Data Protection & Privacy 2026 Comparisons

Last Updated March 10, 2026

Contributed By GLA & Company

Law and Practice


GLA & Company is the premier full-service regional law firm committed to delivering exceptional legal solutions across the Middle East and North Africa. With eight strategically located offices in seven key jurisdictions – UAE, KSA, Oman, Qatar, Kuwait, Bahrain and Egypt – the firm is positioned to serve its clients with unparalleled expertise and dedication. Founded by a team of experienced legal professionals, GLA & Co has grown to encompass over 18 partners and more than 170 lawyers across the MENA region. Its diverse team is united by a shared commitment to excellence and a deep understanding of the unique legal landscapes of the jurisdictions it operates in.

Data protection and privacy issues in the Kingdom of Saudi Arabia (KSA) are governed by a robust set of laws, regulations, policies, procedures, standards and guidelines.

The most notable of these laws is the Personal Data Protection Law of 16 September 2021, issued by Royal Decree M/19. The law, as amended, together with its Implementing Regulations (collectively, the PDPL), came into force on 14 September 2023.

Other significant laws and regulations relating to the protection and privacy of data in KSA include, among others:

  • Telecommunications and Information Technology Law no. M/160 of 2022 (the “TCIT Law”);
  • Electronic Transactions Law no. M/18 of 2007 (the “ET Law”);
  • Anti-Cyber Crime Law no. M/17 of 2007 (the “ACC Law”); and
  • Electronic Commerce Law no. M/126 of 2019 (the “EC Law”).

Also, in August and September 2024, the Saudi Data & AI Authority (SDAIA) issued several new regulations to enhance and streamline the data privacy framework in KSA. These regulations are:

  • regulation on personal data transfer outside KSA;
  • rules for appointing a personal data protection officer;
  • data sharing policy;
  • guideline on elaborating and developing a privacy policy;
  • minimum personal data determination guideline;
  • guidelines on binding common rules (BCR) for personal data transfer;
  • standard contractual clauses for personal data transfer;
  • personal data destruction, anonymisation and pseudonymisation guideline;
  • personal data disclosure cases guideline;
  • personal data processing activities records guideline; and
  • personal data breach incidents procedural guide.

The PDPL covers processing of personal data that (i) takes place in KSA or (ii) relates to individuals residing in KSA, by any means, by any party outside KSA. The TCIT Law covers communication services and protection of client and customer data and privacy. The ET Law covers electronic transactions, creating and keeping electronic records, electronic signatures and electronic authentication certificates. The ACC Law addresses cybersecurity crimes and their punishment. The EC Law covers the usage of customers’ data in electronic commerce transactions.

The policies, procedures, standards and guidelines are vast; however, those that are most relevant to data protection and privacy are:

  • general principles for protecting users’ personal data privacy;
  • procedures for launching services or products based on a customer’s personal data or regarding the sharing of personal data;
  • national data governance policies;
  • data management and personal data protection standards;
  • general standards for personal data transfer beyond the geographical limits of KSA;
  • children and incompetents’ privacy protection policy; and
  • guidelines and specifications on data management governance and personal data security.

In KSA, the PDPL provides the baseline legal regime for any processing of personal data, while the instruments of SDAIA’s National Data Management Office (NDMO) govern government and non-personal data (including classification, sharing and de-identification standards). Mixed datasets are therefore handled by applying the PDPL to the personal elements and NDMO governance to the rest, with the PDPL still attaching to data that has been de-identified if re-identification is reasonably possible.

The PDPL’s security, breach notification and processor oversight duties operate alongside prescriptive cybersecurity controls from the National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls and sectoral frameworks (eg, the Saudi Central Bank (SAMA) for finance and the Communications, Space and Technology Commission (CST) for telecom/cloud).

The Anti-Cyber Crime Law adds criminal penalties for unlawful access, interception or misuse, meaning a single incident can trigger PDPL compliance, sectoral supervisory action and criminal exposure.

For AI, SDAIA’s national AI strategy and ethics principles guide responsible development, but the PDPL governs whenever AI systems train, tune or infer on personal data (lawful basis, transparency, minimisation, data protection impact assessments (DPIAs) for high-risk uses, and heightened safeguards for sensitive data). Robust NDMO-aligned de-identification is required to move processing outside the PDPL, and the PDPL’s cross-border transfer conditions and any localisation mandates under NDMO, CST or SAMA rules must be respected for cloud and AI pipelines. In practice, organisations generally apply the strictest applicable rule across these overlapping frameworks.

Under the PDPL, personal data must be processed lawfully, fairly and transparently for specified purposes, limited to what is necessary, accurate, retained only as required, and protected by appropriate technical and organisational measures. Controllers are accountable through governance arrangements, records of processing, and oversight of processors.

Sensitive personal data is subject to heightened safeguards and, in some cases, additional conditions or approvals. Cross-border transfers are permitted only where PDPL requirements are met, with stricter rules for certain data types and government data.

Organisations must identify a lawful basis for processing, provide clear privacy notices, manage vendors through contracts, conduct DPIAs for high-risk processing, implement security and breach-response measures aligned with applicable cybersecurity and sectoral requirements, and comply with any applicable data localisation obligations.

Data subjects have rights to be informed, to access and correct their data, and to request erasure where legally permitted, subject to statutory exceptions. The PDPL sets conditions, timelines and exemptions for these rights, requires documented handling of requests, and provides avenues for complaints to the competent authority, with sector regulators offering parallel remedies where applicable.

