive data and for direct marketing; otherwise not the primary basis.
### Sensitive data processing
Requires explicit consent of the data subject plus one of the following additional grounds:
- Legal obligation or judicial procedure
- Legitimate public interest established by regulation
- Protection of vital interests when the data subject is unable to consent
## Data Subject Rights
| Right | Mechanism |
|---|---|
| Access | Request copy of personal data held; no charge for first request annually |
| Rectification | Correct inaccurate or outdated data |
| Erasure | Delete when purpose fulfilled, consent withdrawn, or no longer legally required |
| Restriction / objection | Object to processing for direct marketing; request restriction during dispute |
| Portability | Receive data in portable format (limited to specific contexts under implementing regs) |
| Withdraw consent | At any time for consent-based processing |
- Response deadline: 30 days (extendable once with notice).
- NDMO may issue further guidance on specific rights implementation.
## Consent Requirements
- Must be written (or electronic equivalent) when required.
- Explicit for sensitive data.
- Specific to the purpose — bundled/blanket consent does not satisfy the requirement.
- Withdrawable — controllers must maintain mechanisms for withdrawal.
- For minors under 18, consent must be given by the guardian.
## Cross-Border Data Transfers
Transfer of personal data outside Saudi Arabia is prohibited unless:
- The destination country provides adequate protection — per NDMO adequacy list (currently being developed; GDPR-equivalent jurisdictions used as benchmark).
- Contractual safeguards approved by NDMO (model clauses or binding corporate rules).
- Explicit consent of the data subject for the specific transfer and its risks.
- Transfer necessary for contract performance, judicial proceedings, or legal claims.
- Transfer necessary to protect vital interests when the data subject is unable to consent.
- The transfer is in the public interest established by law.
Controllers must document the basis for each transfer and obtain NDMO approval for certain categories.
## Data Breach Obligations
- Notify NDMO within 72 hours of becoming aware of a breach likely to harm data subjects.
- Notify affected data subjects without undue delay when the breach may directly affect their rights or interests.
- Maintain an internal incident register.
- Implement preventive technical and organizational security measures.
## Security Requirements
- Implement technical and organizational security measures proportionate to the nature and risk of processing.
- Physical, administrative, and technical safeguards required.
- Data Processing Agreements (DPAs) with processors mandatory; processors must provide equivalent security guarantees.
- Retention limitation: data must be deleted once the purpose is achieved unless retention is required by law.
## Penalties
| Violation | Administrative Penalty |
|---|---|
| Transfer of personal data outside KSA without authorization | SAR 3,000,000 (up to SAR 5,000,000 for repeat) |
| Processing sensitive data without required consent/grounds | SAR 3,000,000 |
| Violating data subject rights | SAR 1,000,000 |
| Failure to implement security measures / breach notification | SAR 2,000,000 |
| General PDPL violation | SAR 1,000,000 (up to SAR 2,000,000 for repeat) |
- Criminal penalties possible for intentional violations causing harm.
- SDAIA may publish violator names publicly (naming and shaming).
- Repeat violations trigger doubled fines.
## Sector-Specific Overlays
| Sector | Additional regulator |
|---|---|
| Financial / banking | SAMA (Saudi Central Bank) — data and cybersecurity guidance |
| Fintech / crypto | CMA + SAMA data governance requirements |
| Health data | Ministry of Health data governance standards |
| Telecom / cloud | CITC data localization and cybersecurity requirements |
| Government data | NCA (National Cybersecurity Authority) cloud and data policies |
Health data and financial data are sensitive data under PDPL and require heightened protections.
## Data Localization
- KSA does not impose a blanket data-localization requirement under PDPL.
- However, sector-specific regulations (particularly SAMA, MOH, and CITC) impose localization requirements for certain categories of regulated data (financial records, health records, telecom data).
- Cloud computing and SaaS agreements must address localization obligations per sector.
## Compliance Checklist
- Data mapping: inventory all personal data flows in KSA operations
- Identify and document lawful basis for each processing activity
- Obtain explicit consent for sensitive-data processing
- Review and update privacy notices (Arabic mandatory; bilingual recommended)
- Establish consent-withdrawal mechanisms
- Put Data Processing Agreements in place with all processors
- Assess cross-border transfer mechanisms for data leaving KSA
- Implement 72-hour breach notification procedure
- Establish data subject rights request-handling process
- Check sector-specific data localization obligations
## Comparison with GDPR
| Feature | KSA PDPL | GDPR |
|---|---|---|
| Primary regulator | SDAIA / NDMO | National DPA (country-specific) |
| Consent model | Required for sensitive data / marketing; legitimate interest basis available | Six bases; consent one of six |
| DPO | Not specifically mandated (NDMO guidance may specify) | Mandatory in certain cases |
| Max fine | SAR 5M | €20M / 4% global turnover |
| Breach notification | 72 hours to NDMO | 72 hours to national DPA |
| Extra-territorial | Yes | Yes |
## Caveats & Currency
The PDPL's implementing regulations and NDMO guidance have been issued in phases. The adequacy list, approved model clauses, and sector-specific guidance are still developing as of 2025. Consult current NDMO publications before advising. SAMA, CITC, and MOH layered obligations require separate verification per sector.
## Related Skills
- [[kb-data-privacy-gdpr]]
- [[kb-data-privacy-egypt]]
- [[kb-data-privacy-uae-pdpl]]
- [[kb-fintech-licensing-cma-ksa]]
- [[kb-healthcare-regulation-mena]]
- [[draft-data-processing-agreement]]
- [[draft-privacy-policy]]