Personal data refers to any information that identifies an individual, either directly or indirectly. This includes:

• Name, ID numbers, email addresses, phone numbers, and IP addresses.
• Sensitive data such as health, biometric, financial, and religious information. Employee data is indeed considered personal data and must be handled in compliance with PDPL.

The list of countries with “adequate” data protection standards is anticipated to be released by SDAIA. However, there is currently no confirmed timeline. It is recommended for organizations to monitor updates directly from SDAIA or through official government announcements.

To ensure that your Binding Corporate Rules (BCR) comply with SDAIA guidelines:

• Compare your BCR against SDAIA’s published requirements (SCC Clause).
• Validate the BCR framework for transparency, accountability, security, and consent mechanisms.
• Consult legal/privacy experts to perform a compliance gap analysis.

A  Data Protection Officer (DPO) can be a dedicated role or an existing resource within the organization, depending on the size and complexity of the organization. If the role is assigned to an existing resource, departments such as legal, compliance, or IT are typically considered appropriate due to their alignment with privacy and governance requirements. The DPO must be adequately skilled and independent in overseeing compliance.

 If your organization processes a limited amount of personal data (e.g., only employee data) and does not handle sensitive or large-scale data, appointing a DPO may not be mandatory. However, having a point of contact for privacy-related matters is recommended to ensure compliance.

It is advised to register the organization with SADIA. To determine if your organization is required to register, it is best to verify this on the SADIA website.

Yes, the requirement to appoint a DPO depends on the organization’s data processing activities. Organizations should assess their size, data volume, and sensitivity to determine compliance obligations and check if their primary operations involve personal/sensitive personal data processing.

Yes, it is considered good practice to:

• Notify employees of the updated Privacy Policy.
• Obtain their acknowledgment to ensure transparency and compliance. This approach demonstrates accountability and aligns with PDPL requirements for lawful processing.

Yes, the PDPL document is publicly available and can be accessed on SDAIA’s official website or through government legal publications.

The PDPL applies to all personal data, including:

• Internal employee data (e.g., HR records, payroll data).
• External personal data (e.g., customer or client information).

Examples of sensitive and non-sensitive personal data include:

• Sensitive Personal Data: Health records, biometric data, financial information, religious beliefs, or political affiliations.
• Non-Sensitive Personal Data: Name, phone number, email address, or publicly available information.

Credit data refers to any information related to an individual’s financial status, such as:

• Credit scores and reports.
• Loan or repayment history.
• Credit card information.

Yes, the PDPL applies to any entity processing the personal data of individuals residing in Saudi Arabia, regardless of where the organization is located. If you handle such data, compliance with PDPL requirements is necessary.

The presentation file is attached to this email.

Our consultants possess extensive experience in data privacy, compliance, and cybersecurity. They are well-versed in global regulations such as KSA PDPL, UAE PDPL, Qatar PDPPL, GDPR, CCPA, and other data privacy regulations. We have a team with certified expertise across the GCC, Europe, and other international markets.

The effective date of the Personal Data Protection Law (PDPL) in Saudi Arabia is September 14, 2023.

The Saudi Personal Data Protection Law (PDPL) mandates that all “Controllers” (entities determining the purposes and means of processing personal data) must register with SDAIA through the NDMO Platform. This registration requirement, as outlined in Article 30, is not contingent on marketing activities but is a fundamental obligation for any entity processing personal data within the Kingdom. SDAIA, as the Competent Authority, is empowered to monitor compliance through various mechanisms, including a national register of Controllers.

Link: https://dgp.sdaia.gov.sa/wps/portal/pdp/home

Yes. Under Article 18 of the KSA PDPL, controllers are responsible for not keeping personal data beyond its intended use. There are, however, exceptions to this rule, such as when data is required for legal compliance or ongoing court cases.

With the PDPL’s publication in September 2023 and its enforcement date set for September 2024, businesses have a window to prepare. It’s crucial to begin implementing compliance measures now, rather than reacting to potential SDAIA scrutiny later.

SDAIA’s DPO appointment guidelines are available at this link:https://sdaia.gov.sa/en/SDAIA/about/Documents/RulesforAppointingPersonalDataProtectionOfficer.pdf

Public PDPL audits are not yet announced, as enforcement is still new.

You’ll receive a clear, high-level understanding of your KSA PDPL compliance level with Ahlan’s Assessment.

Despite the PDPL’s provision for SDAIA to license audit entities (Article 33(3)), no public information regarding these accredited bodies has been released.

The core enforcement tools of the PDPL, administered by SDAIA, are rooted in Articles 30–38. These include

• a mandatory Controller and Processor registry,
• the authority to request compliance evidence and conduct audits, and
• the power to impose administrative fines and pursue criminal prosecution.

This combined approach of registration, audits, and penalties ensures compliance.

The PDPL does not specify that a DPO must be a Saudi national. Article 30(2) refers to the Implementing Regulations for appointment situations, omitting nationality. Thus, expertise and capability are the current focus.

Failure to appoint a DPO when required by SDAIA thresholds constitutes a PDPL violation. For organizations below these thresholds, PDPL compliance can be managed by another qualified professional (e.g., CISO, legal counsel). Regardless, that professional must undertake all DPO functions to ensure full compliance.

• Legal basis for processing: As opposed to the private sector, the government entities often rely on “public interest or security purposes” (Article 6(3), Article 10(3)) for lawful processing. The former however, is dependent on consent, contractual necessity, or legitimate interest etc.

• Exemptions: Government entities may apply specific exemptions to restrict data subject rights when national security or public interest is at stake (Article 9 et al.) in contrast to the private sector.

• Audits: Government bodies may face supplementary audits from specialized regulatory agencies.

• Transparency vs. security: The government side is known to be focusing on balancing transparency and privacy with security/national interest, unlike the private sector.

Article 2(1) of the PDPL establishes broad protection for personal data within Saudi Arabia. This protection extends to the data of Saudi citizens, expatriates, and any individual physically present in the Kingdom, regardless of where the data processing occurs.

Yes, under the PDPL, a Security Operations Center (SOC) provider acting on behalf of a Controller is classified as a “Processor.” As such, it is obligated to comply with all PDPL requirements.

Regardless of size or data volume, the PDPL (Article 2) applies to all personal data processing within Saudi Arabia. While the Implementing Regulations (Article 32) establish thresholds for mandatory Data Protection Officer (DPO) appointments, all organizations, regardless of size, must comply with the PDPL’s core obligations.

PDPL compliance is typically managed by a cross-functional Data Protection Office, working with legal, IT/security, risk, and other relevant departments. In smaller organizations, this responsibility may fall to the Legal Department or the CISO, provided they can handle privacy-specific tasks like data-subject requests. Larger organizations often establish a dedicated Privacy Department or employ a dedicated privacy manager/DPO.

Article 29 of the PDPL allows for international data transfers under specific conditions. These include

• ensuring the transfer does not harm national security or vital interests,
• that the receiving country provides adequate data protection, and
• that only necessary data is transferred.

If the destination country lacks officially recognized adequate protection, explicit consent or a PDPL-approved exception (e.g., contract performance, public health) is required. Notably, even if a foreign company is the primary Controller, a local entity collecting data in Saudi Arabia remains subject to PDPL obligations when transferring data abroad.