KSA PDPL

Personal Data Protection Law (Royal Decree No. M/19 of 2021, amended by Royal Decree No. M/148 of 2023)

Key Facts

Effective Date
September 14, 2023
Enacted
September 16, 2021
Enforcing Authority
Saudi Data & Artificial Intelligence Authority (SDAIA)
Consent Model
Opt-in
Applies To
All organizations processing personal data within Saudi Arabia; extraterritorial application to foreign entities processing Saudi residents' data

Overview

The KSA PDPL is Saudi Arabia's first comprehensive data protection law, enacted in 2021 and amended in 2023. SDAIA has been remarkably active in enforcement, issuing 48 decisions in its first year alone. The law imposes the strictest cross-border data transfer restrictions in the Middle East, requiring National Register registration for public entities and sensitive data processors.

What This Means for Your Website

  • Consent is required before processing personal data of Saudi visitors
  • Cross-border data transfers face the strictest restrictions in the region
  • Penalties up to SAR 5,000,000 per violation are doubled for repeat offences
  • Criminal penalties including imprisonment apply for sensitive data misuse
  • 72-hour breach notification is required
  • SDAIA's active enforcement record makes compliance a high priority

Key Requirements

SDAIA enforces the law with penalties up to SAR 5,000,000 per violation, doubled for repeat offences. Criminal penalties include up to 2 years imprisonment and SAR 3,000,000 for sensitive data disclosure. Organizations processing sensitive data or transferring data cross-border must register in the National Register. The 72-hour breach notification window applies to all controllers.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for Saudi visitors, supporting compliance with the PDPL's strict consent requirements and helping navigate the region's most restrictive cross-border transfer rules.

Penalties

Warning or fine up to SAR 5,000,000 per violation (doubled for repeat offences). Up to 2 years imprisonment and/or SAR 3,000,000 for sensitive data disclosure.

Maximum Fine
SAR 10,000,000 per violation

Key Requirements

  • Consent required for personal data processing
  • National Register registration mandatory for public entities and sensitive data processors
  • Cross-border transfers subject to the strictest restrictions in the region
  • 72-hour breach notification required
  • DPO appointment required for certain processing activities
  • Data subjects have rights of access, correction, deletion, and portability

Notable Provisions

  • Very active enforcement: 48 decisions in first year
  • Strictest cross-border transfer restrictions in the Middle East
  • Criminal penalties including imprisonment for sensitive data misuse
  • Doubled fines for repeat offences

Other Middle East & North Africa Regulations

UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Israel PPL Amendment 13: State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls, or making website access conditional on cookie acceptance, are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.
Morocco Loi 09-08: Morocco
Among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP is an autonomous supervisory authority. All processing activities must be declared to the CNDP prior to implementation. The CNDP takes a graduated enforcement approach, issuing warnings before fines or criminal referrals.

Frequently Asked Questions

How active is enforcement of the KSA PDPL?

Very active. SDAIA issued 48 enforcement decisions in the first year alone, signaling that compliance is taken seriously.

What are the penalties under the KSA PDPL?

Up to SAR 5,000,000 per violation, doubled for repeat offences. Criminal penalties include up to 2 years imprisonment for sensitive data disclosure.

Does the KSA PDPL apply extraterritorially?

Yes. The law applies to foreign entities processing the personal data of Saudi residents.

Stay compliant with KSA PDPL

ConsentStack helps you implement opt-in consent for the Kingdom of Saudi Arabia automatically.