As a general checklist, organisations should operationalise the PDPL by inventorying and classifying data, documenting lawful bases (using compliant consent where required), publishing privacy notices and maintaining records of processing. They should establish governance (policies, roles, training), implement processor contracts and third-party controls, and align security and breach response with the NCA, SAMA and CST requirements, meeting the shortest applicable notification timeline.

Under the PDPL, “sensitive personal data” (including categories designated by law and regulation such as health, genetic and biometric data) may be processed only where a valid lawful basis exists and with heightened safeguards proportionate to risk, including stricter access controls, purpose limitation, minimisation, secure storage and transmission (eg, encryption), documented risk assessments for high-risk uses, tighter breach notification triggers, and additional conditions for disclosure and cross-border transfers. Certain unlawful disclosures of sensitive data can attract criminal liability.

For example, data about minors requires age-appropriate transparency and a lawful basis that typically includes verifiable consent of a parent or legal guardian, with special care to avoid unfair profiling or marketing and to implement enhanced protection by design and default. In addition, processing data relating to criminal accusations or convictions is generally limited to situations expressly authorised by law and typically carried out by or under the control of competent authorities, consistent with the Law of Criminal Procedure’s constraints on the collection, access and disclosure of criminal case information and the Basic Law’s privacy guarantees.

Companies providing products or services used by healthcare providers may only anonymise patient data when acting on the provider’s documented instructions as the controller and on a valid lawful basis under the PDPL, with controller–processor roles, lawful bases and security/organisational measures set out in Article 1 (definitions), Articles 5–8 (lawful bases and consent) and Articles 10–12 (controller/processor obligations).

Once data is anonymised to a standard where an individual is not identifiable (and re-identification is not reasonably likely), it falls outside the PDPL’s scope, but organisations must apply recognised de-identification methods and safeguards to prevent re-identification, as reflected in Article 1 of the PDPL (definition of personal data) read with its implementing regulations on anonymisation standards, and the NDMO Government Data Classification Policy and Anonymisation/De-identification guidance.

Secondary use for product development or scientific research must either be within the original purpose/notice and lawful basis or meet sectoral research/secondary-use conditions (including approvals under health research ethics rules), and processors may not repurpose data without explicit controller authorisation, consistent with Articles 5–8 (purpose/lawful basis/consent) and Articles 10–12 (processor limits) of the PDPL, and KSA health sector privacy and research governance instruments (eg, Saudi Health Council/National Health Information Center policies; Law of Ethics of Research on Living Creatures Articles 11–18 on IRB approval and consent/waivers). If data remains personal, full PDPL obligations continue to apply.

For EU-sourced datasets, KSA life sciences firms must comply with the European Health Data Space (EHDS) rules in addition to the European General Data Protection Regulation (GDPR), including data permits from Health Data Access Bodies, use of secure processing environments, purpose limitations and prohibited uses including re-identification bans, and output-only access, materially raising governance and security expectations for research and discovery pipelines that access EU electronic health data.

Although there is no horizontal AI statute, SDAIA published the AI Adoption Framework, which offers a guiding framework that provides a comprehensive roadmap for the adoption of AI in all sectors. Its goal is to provide necessary guidance and instructions, outline critical steps and procedures, and align with best practices to ensure optimal and responsible AI adoption, thus achieving successful milestones in the transformation towards AI within the ecosystem.

In September 2023, SDAIA published the first version of its AI Ethics Principles. These principles were issued and published with the aim of:

  • supporting KSA’s efforts towards achieving its vision and national strategies related to adopting AI technology, encouraging research and innovation, and driving economic growth for prosperity and development;
  • developing and establishing AI ethics policies, guidelines, regulations and frameworks;
  • governing data and AI models to limit the negative implications of AI systems and potential threats;
  • helping entities adopt standards and ethics when building and developing AI-based solutions to ensure responsible use thereof; and
  • protecting the privacy of data subjects and their rights with respect to the collection and processing of their data.

The AI Ethics Framework applies to all AI stakeholders designing, developing, deploying, implementing, using or being affected by AI systems within KSA, including, without limitation, public entities, private entities, non-profit entities, researchers, public services, institutions, civil society organisations, individuals, workers and consumers.

Seven principles are addressed in the framework:

  • fairness;
  • privacy and security;
  • humanity;
  • social and environment benefits;
  • reliability and safety;
  • transparency and explainability; and
  • accountability and responsibility.

In addition, in November 2023, the government announced the establishment of the International Center for Artificial Intelligence Research and Ethics, which aims to advance competencies and legislative frameworks in the field of AI and other advanced technologies.

Under SDAIA’s Personal Data Breach Incidents Procedural Guide, certain requirements must be adhered to in the event of a personal data breach, namely:

  • Stage one: Notify SDAIA within 72 hours. Controllers must notify SDAIA via the Personal Data Breach Notification service on the National Data Governance Platform within no more than 72 hours of becoming aware of the breach, if the incident is expected to harm personal data or data subjects or conflict with their rights or interests, without prejudice to other NCA or sectoral reporting rules. The notification must include a description of the personal data breach (including timing, cause and discovery), the affected data subjects and data types, associated risks and mitigation measures taken and planned, whether data subjects have been or will be notified, and the relevant controller or data protection officer contact details.
  • Stage two: Breach incident containment. Controllers must implement response and containment procedures for personal data breaches in line with international best practices and applicable regulations, including identifying the type and volume of affected data, determining and changing compromised data where possible, identifying affected individuals, and notifying data subjects without undue delay where their rights or interests may be harmed. Notifications must be made through appropriate communication channels, including direct and, where nationally widespread, public means, and must clearly explain the breach, associated risks, mitigation measures, controller and data protection officer contact details, and provide guidance to help affected data subjects mitigate potential harm such as fraud or identity theft.
  • Stage three: Documentation. The controller must retain records of all personal data breach incidents, including documents submitted to SDAIA, corrective actions taken and related records, and must implement necessary corrective measures to contain breaches based on lessons learned.

