Data Privacy Rights (PDPL) in Saudi Arabia
Reviewed by the Commoner Law Editorial Team. Sourced from Saudi royal decrees, regulations, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
Saudi Arabia's Personal Data Protection Law (PDPL) has been fully enforceable since 14 September 2024 (after the one-year transition window closed). It is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA) — a regulator that uniquely combines data privacy with AI governance. The PDPL gives you control over your personal data:
- Consent: Organizations must get your explicit consent before collecting, processing, or sharing your personal data (with limited exceptions for public interest, healthcare emergencies, and legal compliance).
- Right to know: You can request information about what data is collected, why, and who it is shared with.
- Right to access: You can request a copy of your personal data held by any organization.
- Right to correction: You can demand that organizations correct inaccurate data about you.
- Right to deletion: You can request deletion when there is no legal basis for keeping it.
- Cross-border transfers: Personal data cannot be transferred outside Saudi Arabia unless the receiving country provides adequate protection or the transfer meets specific exemptions approved by SDAIA.
- Data breach notification: Organizations must notify SDAIA and affected individuals of data breaches posing serious risk.
Penalties reach SAR 5,000,000 for violations and imprisonment for intentional misuse of personal data.
When does it apply?
- A company is collecting your personal data — name, national ID, phone number, location, health records, or financial information.
- You want to access, correct, or delete your data held by a company.
- Your personal data was leaked, sold, or misused.
What to Do If a Company Has Misused or Leaked Your Personal Data in Saudi Arabia
- Read privacy notices before agreeing to data collection — understand what you are consenting to.
- Submit a data access request in writing to the organization's data protection officer.
- If the organization ignores your request, file a complaint with SDAIA through their official channels.
- Report data breaches or misuse to SDAIA through their portal.
What should you NOT do?
- Do not share your national ID or financial data with untrusted websites or apps — verify the entity's registration first.
- Do not ignore data breach notifications — change your passwords immediately and monitor your financial accounts.
- Do not assume consent is permanent — you can withdraw consent at any time for future processing.
Common Questions
When does it apply — Data Privacy Rights (PDPL)?
- A company is collecting your personal data — name, national ID, phone number, location, health records, or financial information.
- You want to access, correct, or delete your data held by a company.
- Your personal data was leaked, sold, or misused.
What should I do if a company in Saudi Arabia collected or shared my personal data without my consent?
- Read privacy notices before agreeing to data collection — understand what you are consenting to.
- Submit a data access request in writing to the organization's data protection officer.
- If the organization ignores your request, file a complaint with SDAIA through their official channels.
- Report data breaches or misuse to SDAIA through their portal.
What should you NOT do — Data Privacy Rights (PDPL)?
- Do not share your national ID or financial data with untrusted websites or apps — verify the entity's registration first.
- Do not ignore data breach notifications — change your passwords immediately and monitor your financial accounts.
- Do not assume consent is permanent — you can withdraw consent at any time for future processing.