
Data Protection | Kingdom of Saudi Arabia

Written by JP Legal Team
Published on June 18, 2024

The Kingdom of Saudi Arabia (KSA) has made great developments in protecting personal data and has been influenced by the EU General Data Protection Regulation (GDPR), reflecting many of its key concepts, including the seven principles governing the GDPR and the key rights that the GDPR gives to data subjects.[1]

The Personal Data Protection Act (PDPL), implemented by Royal Decree M/19 of 9/2/1443H[2], which came into force on March 23, 2022, was the first data protection legislation introduced in the Kingdom of Saudi Arabia that goes beyond the principles of personal privacy and data listed in Shariah Law.

The rights granted to data subjects under the PDPL are consistent with the rights granted to data subjects under the GDPR, such as the right to be informed, the right to data portability, the right to object, and the right not to be subject to automated decision making.

The Personal Data Protection Act applies to (i) the processing of personal data by businesses or public authorities within KSA, and (ii) the processing of personal data of Saudi residents by foreign companies.

Therefore, any KSA-based company that sells goods or services to customers may be subject to the PDPL, and this also applies to companies that are not located in KSA through a subsidiary or branch office if their goods or services target KSA-based clients.

Accordingly, the controllers (of the KSA entity) must comply with the PDPL within one year from the effective date.

Companies located outside KSA are required to comply with the PDPL and to assign a representative for them in KSA within five years from the effective date. Controllers are required to upload a record of processing activities to a new online portal that forms a KSA national record, indicating the purpose of processing, the entity with which the personal data is or will be shared, and whether personal data has been or will be transferred outside of KSA, including the expected retention period, in addition to the requirement of paying the annual registration fee.

The PDPL defines "personal data" as any form of information that can directly or indirectly identify an individual. This includes a person's name, identification number, address, contact number, photo, and video recordings.

Organizations need to consider that the PDPL is stricter when it comes to transferring personal data across national borders: controllers are not allowed to transfer personal data outside of KSA unless the transfer complies with an agreement involving KSA, serves the interests of the Kingdom of Saudi Arabia, or is for other purposes specified in the PDPL's regulations.

In addition, other requirements must be met, such as the data transfer or disclosure to parties outside the Kingdom not affecting national security or Saudi Arabia's interests, and obtaining approval from the "Saudi Arabia Data & Artificial Intelligence Authority" (SDAIA).

Penalties for non-compliance with any aspect of the PDPL regulations include imprisonment for up to 2 years and a fine of up to 3 million SAR (about $800,000). Repeated cases may result in higher fines, and the affected party can claim losses.

The PDPL is expected to evolve in the first five years from the effective date, with further details expected to be introduced regarding the processing of health and credit data.

In conclusion, GDPR principles have become the global standard for data protection and have inspired several countries to follow, including GCC countries. However, controllers operating in the GCC must consider the peculiarities of different jurisdictions, especially when stricter safeguards are needed. This is particularly true if local law prohibits the cross-border transfer of all or certain categories of data.

_________________________________________

For further information, please get in touch by sending your query to admin@j-plegal.com.

Disclaimer: This publication is for informational purposes only and does not provide any legal advice.

Authors:   Anas Jeser, Partner, J&P Legal   |   Layan Al Fatayri, Paralegal, J&P Legal

[1] "Data subject" means a natural person who holds personal data and can be directly or indirectly identified from that personal data by the data controller ("administrator").

[2] Implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021).