KSA’s data protection and cybersecurity oversight is shared across several authorities with distinct mandates. SDAIA is the primary regulator for the PDPL, while the NDMO sets national data governance policies. NCA issues cybersecurity baselines and controls, and sectoral regulators including SAMA, CST and the Capital Market Authority (CMA) impose parallel requirements within their domains. The framework relies on co-ordinated supervision, complaint-driven and risk-based enforcement, and the alignment of data, cybersecurity and sectoral standards.

Domestically, complaints are handled among the authorities in co-ordination with one another. Sector regulators impose domain-specific rules that intersect with data protection and cybersecurity. SAMA’s core competence includes prudential and conduct supervision of financial institutions, with enforceable frameworks on cybersecurity, outsourcing and third-party risk that capture data handling and protection. CST supervises telecommunications, digital and cloud markets, including data localisation or transfer conditions embedded in licensing and cloud regulatory frameworks. CMA oversees capital markets participants, including data and cybersecurity requirements tailored to market integrity and investor protection.

SDAIA conducts and co-ordinates cross-border matters using a combination of PDPL powers over KSA-established controllers/processors, co-operation instruments with foreign authorities, and government-to-government channels where compulsion abroad is required. Typical triggers include referrals from foreign regulators, breaches involving offshore vendors or group entities, suspected unlawful international transfers, and data subjects’ complaints with foreign elements.

In practice, significant privacy or security events often trigger multi-agency co-ordination. A personal data breach at a financial institution, for example, will require PDPL breach assessment and notifications under SDAIA’s remit, cyber-incident reporting and remediation under NCA controls, and sectoral reporting and corrective action under SAMA’s frameworks.

While the PDPL itself does not spell out detailed procedural steps for enforcement notices (such as how and when SDAIA must notify an organisation that it is under investigation), regulatory practice in KSA generally involves written notices or requests from the competent authority requiring production of documents or explanations.

How Cases Are Initiated

  • Matters are commonly triggered by data subjects’ complaints, breach/incident notifications and regulator-initiated supervision. SDAIA has been actively requiring prompt controller responses to complaints.

Notice and Response

  • Authorities issue information requests and decisions, and may require corrective actions (eg, to cease or adjust processing, implement controls or register). Controllers must respond to requests from the competent authority and expect the authority’s notice to set the deadline to respond. Failure to meet that deadline can trigger enforcement risk.
  • Where a notification is required to SDAIA, the data controller must notify it within 72 hours of becoming aware of the breach. Where a notification is required to impacted data subjects, this must be made without undue delay.

Administrative Sanctions

  • Warnings, corrective orders (including suspension/restriction of processing) and administrative fines up to SAR 5 million, which may be doubled for repeat violations, may be issued. Decisions can include publication of a summary at the violator’s expense.
  • Administrative sanctions are appealable.

In addition, enforcement is administered through specialised committees established to review PDPL violations and impose the legally prescribed sanctions.

The PDPL moved into active enforcement on 14 September 2024, under SDAIA, shifting the market from rulemaking to supervision and extending to non-KSA processors handling KSA residents’ data. Recent trends under this Law highlight an increased focus on privacy protection in the digital space. This includes increased enforcement and regulatory scrutiny for privacy violations, and the law continues to evolve in line with technological advancements. In 2024, the government enhanced its monitoring of online platforms, and enforcement activity has increasingly intersected with cybersecurity incidents, such as hacking, illegal data interception and online harassment. Expect scrutiny of transfers, disciplined 72-hour breach reporting to SDAIA and timely data-subject notices, and supervisory use of the National Register and data privacy officer responsiveness as audit touchpoints.

Recent enforcement activity has also been reflected in committee decisions issued under the PDPL framework. During the past year, the committees issued 48 decisions confirming violations and imposing the legally prescribed penalties on regulated entities subject to the application of the PDPL. The violations reviewed by the committees included a number of practices related to the collection and processing of personal data, the disclosure of personal data without a legal basis, and failure by controllers to adopt appropriate organisational, administrative and technical measures to protect personal data, as well as violations relating to sending advertising and marketing messages to personal data subjects without obtaining their consent in accordance with the provisions of the Law.

As of the time of writing, privacy-related litigation in KSA is still in its infancy. There have not been notable lawsuits related to the PDPL. However, complaints and regulatory actions relating to data breaches or violations of consent are starting to emerge, as highlighted in 1.9 Enforcement Trends. Claimants are primarily individuals (data subjects/consumers, employees) alleging unlawful collection/use or disclosure.

Where disputes reach the courts, they typically arise in the context of unlawful access or disclosure of personal content, reputational harm, employment monitoring disputes, or broader civil liability claims relating to misuse of personal data, alongside criminal exposure under the Anti-Cyber Crime Law.

Currently, most actions relating to privacy protection are managed by SDAIA and the NDMO, which investigate complaints and enforce compliance with the PDPL. Instead of litigation, regulatory fines and investigations have been the primary mechanisms used to address violations.

As data protection awareness continues to rise and the enforcement of the PDPL strengthens, it is likely that litigation will increase. Businesses are expected to face greater scrutiny regarding data breaches and violations of data subjects’ rights, which may lead to more litigation relating to compensation or damage claims in the future.

SDAIA is the primary authority for PDPL-related complaints, and its role will be critical in shaping the future of privacy-related litigation in KSA.

