Your Rights Under the Saudi Personal Data Protection Law (PDPL) — Saudi Arabia
Sourced from Saudi royal decrees, regulations, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
The Saudi Personal Data Protection Law (PDPL) — Royal Decree M/19 of 14 September 2021, amended by Royal Decree M/148 of 27 March 2023 — entered enforcement on 14 September 2023 with a 1-year grace period; full compliance has been required since 14 September 2024. The PDPL is the Kingdom's first comprehensive data-protection statute and applies to controllers and processors processing personal data inside KSA, plus controllers outside the Kingdom processing data of KSA residents (extraterritorial reach via the Implementing Regulations).
Key rights of data subjects: (1) right to be informed of the legal basis and purpose of processing; (2) right of access to data held about them; (3) right to request correction, completion, and update; (4) right to request deletion when the data is no longer necessary or the consent is withdrawn; (5) right to withdraw consent; (6) right to refuse use of personal data in direct marketing without consent.
Enforcement: SDAIA (Saudi Data and AI Authority) is the primary regulator, working with the NDMO (National Data Management Office). Administrative fines reach up to SAR 5,000,000 depending on violation severity. Certain serious offences (unauthorised disclosure of sensitive data, malicious use) carry criminal penalties up to 2 years' imprisonment. Cross-border transfer of personal data is governed by a separate Regulation on the Transfer of Personal Data Outside the Kingdom (re-issued 1 September 2024) which requires either an adequacy assessment, appropriate safeguards, or specific case-by-case derogations.
When does it apply?
- A company / platform in KSA or processing data of KSA residents holds your personal data and refuses to disclose what it holds, correct an error, or delete it.
- You withdraw consent for marketing / cookie / tracking but data continues to be processed.
- You are a victim of a data breach — the controller has not notified you or SDAIA within the required time.
- A bank, telecom, hospital, or government agency has disclosed your personal data to a third party without lawful basis.
- A previous employer, school, or business refuses to delete records you believe should be removed.
- You receive direct marketing without consent and want it stopped.
Using Your Rights Under the Saudi PDPL
- Start with a written request to the data controller. Many organisations operating in KSA now have a Data Protection Officer (DPO) or PDPL-compliance email. Cite the PDPL (Royal Decree M/19 of 2021) and the specific right you are exercising (access, correction, deletion, withdrawal of consent). Include identification (Iqama or National ID) and a reasonable response window.
- If the controller refuses or doesn't respond, escalate to SDAIA. SDAIA is the enforcement authority for PDPL violations. File via the SDAIA website's complaint channel or written correspondence.
- For banking data, file in parallel with the bank's complaint cell and SAMA Consumer Protection Department. SAMA's Banking Consumer Protection Principles apply to data-handling by licensed banks alongside the PDPL.
- For telecom data and SIM-related issues, file at CST (Communications, Space and Technology Commission). Telecom-sector privacy issues sit at the intersection of PDPL and the Telecommunications Law.
- For criminal-side disclosure offences, file the cybercrime complaint via Absher / Kolonna Amn under the Anti-Cyber Crime Law Article 6 (offences against privacy via electronic means).
- For damages, civil litigation goes through the Commercial Courts or General Court via Najiz. PDPL violations can support compensation claims; the operational maturity is still developing.
- Save all correspondence. The data controller's response (or non-response), screenshots, request copies all become evidence at SDAIA / civil court.
What should you NOT do?
- Don't assume PDPL compliance is uniform across all controllers. Adoption is still maturing across the KSA private sector. Written requests citing specific rights (access, correction, deletion) work better than generic data-removal requests.
- Don't skip the controller's internal channel. SDAIA expects the data subject to have first requested directly from the controller before escalation.
- Don't disclose more identification data than necessary. Identity verification is required; controllers are not entitled to demand more than is strictly necessary.
- Don't pay 'data removal services' demanding upfront fees. Statutory channels (controller → SDAIA → civil court) are the proper route.
- Don't transfer sensitive personal data outside KSA without checking the Transfer Regulation. The re-issued 1 Sept 2024 Regulation governs cross-border flow; some transfers need SDAIA approval.
Common Questions
Is the Saudi PDPL fully in force?
Yes. The PDPL (Royal Decree M/19 of 16 September 2021, amended by Royal Decree M/148 of 27 March 2023) entered enforcement on 14 September 2023 with a 1-year grace period. Full compliance has been required since 14 September 2024. The Implementing Regulations were issued 7 September 2023; the cross-border Transfer Regulation was re-issued 1 September 2024. SDAIA has been actively enforcing since the grace period ended.
What is the maximum fine?
Administrative fines reach up to SAR 5,000,000 (approximately USD 1.3 million) depending on the severity of the violation. For certain serious offences — including unauthorised disclosure of sensitive personal data — there are criminal penalties of up to 2 years' imprisonment. SDAIA can also order corrective measures, prohibit specific processing activities, and require notification of affected data subjects.
Does the PDPL apply to foreign companies?
Yes — the PDPL has extraterritorial reach via the Implementing Regulations. It applies to controllers and processors processing personal data of KSA residents, regardless of where the controller is established. Foreign companies processing KSA data are subject to SDAIA enforcement and the cross-border Transfer Regulation, including any requirement for SDAIA approval before transferring data outside the Kingdom.
Can I sue for damages under the PDPL?
Civil litigation in Saudi Arabia for PDPL violations goes through the Commercial Courts (under the Board of Grievances / Diwan al-Mazalim) or the General Court depending on the dispute. Filings happen via Najiz (Ministry of Justice). The operational maturity of civil PDPL claims is still developing — most data-subject remedies happen through SDAIA's administrative process first. For corporate-scale data breaches, SDAIA fines are the most visible enforcement outcome to date.