Skip to main content

Meet PDPL compliance minimise your legal risk

Automate consent management and align your business with regulatory compliance with our no-code, easy-to-use cookie consent solution.

Become PDPL Compliant

14-day free trial Cancel anytime

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.

The Saudi Arabia Personal Data Protection Law (PDPL) is designed to regulate the processing of personal data by businesses and protect the privacy rights of individuals in the Kingdom of Saudi Arabia. It is the first-ever comprehensive data protection law in the Kingdom and came into effect on 17 March 2023.

PDPL Compliance Checklist for Websites

  • Obtain user consent for cookies and trackers
  • Include an accurate, up-to-date privacy policy
  • Limit data collection only for legitimate purposes
  • Keep a record of all data processing activities
  • Notify data breaches to supervisory authorities

Achieve PDPL Compliance with CookieYes

Display a cookie consent banner

The PDPL requires businesses to process personal data (including data collected through cookies) with user consent, except under limited circumstances.

With CookieYes you can

  • Scan your website against a 100,000+ cookie database
  • Display a cookie banner so users can provide opt-in consent
  • Show a consent revisit widget for users to withdraw consent

Automate consent management

PDPL places consent as a cornerstone for data processing – including obtaining consent, withdrawing consent and recording processing activities.

With CookieYes you can

  • Auto-block third-party marketing cookies prior to user consent
  • Schedule cookie scanning for continuous compliance
  • Record user consent logs for regulatory audits

Generate compliant privacy policy

Under the PDPL, businesses should implement a privacy policy that includes what personal data is collected, the purpose of collection, how to exercise user rights, and more.

With our legal policy generators, you can

  • Use our pre-built, legally-compliant policy templates
  • Generate a privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Comply with PDPL and privacy regulations globally

Become PDPL Compliant

14-day free trial Cancel anytime

Learn more and take the first step towards compliance

What is PDPL ?

The Personal Data Protection Law (PDPL) is a first-of-its-kind law that covers data protection for residents and businesses operating in the Kingdom of Saudi Arabia. The PDPL will regulate any kind of processing of personal data including collecting, using, storing, sharing, transferring, or updating and aims to protect the rights of individuals concerning their personal data. The PDPL came into full enforcement on March 17, 2023.

Who does PDPL apply to ?

The PDPL applies to businesses or public entities that process the personal data of Saudi Arabia residents, including entities located outside the Kingdom. PDPL protects personal data that can be used to identify a natural person including a deceased person or their family members, but does not apply to the processing of personal data for personal and family use.

What are user rights in PDPL?

Right to be informed

The right to know about the personal data a business collects about them and how it is used and shared.

Right to access

The right to access personal data and to have it available in a clear and readable format, free of cost.

Right to correct

The right to request to correct, update, or complete personal data about them.

Right to delete

The right to request the deletion of personal data if it is no longer needed by a business.

What is the penalty for non-compliance?

The disclosure of sensitive data is subject to a maximum penalty of two years in prison and/or a fine not exceeding SAR 3 million (USD 800K). Violation of data transfer provisions is subject to maximum imprisonment of one year and/or a fine not exceeding SAR 1 million (USD 267K).

Violations of all the other provisions is subject to a warning or a fine not exceeding SAR 5 million (USD 1.3M). Any of the fines could also be doubled for repeat offences.

FAQ on PDPL Compliance

Yes, the Kingdom of Saudi Arabia (KSA) passed the Personal Data Protection Law (PDPL) on September 24, 2021, to protect the data and privacy of its residents. It is the first-ever comprehensive privacy law in the Kingdom and will regulate the collection and processing of personal data and set out principles that organizations must follow.

Saudi Arabia passed the Personal Data Protection Law (PDPL) in the government’s Official Gazette on September 24, 2021. The law came into full enforcement on March 17, 2023, with an expected grace period of one year for businesses to become compliant.

The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including (but not limited to): name, driver’s license number, phone number, email address, or social security number. Personal data used for personal or household purposes are exempted from PDPL.The law also protects the personal data of deceased individuals if their information could lead to the identification of the deceased individual or their family members.

The PDPL also groups some types of personal data as “sensitive”. Sensitive personal data is any information inferred from an individual’s “ethnic or tribal origin, religious, intellectual or political belief, or indicates his membership in civil associations or institutions.” It also includes criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that an individual is unknown to one or both parents.

The transfer of personal data outside the Kingdom is permitted in limited circumstances. PDPL introduces the concept of adequacy, allowing personal data to be transferred to a country that can ensure appropriate protection of personal data and the rights of individuals. The law also recognises other grounds for transferring personal data outside the Kingdom, notably if the transfer is carried out in the performance of an obligation of the data subject.

The Saudi Data and Artificial Intelligence Authority (SDAIA) will be the primary authority that will oversee the implementation of PDPL for the first two years of its enforcement. The National Data Management Office (NDMO) will take over as the supervisory authority after this time period.

The SDAIA will oversee PDPL enforcement and is also expected to advise organisations regarding compliance with various provisions and consumer rights, among other responsibilities.

The Kingdom of Saudi Arabia (KSA) is not subject to the General Data Protection Regulation (GDPR) because GDPR protects data privacy rights of EU and EEA residents. However, suppose a business established in KSA collects the personal data of EU residents in exchange for goods and services or for monitoring their behaviour, in that case, GDPR will apply to those businesses.

Here are some links you can refer to for additional reading:

Fast-track your PDPL compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.

Become PDPL Compliant

14-day free trial Cancel anytime