In addition, the Anti-Cyber Crime Law plays a significant role in privacy protection. Recent trends under this Law highlight an increased focus on privacy protection in the digital space. This includes heightened penalties for privacy violations, and the law continues to evolve in line with technological advancements. In 2024, the government enhanced its monitoring of online platforms, with an increasing number of cases involving cybercrime, such as hacking, illegal data interception and online harassment.

KSA courts may award compensation for material and non-material (moral) harm under general civil liability principles, assessed on a case-by-case basis. Relevant factors may include the nature and sensitivity of the data, the seriousness and duration of the violation, the extent of disclosure, the concrete impact on the individual (eg, distress or reputational injury), and the controller’s fault and remediation.

In cross-border transfer arrangements, contractual safeguards (including standard contractual clauses (SCCs)) may also allocate liability and compensation obligations between the contracting parties.

KSA courts publish selectively, and PDPL-specific private litigation is still nascent. As a result, the most influential privacy-related rules have emerged from: (i) criminal and quasi-criminal cases involving unauthorised access, disclosure or publication of personal content; (ii) defamation and reputational privacy decisions addressing online speech; (iii) labour and employment cases dealing with monitoring and employee data; and (iv) administrative/appeal rulings that review regulator measures on marketing, spam and data handling.

Given the limited publication of KSA judgments and the early stage of PDPL-specific private litigation, enforcement in practice has primarily been regulatory, through SDAIA and the committees reviewing violations under the PDPL framework.

Where claims are brought before courts, the PDPL recognises a right to seek proportionate compensation for material and moral damage before the competent court.

In addition, privacy-related disputes in the digital context may also involve criminal exposure under KSA’s anti-cybercrime framework, particularly in incidents involving unauthorised access to, interception of or unlawful disclosure of private data.

As of the time of writing, KSA does not have formal collective redress mechanisms for privacy-related violations, such as the class action system seen in some EU jurisdictions. The PDPL provides a robust framework for individual data protection, but it does not currently include provisions for collective actions or class actions for data privacy violations. Therefore, in privacy and data protection matters, collective redress is primarily sought through regulatory and administrative means rather than private, court-led class litigation.

Publicly available KSA case law specifically addressing “non-personal data” as a distinct category remains limited. Published jurisprudence generally addresses privacy or cybersecurity violations without parsing non-personal data as a separate doctrinal domain; disputes involving government open data, cloud data residency for non-personal content, or statistical disclosure control have not produced widely accessible precedent as of the time of writing. In practice, compliance assessments and dispute outcomes are guided by regulator-issued frameworks (SDAIA/NDMO, NCA, CST) and sectoral decisions rather than reported court opinions.

KSA does not maintain a single, comprehensive statute governing “non-personal data” as a distinct legal category. Instead, the treatment of non-personal data is shaped by a patchwork of sectoral and cross-cutting frameworks that regulate government and commercial data assets, cybersecurity and localisation, open data, data sharing and statistical data. While the PDPL governs personal data, non-personal data is principally governed through national data governance policies (issued by SDAIA/NDMO), open data and data sharing frameworks for public-sector information, cybersecurity baselines and cloud rules (NCA and CST), sector rules (notably statistics and some regulated industries), and general laws governing access to and protection of state or confidential information.

The PDPL seeks to regulate the collection, processing and storage of personal data in KSA, ensuring data privacy and security. This applies to all personal data, including data generated by Internet of Things (IoT) services, where the IoT is defined as sensors and devices (things) that are connected to the internet and/or other networks and help to create value based on exchanged data, such as easing job functions, as per the NCA’s Cybersecurity Guidelines for Internet of Things (“IoT Guidelines”). The IoT Guidelines aim to provide a comprehensive framework for organisations utilising IoT technologies to mitigate cybersecurity risks. The primary objective is to ensure that IoT systems are secure, resilient and compliant with the relevant laws and regulations.

The scope of the IoT Guidelines applies to all organisations in KSA that use IoT technologies, as well as IoT manufacturers developing products and services. The guidelines are non-mandatory but strongly recommended to minimise cybersecurity risks. They emphasise the importance of embedding cybersecurity into the governance, development, maintenance and management of IoT systems. The IoT Guidelines also encourage IoT manufacturers to adopt secure-by-design principles and provide consumers with transparent information about the cybersecurity features of their products. This dual focus on both users and manufacturers ensures a holistic approach to IoT cybersecurity.

From an international perspective, KSA has not enacted legislation comparable to the EU Data Act, nor has it announced plans to adopt a framework of similar scope.

Non-personal data is not subject to the PDPL’s lawful-basis regime. Its processing is governed by the NDMO’s National Data Governance Framework and standards, contractual obligations, sectoral rules and general KSA law. Entities must classify data, apply appropriate access controls and security measures, manage retention and disposal, and ensure data quality and integrity. To the extent that non-personal datasets derive from previously personal data, entities must document the anonymisation or aggregation process and maintain controls to prevent re-identification. Where non-personal data includes confidential business information or trade secrets, processing must comply with trade secret law and contractual confidentiality obligations. Cloud processing of non-personal data remains subject to the CST framework’s confidentiality, security and incident response requirements.

IoT service providers must ensure that users are informed and give explicit consent before their personal data is collected through IoT devices. The PDPL requires that individuals have the right to access their data and request corrections.

Both IoT providers and data processors must implement robust security measures to protect data against breaches and unauthorised access, as stipulated in the NCA’s guidelines. These obligations align with the PDPL’s security provisions to prevent data breaches.

