Meet PDPL compliance and minimise your legal risk
Automate consent management and align your business with regulatory compliance with our no-code, easy-to-use cookie consent solution.
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The Saudi Arabia Personal Data Protection Law (PDPL) is designed to regulate the processing of personal data by businesses and protect the privacy rights of individuals in the Kingdom of Saudi Arabia. It is the first-ever comprehensive data protection law in the Kingdom and came into effect on 17 March 2023.
PDPL Compliance Checklist for Websites
- Obtain user consent for cookies and trackers
- Limit data collection to legitimate purposes
- Keep a record of all data processing activities
- Notify supervisory authorities of data breaches
Achieve PDPL Compliance with CookieYes
Display a cookie consent banner
The PDPL requires businesses to process personal data (including data collected through cookies) with user consent, except under limited circumstances.
With CookieYes you can
Automate consent management
PDPL places consent as a cornerstone for data processing – including obtaining consent, withdrawing consent and recording processing activities.
With CookieYes you can
With our legal policy generators, you can
Comply with PDPL and privacy regulations globally
Learn more and take the first step towards compliance
What is PDPL?
The Personal Data Protection Law (PDPL) is a first-of-its-kind law that covers data protection for residents and businesses operating in the Kingdom of Saudi Arabia. The PDPL will regulate any kind of processing of personal data including collecting, using, storing, sharing, transferring, or updating and aims to protect the rights of individuals concerning their personal data. The PDPL came into full enforcement on March 17, 2023.
Who does PDPL apply to?
The PDPL applies to businesses or public entities that process the personal data of Saudi Arabia residents, including entities located outside the Kingdom. PDPL protects personal data that can be used to identify a natural person including a deceased person or their family members, but does not apply to the processing of personal data for personal and family use.
What are user rights in PDPL?
Right to be informed
The right to know about the personal data a business collects about them and how it is used and shared.
Right to access
The right to access personal data and to have it available in a clear and readable format, free of cost.
Right to correct
The right to request to correct, update, or complete personal data about them.
Right to delete
The right to request the deletion of personal data if it is no longer needed by a business.
What is the penalty for non-compliance?
The disclosure of sensitive data is subject to a maximum penalty of two years in prison and/or a fine not exceeding SAR 3 million (USD 800K). Violation of data transfer provisions is subject to maximum imprisonment of one year and/or a fine not exceeding SAR 1 million (USD 267K).
Violations of all the other provisions are subject to a warning or a fine not exceeding SAR 5 million (USD 1.3M). Any of the fines could also be doubled for repeat offences.
FAQ on PDPL Compliance
Yes, the Kingdom of Saudi Arabia (KSA) passed the Personal Data Protection Law (PDPL) on September 24, 2021, to protect the data and privacy of its residents. It is the first-ever comprehensive privacy law in the Kingdom and will regulate the collection and processing of personal data and set out principles that organizations must follow.
Saudi Arabia passed the Personal Data Protection Law (PDPL) in the government’s Official Gazette on September 24, 2021. The law came into full enforcement on March 17, 2023, with an expected grace period of one year for businesses to become compliant.
The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including (but not limited to): name, driver’s license number, phone number, email address, or social security number. Personal data used for personal or household purposes is exempt from the PDPL. The law also protects the personal data of deceased individuals if their information could lead to the identification of the deceased individual or their family members.
The PDPL also groups some types of personal data as “sensitive”. Sensitive personal data is any information inferred from an individual’s “ethnic or tribal origin, religious, intellectual or political belief, or indicates his membership in civil associations or institutions.” It also includes criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that an individual is unknown to one or both parents.
The transfer of personal data outside the Kingdom is permitted in limited circumstances. PDPL introduces the concept of adequacy, allowing personal data to be transferred to a country that can ensure appropriate protection of personal data and the rights of individuals. The law also recognises other grounds for transferring personal data outside the Kingdom, notably if the transfer is carried out in the performance of an obligation of the data subject.
The SDAIA will oversee PDPL enforcement and is also expected to advise organisations regarding compliance with various provisions and consumer rights, among other responsibilities.
The Kingdom of Saudi Arabia (KSA) is not subject to the General Data Protection Regulation (GDPR) because GDPR protects the data privacy rights of EU and EEA residents. However, if a business established in KSA collects the personal data of EU residents in exchange for goods and services or for monitoring their behaviour, GDPR will apply to that business.
Here are some links you can refer to for additional reading:
Fast-track your PDPL compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.