Saudi Arabia's Personal Data Protection Law (PDPL), enacted by Royal Decree M/19 in September 2021, amended in March 2023 and in force since 14 September 2023 (with a one-year grace period for compliance that ended on 14 September 2024), is the Kingdom's first comprehensive data privacy legislation. Administered and enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), the PDPL brings Saudi Arabia's data protection framework broadly in line with the EU's GDPR, but with significant differences that companies cannot address by simply replicating their European compliance programmes.
For foreign companies operating in Saudi Arabia, whether through MISA-licensed entities, branches, or by processing Saudi personal data from abroad, PDPL compliance is not optional. SDAIA can impose fines of up to SAR 5 million (approximately USD 1.3 million) per violation, and the law applies extra-territorially to any entity, wherever located, that processes the personal data of individuals residing in the Kingdom.
**Scope and Application**
The PDPL applies to every entity — public or private, Saudi or foreign — that processes the personal data of individuals in Saudi Arabia. This includes MISA-licensed companies and branches with Saudi operations, companies processing Saudi employee data (including for Saudisation compliance), cloud service providers storing Saudi data on international servers, e-commerce platforms serving Saudi consumers, and technology companies collecting Saudi user data through apps or platforms.
The extra-territorial reach means that a European company with no Saudi legal entity but with Saudi customers is subject to the PDPL. This is a fundamental shift from the previous regulatory environment, where data protection obligations were sector-specific and limited.
**Core Obligations**
The PDPL establishes seven core compliance obligations:
1. Lawful Basis: Processing requires a lawful basis: consent, contractual necessity, legitimate interest, vital interest, public interest, or legal obligation. Unlike GDPR, legitimate interest under the PDPL has a narrower application (it cannot be relied on to process sensitive data), and SDAIA guidance treats consent as the primary basis for most commercial processing.
2. Consent Requirements: Consent must be explicit, informed, and freely given, and a data subject may withdraw it at any time. Pre-ticked boxes and bundled consent do not satisfy PDPL requirements, and access to a service may not be made conditional on consent unless the processing is directly related to that service. Sensitive data (health, genetic, biometric, credit, ethnic or tribal origin, religious or political belief, and criminal record data) requires express written consent.
3. Privacy Notice: Data controllers must provide clear, Arabic-language privacy notices disclosing the purpose of processing, data categories, retention periods, third-party sharing, and data subject rights before collecting personal data.
4. Data Subject Rights: Saudi data subjects have rights to be informed, to access their data, to have it corrected or destroyed, to obtain a copy in a readable format (portability), and to withdraw consent, and they must be told of data breaches that may harm them. Controllers must respond to requests within 30 days, extendable once by a further 30 days for complex requests.
5. Data Protection Impact Assessments: Required for high-risk processing activities, including large-scale processing, automated decision-making, and processing sensitive data.
6. Cross-Border Transfer Restrictions: Personal data may only be transferred outside Saudi Arabia if the receiving country provides adequate data protection (as determined by SDAIA) or under approved safeguards.
7. Data Breach Notification: Data controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach that may cause harm to data subjects, and must notify the affected individuals without undue delay if the breach is likely to cause them harm. The notification must describe the breach, the data involved, the likely consequences, and the measures taken in response.
**Data Localisation**
The PDPL's restrictions on moving personal data outside the Kingdom are the most commercially significant provision for foreign companies. In practice they operate as a data localisation requirement: personal data of individuals in Saudi Arabia must be processed and stored within Saudi Arabia unless the cross-border transfer conditions in the law and its Implementing Regulations are met (transfer to a country SDAIA has assessed as adequate, an approved safeguard such as standard contractual clauses or binding common rules, or one of the narrow statutory exceptions).
For companies running cloud infrastructure, SaaS platforms, or centralised HR systems from European or US data centres, this creates a fundamental compliance challenge. The options are: deploy infrastructure in a cloud region physically inside the Kingdom (for example Oracle Cloud's Jeddah region or Google Cloud's Dammam region); rely on an approved cross-border transfer mechanism; or restructure processing so that as little personal data as possible leaves Saudi Arabia. Note that regions in neighbouring states such as Bahrain or the UAE are outside the Kingdom: hosting Saudi personal data there is itself a cross-border transfer and does not satisfy localisation.
**SDAIA Enforcement**
SDAIA's enforcement approach during the grace period was primarily educational. With the grace period over, enforcement is expected to intensify in 2025. SDAIA has the authority to issue warnings, impose fines of up to SAR 5 million per violation (which may be doubled for repeat violations), publish enforcement decisions, and order the cessation of data processing.
**Practical Compliance Steps**
Foreign companies operating in Saudi Arabia should: conduct a data mapping exercise to identify what personal data they hold and where it is processed; assess cross-border data flows and the transfer mechanism relied on for each; update privacy notices (including Arabic-language versions); implement consent mechanisms that meet PDPL standards; appoint a data protection officer where the Implementing Regulations require one; establish data breach response procedures capable of meeting the 72-hour SDAIA notification deadline; and review vendor and processor agreements to include PDPL compliance obligations.
GSDA Legal Consultants' technology and data protection practice advises multinational companies on PDPL compliance — from initial assessment through implementation to ongoing monitoring. Our Riyadh office provides the local regulatory expertise, while our Paris and Dubai offices coordinate cross-border data transfer strategies across the GCC and Europe.