The PDPL mandates that personal data be destroyed when it is no longer necessary, which interacts with IoT providers’ obligations to ensure that devices or systems do not retain unnecessary data. The interaction ensures that data protection is not overlooked as IoT technologies expand, balancing innovation with the protection of individuals’ rights to privacy and security.

Under the PDPL, processing may rely on several bases, including consent, contractual or legal necessity, legitimate interests subject to a balancing test, vital and public interests, and research/statistics with appropriate safeguards. For each processing purpose, identify the primary legal basis, document the justification, apply purpose limitation and data minimisation, and maintain records of processing. Where relying on legitimate interests, complete and retain a written assessment demonstrating that the controller’s interests are not overridden by the data subjects’ rights and expectations and implement proportionate safeguards. For children’s data and sensitive personal data, apply heightened controls, document the necessity and ensure enhanced security. Cross-border transfers require adequacy or appropriate safeguards and a transfer assessment on file, with derogations used only where strictly necessary.

Non-Personal Data

With respect to non-personal data, organisations should align with the NDMO’s data governance instruments (including the National Data Governance Interim Regulations, the Data Classification Policy, the Data Sharing Policy, the Open Data Policy and the KSA Open Data Licence), which require data to be classified and managed according to sensitivity and business/mission impact, and shared only on a purpose‑limited, proportionate and secure basis. Access and reuse are governed by the applicable data classification and any sharing agreement or open data licence, with “open” datasets generally made available under standardised terms that require attribution, prohibit misrepresentation and preserve data integrity. Fairness, transparency and non‑discrimination principles apply to decisions on granting access, setting conditions or fees, and prioritising users, and charges (if permitted) should be objective and cost‑reflective.

Requirements for the Collection, Processing and Use of Personal Data

Article 10 of the PDPL stipulates that the controller may collect personal data only from the personal data subject. Such personal data may only be processed for the purpose for which the personal data is collected. However, the controller, on an exceptional basis, may collect personal data from a person other than the personal data subject or process personal data for a purpose other than that for which the personal data is collected, namely when:

  • the personal data subject consents in accordance with the provisions of the PDPL;
  • the personal data is publicly available or collected from a publicly available source;
  • the controller is a public entity, and the personal data was not collected, or processed, as required either for security purposes or in order to implement another law or fulfil judicial requirements in accordance with the provisions set out in the regulations;
  • compliance with this restriction may cause harm to the personal data subject or affect the vital interests of the personal data subject (as set out in the regulations);
  • collection or processing of personal data is necessary to protect public health or safety or to protect the life or health of a specific individual (the regulations shall set out the rules and procedures applicable in this respect); and
  • the personal data will not be recorded or stored in a form that makes it possible to identify the personal data subject directly or indirectly (the regulations set out the rules and procedures applicable in this respect).

Article 11 of the PDPL stipulates the following in relation to privacy, fairness and legitimate interest:

  • The purpose for which personal data is collected must directly relate to the controller’s purposes and must not contravene any applicable legal provisions.
  • The methods and means of collecting personal data must:
    1. not conflict with any legal provisions;
    2. be suited to the circumstances of the personal data subject;
    3. be direct, clear and secure; and
    4. not involve any deception, misleading or extortion.
  • The content of the personal data must be appropriate and limited to the minimum amount necessary to achieve the purpose of the collection. The regulations shall set out the rules applicable in this regard.
  • If the personal data collected is no longer necessary for the purpose for which it has been collected, the controller must cease the collection and destroy the previously collected personal data.

Article 15 of the PDPL’s implementing regulations also provides specifications relating to the collection of data from third parties, while Article 16 of the PDPL’s implementing regulations addresses the processing of data, other than sensitive personal data, for legitimate interests by private entities. A legitimate interest is defined as any necessary interest of the controller that requires the processing of personal data for a specific purpose, provided that it does not adversely affect the rights and interests of the data subject.

Legitimate interests include, among others, the detection of fraud and the protection of network and information security. The controller may process personal data to achieve a legitimate interest provided that the processing purpose is lawful, that the controller has balanced the rights and interests of the data subject against its own legitimate interests, and that the processing does not adversely affect the rights and interests of the data subject. Processing shall also be within the reasonable expectations of the data subject.

Internal or External Privacy Policies

Article 12 of the PDPL stipulates that the controller shall adopt a personal data privacy policy and make it available to personal data subjects for review prior to collecting personal data. The policy shall specify the purpose of collection, the personal data to be collected, the method of collection, the means of storage and processing, the manner in which the personal data shall be destroyed, and the rights of the personal data subject in relation to the personal data and how such rights shall be exercised.

Data Subjects’ Access Rights

Article 5 of the PDPL states that a data subject has the right to access their personal data available with the controller provided that such access does not negatively impact the rights of others, such as intellectual property rights or trade secrets. Article 6 also makes it clear that, subject to certain parameters, data subjects have the right to request a copy of their personal data in a readable and clear format from the controller.

Article 13 of the PDPL stipulates that when collecting personal data directly from the personal data subject, the controller shall take appropriate measures to inform the personal data subject of the following prior to collection:

  • the legal basis and valid practical reasons for collecting their personal data;
  • the purpose of the collection, whether collecting some or all of the personal data is mandatory or optional, and that the personal data collected will not be subsequently processed in a manner inconsistent with the collection purpose or in circumstances other than those stated in Article 10 of the PDPL;
  • the identity of the person collecting the personal data and the address of such person’s representative, if necessary (unless the collection is for security purposes);
  • the entities to which the personal data will be disclosed, the capacity of such entities, and whether the personal data will be transferred, disclosed or processed outside KSA;
  • the potential consequences and risks that may result from not collecting the personal data;
  • the rights of the personal data subject pursuant to Article 4 of the PDPL; and
  • such other elements as set out in the regulations based on the nature of the activity performed by the controller.

For non-personal data, the NDMO leads data governance and classification (particularly for government datasets), alongside the Digital Government Authority (DGA) on public-sector data and open data. The CST’s cloud and data localisation frameworks and the NCA’s baseline controls shape non-personal data handling across sectors, with sector regulators (SAMA, CMA, health regulators) embedding these standards in outsourcing, resilience and information-management rulebooks. Co-ordination relies on inter-agency standards alignment and cross-referrals where cloud, telecom and sector supervision overlap, and the General Authority for Competition (GAC) may engage where control of large non-personal datasets or infrastructure access raises competition concerns. Recent trends include heightened scrutiny of cloud and data localisation, deeper embedding of NCA controls in sectoral rulebooks, and continued standardisation of government data governance and open data practices through SDAIA/NDMO and DGA.

For personal data, SDAIA and its Personal Data Protection Authority (PDPA) are the primary regulators of the PDPL, with the CST supervising telecom, digital and cloud frameworks (including data residency and anti-spam) and the NCA overseeing cross-sector cybersecurity controls. Sector regulators – most notably SAMA and CMA – set complementary requirements on data security, outsourcing/cloud, operational resilience and third-party risk. In health, the Ministry of Health and national health information bodies govern health data handling and exchange. Public prosecution addresses criminal aspects of data offences. Co-ordination occurs via referrals, co-operation agreements, concurrent investigations and aligned guidance – for example, SDAIA/PDPA handling privacy compliance, NCA overseeing security baselines, CST supervising cloud/telecom obligations and sector regulators applying domain-specific controls – with GAC interfacing on digital-market issues and co-ordinating to ensure remedies respect privacy and sectoral rules. Recent trends include maturation of PDPL guidance and stepped-up supervisory engagement by SDAIA/PDPA, convergence of incident reporting expectations, and a growing GAC focus on data-driven theories of harm in digital and fintech markets.

Sector authorities (CST, SAMA, health regulators, others) typically cross-reference NDMO data governance standards for classification, sharing and life-cycle management and align security expectations with NCA controls. This creates a layered regime where sectoral enforcement incorporates national data governance baselines.

DGA government/open-data mandates align with NDMO standards for classification, metadata and sharing; where publication risks re-identification, DGA processes incorporate de-identification and licensing controls consistent with national guidance.

NCA co-ordinates cybersecurity oversight with sector regulators (harmonised audits and incident reporting) and aligns protection levels with national classification schemes.

CST co-ordinates with SDAIA on data residency, access by public authorities, and security obligations that apply across data types. CST also interfaces with GAC when telecom/information/communications/technology and cloud matters raise data-related competition issues.

GAC consults SDAIA and sector regulators on technical feasibility of data access, segregation, interoperability or de-identification in conduct cases and merger remedies involving datasets.

As of the time of writing, there are no specific requirements imposed in KSA for the use of cookies. For the general rules in relation to gaining consent in relation to cookies and SDKs, please see 3.3 Rights and Obligations Under Applicable Data Regulation under ‘Requirements for the Collection, Processing and Use of Personal Data’.

In KSA, personalised/targeted advertising is principally governed by the PDPL, together with CST rules on electronic marketing and anti‑spam, and the E‑Commerce Law and its Implementing Regulations. The PDPL generally requires explicit consent before personal data may be used for direct or targeted marketing, particularly where there is no prior interaction with the individual or where advertising is delivered through personal communication channels such as email or SMS, and individuals must be given a clear and easy way to withdraw consent at any time.

CST’s commercial communications and anti-spam framework requires prior opt-in for promotional SMS, calls and electronic messages, sender identification, and a free, effective opt-out that is promptly honoured, alongside suppression-list management. For online tracking, consent is expected for advertising cookies/SDKs and cross-site identifiers, delivered through a compliant consent interface that is granular, informed and reversible. Cross-border transfers must meet PDPL transfer conditions and be governed by appropriate contractual safeguards.

While the law does not expressly regulate “profiling” in the same way as the EU GDPR, any profiling or targeting that involves personal data must comply with the PDPL’s general principles of lawful processing, transparency and consent. The use of sensitive personal data (such as health, biometric, genetic or religious data) for marketing purposes is prohibited. Children’s personal data is protected under the general PDPL regime, and marketing involving minors requires valid consent, typically from a parent or legal guardian.

Under the PDPL, employers are considered controllers, and therefore employee and applicant data must be processed lawfully, fairly and transparently, and only for specific and legitimate purposes in accordance with the PDPL. Monitoring, time tracking or productivity tracking must be necessary and proportionate, explained in clear notices and grounded on a suitable lawful basis. High‑risk monitoring should be supported by documented risk assessments, and biometric time clocks involving sensitive data require enhanced safeguards.

In remote-work settings, employers commonly apply technical and organisational safeguards, including access controls, encryption, secure connectivity and logging in line with NCA expectations, while taking care to limit location or activity tracking to what is reasonably required for defined purposes. Organisations should also ensure that any processing or storage outside KSA complies with PDPL cross-border transfer conditions (including where employee data is accessed remotely from abroad, which may constitute a cross-border transfer) and associated regulatory safeguards.

Bring Your Own Device (BYOD) programs warrant particular care: mobile device management or secure containers should segregate corporate from personal data; access to personal content should be tightly limited; and any device-level monitoring or telemetry must be clearly disclosed and confined to security-necessary data, reflecting the PDPL’s data-minimisation and purpose-limitation principles.

In addition to PDPL compliance, many KSA organisations are already aligning BYOD security controls with NCA standards, because insecure personal devices can expose personal data to breaches and lead to PDPL compliance violations. The use of corporate IT systems is best governed through cogent, well-publicised acceptable-use and monitoring policies that set expectations for permissible activities, monitoring scope and retention.

Regarding applications, employers may verify candidates’ education, employment history or other relevant records, but such processing must be lawful, transparent and limited to legitimate purposes. Sensitive data, such as criminal records or health information, generally requires explicit consent, and any third-party verification providers or processors must comply with PDPL standards.

SDAIA, the PDPL and the national cybersecurity baselines govern personal data handling across M&A from diligence through integration. Controllers must rely on a valid lawful basis, respect purpose limitation and minimisation, and implement safeguards (access controls, encryption, logging).

During diligence, entities should stage and minimise disclosures and use redaction, aggregation or anonymisation, apply heightened controls for sensitive data, and consider a DPIA where risks are high. Cross-border disclosures must satisfy PDPL transfer conditions with contractual safeguards, and parties should clearly allocate roles including processors of such data.

At change of control, the buyer should confirm that personal data will continue to be processed for compatible purposes on a valid legal basis (eg, legitimate interests where applicable) and assess whether refreshed consents are needed if purposes or disclosures materially change. Controllers must ensure transparency by updating privacy notices and, where required, informing data subjects of any change to the data controller, processing purposes or material recipients.

Post-closing integration should be preceded by a DPIA for new or high-risk uses, alignment of retention schedules, migration and segregation controls, and the execution or novation of compliant data processing agreements with vendors. Buyers should also update records of processing activities, appoint or confirm a data protection officer if required, implement mechanisms to honour data subjects’ rights, and ensure that any ongoing cross-border transfers after integration meet PDPL transfer conditions.

KSA regulates cross-border transfers through the PDPL for personal data, complemented by sectoral and horizontal frameworks that affect non-personal data, including rules issued by SAMA for financial services, CST regulations regarding cloud computing services for telecom and cloud, health sector regulations, NDMO frameworks for government and “official” data, and NCA controls. Together, these instruments function as approval, assurance or localisation frameworks depending on the data and the regulated entity.

For both personal and non-personal data, a “transfer” is understood broadly. It generally includes hosting or storing data outside KSA, enabling remote access to KSA-hosted data by personnel located abroad (for example, for support or shared services), making data available to or sharing it with foreign controllers, processors or sub-processors (including group affiliates), and any onward disclosure by a foreign recipient to another foreign party. Sectoral guidance, particularly for cloud and outsourcing, treats remote administration and sub-processing outside KSA as cross-border activity and therefore subject to transfer controls.

Transferring personal data outside KSA involves moving individuals’ personal data from KSA to another country or jurisdiction. This process is often necessary for global business operations, partnerships or service delivery (eg, while using cloud storage solutions). Such arrangements are subject to specified requirements of the PDPL.

The NDMO sets out general standards for personal data transfer beyond the geographical limits of KSA in order to specify the terms and conditions for cross-border transfer and storage of personal data for both public and private entities while pointing out the sovereignty of personal data. The standards also stipulate the rights of personal data owners, along with general guidelines and exceptions for personal data transfer beyond KSA’s borders – thereby creating secure processing for personal data.

The Regulation on Personal Data Transfer Outside the Kingdom (“Transfers Regulation”) imposes several restrictions on the international transfer of personal information to ensure that such transfers comply with KSA’s data protection standards. According to Article 29 of the PDPL, personal data may only be transferred outside KSA if the receiving country or entity provides an appropriate level of protection that meets or exceeds the standards set by KSA law. This requirement is further detailed in Article 3 of the Transfers Regulation, which mandates that the competent authority publish and maintain a list of countries or international organisations that meet these protection standards. If the receiving country is not on this list, the transfer is generally prohibited unless specific appropriate safeguards are implemented, such as SCCs, BCR, or approval certificates from a licensed body as outlined in Article 4. These safeguards ensure that the data is protected to a level consistent with KSA regulations, even when transferred internationally.

Before transferring personal data outside KSA, controllers are required to conduct a risk assessment under Article 7 of the Transfers Regulation. This assessment is mandatory for transfers involving sensitive data or when the transfer is made under the exemptions specified in Article 4 of the Transfers Regulation. The risk assessment must evaluate several factors, including the purpose and legal basis for the transfer, the nature of the data, and the appropriate safeguards in place to protect the data. Additionally, the assessment must consider the potential material or moral effects of the transfer and the likelihood of risks to data subjects. This ensures that controllers carefully weigh the necessity of the transfer against the potential risks to individuals’ privacy and data security. The risk assessment requirement underscores the importance of ensuring that international transfers are conducted responsibly and in compliance with the Transfers Regulation.

Furthermore, the Transfers Regulation allows for exemptions from the general restrictions on international data transfers in specific cases, as outlined in Article 4(2). For example, transfers are permitted for central operations within multinational entities, for scientific research, or to provide services to data subjects, provided that the appropriate safeguards are in place. However, even in these cases, the data must be limited to the minimum amount necessary to achieve the intended purpose, and the receiving entity must ensure compliance with KSA data protection standards. If the competent authority determines that the safeguards are inadequate, the transfer may be halted, and the controller must notify the relevant entities under Article 6 of the Transfers Regulation. These restrictions and requirements ensure that international data transfers are conducted in a manner that prioritises the protection of personal data and aligns with KSA’s legal and regulatory framework.

Government approval for certain international data transfers is required under the Transfers Regulation. Transfers to countries or organisations on the competent authority’s approved list under Article 3(1) do not need additional approval, but transfers to non-listed countries require appropriate safeguards, such as SCCs or BCR, which may need to be reviewed or approved. As of the time of writing, such a list of countries is yet to be published.

For specific cases such as scientific research or providing services to data subjects, the receiving entity must hold an approval certificate from a licensed body under Article 4(2)(E), provided that the transferred data is not sensitive data. Additionally, controllers must conduct a risk assessment for sensitive data transfers per Article 7.

While not all transfers require explicit approval, the Transfers Regulation ensures oversight through conditions such as exemptions from such approvals and the potential revocation of such exemptions if the instated safeguards are inadequate. Controllers must ensure compliance with the Transfers Regulation, which may involve notifying or seeking approval from the competent authority, particularly for sensitive data or transfers to non-approved jurisdictions. This framework prioritises data protection while allowing international transfers under strict safeguards.

The PDPL does not stipulate that data must be localised provided that the transfer and processing of personal data outside KSA is performed in accordance with the PDPL and any other applicable law or regulation applicable to such personal data in KSA. In addition, accessing data remotely would still constitute a transfer under the Standard Contractual Clauses For Personal Data Transfer.

When transferring personal data outside KSA, special rules and regulations may apply in addition to, and independently of, the PDPL, depending on the type of data (eg, health data) or sector (eg, financial), or where the localisation of data is in the national security or public interest of KSA. Under such circumstances, the transfer and/or processing of personal data may be restricted or prohibited altogether.

From a PDPL perspective, per the Transfers Regulation, there are no distinct rules for transferring data relating to particular sectors; instead, the Transfers Regulation categorises certain types of data as sensitive, which are subject to stricter transfer requirements. Otherwise, data transfers outside KSA may be permitted subject to certain circumstances. For example, Article 4(2)(C) allows the transfer of sensitive data for central operations within multinational entities, provided that the controller adheres to BCR or SCCs to ensure data protection. Similarly, Article 4(2)(E) permits the transfer of sensitive data for scientific research and studies, but only if the data is limited to the minimum amount required and the receiving entity has an approval certificate from a body licensed by the competent authority.

Additionally, Article 7 addresses the transfer of sensitive data on a continuous or widespread basis, requiring controllers to conduct a risk assessment before such transfers. This risk assessment must evaluate the purpose and legal basis of the transfer, the nature of the data, and the appropriate safeguards in place to ensure compliance with the Transfers Regulation. While the Transfers Regulation does not explicitly differentiate between sectors, it imposes stricter requirements for sensitive data, which often includes sector-specific information such as health records or financial data. By requiring SCCs, BCR or approval certificates, the Transfers Regulation ensures that all sensitive data, regardless of its sector, is transferred outside KSA only under conditions that guarantee an appropriate level of protection.

The Transfers Regulation sets out the provisions in cases where controllers are exempted from the requirements to comply with the level of protection and the minimum level of transfer of personal data stipulated in subparagraphs (b) and (c) of paragraph (2) of Article (29) of the PDPL and provisions of the Transfers Regulation, namely that there is an adequate level of protection for personal data outside KSA and the transfer is limited to the minimum amount of personal data needed.

KSA has no single “blocking statute”, but it has various relevant legal authorities on internet censorship which are primarily aimed at controlling online content to align with the country’s cultural, religious and legal norms. Key legislation on web censorship includes:

  • ACC Law: Article 6 of the ACC Law prohibits, and prescribes imprisonment and fines as penalties for, the publication, dissemination or promotion of content deemed offensive to public order, religious values or national security. This includes content relating to pornography, gambling, blasphemy, defamation and political dissent.
  • TCIT Law: Article 24 of the TCIT Law stipulates that, after co-ordination with the competent authorities, the Commission must:
    1. introduce internet filtering and limit access to specific content on the internet; and
    2. prevent or restrict access to internet services by using internet gateways.

It is prohibited to bypass or circumvent internet filtering, or to provide the means to do so. In addition, the Commission shall set the regulatory controls and requirements.

Foreign subpoenas and discovery orders are not self‑executing in KSA and ordinarily must proceed through letters rogatory or treaty channels. Applications for the enforcement of foreign judgments and arbitration awards under the Execution Law must be submitted to the judge of the Execution Court with jurisdiction over such matters, to ensure their enforceability.

For sanctions compliance, internal screening is generally feasible, but outward disclosures – especially to foreign public authorities – must rely on a PDPL legal basis and a permitted transfer mechanism and, in regulated sectors (notably financial services), must use KSA-mandated domestic reporting gateways.

Since 2023, there have been no significant changes to KSA’s data protection laws and regulations, with the primary framework still largely governed by the PDPL, which was designed to align with international data protection standards. Nevertheless, the most notable development in KSA’s data protection regime occurred on 14 September 2024, when the PDPL finally became fully enforceable, marking a significant milestone for businesses operating in KSA. This full enforcement deadline required organisations to ensure compliance with the Law’s provisions, including implementing robust data protection measures, appointing data protection officers and adhering to strict data transfer requirements. On 27 April 2025, SDAIA launched its third public consultation on the PDPL and its regulations proposing some amendments, but as of the time of writing nothing has been finalised.

KSA has shifted to a modern, safeguards-based cross-border regime under the PDPL, with transfers permitted via adequacy, appropriate safeguards or narrow derogations, subject to risk assessment and accountability. The most impactful next steps will be the publication of an adequacy list and further definition of the role of a data protection officer.

GLA & Company

Alex Saleh
Managing Partner

Kuwait: +(965) 669 55516/UAE: +(971) 54 997 4040

alex.saleh@glaco.com glaco.com/attorneys/alex-saleh/