KSAPDPL.COM


Saudi PDPL Article 35 – Penalties for Sensitive Data Misuse

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 35 sets out the criminal penalty for disclosing or publishing Sensitive Personal Data, such as biometric, health, genetic, religious, or criminal data, in violation of the Law. The Article targets intentional acts only: the disclosure or publication must be made with the intention of harming the Data Subject or obtaining a personal benefit.

It also states that the Public Prosecution investigates and prosecutes such cases, that the competent court hears them and imposes the penalty, and that the fine may be doubled for repeat offenders. Article 35 signals that intentional misuse of sensitive data is treated as a serious criminal offense under Saudi law, carrying the possibility of imprisonment, significant financial fines, and stricter sanctions for recidivists.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 35

  1. Without prejudice to any harsher penalty stipulated in another law, any individual who discloses or publishes Sensitive Data, in violation of the provisions of the Law, with the intention of harming the Data Subject or achieving a personal benefit shall be punished with imprisonment for a period not exceeding (two years), or a fine not exceeding (three million) Riyals, or both.

  2. The Public Prosecution is responsible for investigating and prosecuting before the competent court for the violation stipulated in Paragraph (1) of this Article.

  3. The competent court shall be in charge of lawsuits arising from the implementation of this Article and issuing the prescribed penalties.

  4. The competent court may double the fine penalty stipulated in Paragraph (1) of this Article in the case of recidivism, even if it results in exceeding its maximum limit, provided that it does not exceed double this limit.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 35(1)

Criminal Penalty for Intentional Sensitive Data Disclosure

This provision makes it a criminal offense to disclose or publish Sensitive Personal Data when two elements are present: the disclosure or publication violates the provisions of the Law, and it is done with the intention of harming the Data Subject or obtaining a personal benefit. Sensitive Data includes biometric identifiers, health information, genetic data, religious data, criminal records, and the other categories defined under the Law. Accidental or negligent exposure lacks the intent element and therefore falls outside this paragraph, although it may still breach other obligations under the Law.

The court may impose:

  • Up to two (2) years imprisonment, or
  • A fine up to SAR 3,000,000, or
  • Both penalties together


It signals the severity with which Saudi Arabia treats the intentional misuse of sensitive data, emphasizing deterrence and protection of individuals whose data carries higher privacy risks.

PDPL Article 35(2)

Investigation and Prosecution

This provision confirms that the Public Prosecution is responsible for investigating violations of Article 35(1) and for initiating criminal proceedings before the competent court.

This places the investigation of the offense within a single enforcement authority, supporting consistent evidence handling and uniform application of criminal procedure. It also distinguishes the Article 35 offense from the administrative violations of the Law, which are handled by the competent authority rather than by the criminal courts.

PDPL Article 35(3)

Competent Court Penalty

This provision clarifies that the competent court is responsible for hearing cases involving Article 35 violations and for issuing the appropriate criminal penalties.


This ensures:

  • Judicial independence in assessing the severity of the offense
  • Consistent application of penalties
  • Clear legal oversight over sensitive data misuse crimes


The courts, therefore, serve as the final arbiter determining guilt and assigning imprisonment or financial penalties.

PDPL Article 35(4)

Repeat Offense Penalties

This provision allows the court to double the fine for an offender who again violates Article 35(1), even if the resulting amount exceeds the normal statutory maximum of SAR 3 million. The only limit is that the doubled fine cannot exceed twice that maximum, so a repeat offender may be fined up to SAR 6 million. The doubling applies to the fine only; the two-year ceiling on imprisonment in Paragraph (1) is unchanged.

This clause is designed to deter habitual offenders and signal that repeated sensitive data misuse carries escalating consequences, reinforcing PDPL’s role in protecting high-risk categories of data.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), what counts as “Sensitive Personal Data” for Article 35 penalties?
Sensitive Data is a defined category under the Law (see Article 1) covering data whose misuse creates higher risk for the individual, such as health, genetic, biometric, religious, and criminal data. Article 35 applies only to this defined category, not to Personal Data in general.
If a business accidentally exposes Sensitive Personal Data, does Article 35 still apply?
Generally not. Article 35(1) is limited to disclosure or publication made with the intention of harming the Data Subject or obtaining a personal benefit. An accidental exposure lacks that intent, so it falls outside the criminal offense, but it can still breach the Controller’s other obligations under the Law and attract the Law’s administrative consequences.
In healthcare, does improper access to a patient’s record count as Sensitive Data misuse?
Health data is Sensitive Data, and unauthorized access violates the Law. Article 35(1), however, is triggered only when the data is then disclosed or published with intent to harm or to gain a personal benefit; a staff member who reads a record and leaks it for those reasons is the scenario the Article targets.
Does using Sensitive Personal Data for marketing fall under Article 35 penalties?
Not by itself. Using Sensitive Data for a purpose unrelated to the one it was collected for breaches the purpose-limitation and consent provisions of the Law, which carry their own sanctions. Article 35 applies only if that use involves disclosing or publishing the data with the intent described in Paragraph (1).
In HR, if an employee’s medical information is shared with colleagues, does Article 35 apply?
Medical information is Sensitive Data, and sharing it without a lawful basis violates the Law. Whether Article 35(1) applies turns on intent: sharing done to harm the employee or for personal benefit fits the offense; careless sharing does not, though it remains a violation subject to the Law’s other penalties.
Are Processors also at risk under Article 35 if they mishandle Sensitive Personal Data?
Yes. Article 35(1) applies to “any individual”, so it is not limited to Controllers. Processor staff who disclose or publish Sensitive Data with the required intent face the same criminal penalty, and the Processor remains bound by its contractual and statutory obligations for the data it handles.
Does Article 35 only apply to large-scale misuse?
No. The Article sets no threshold on the number of Data Subjects or records. Disclosing one person’s Sensitive Data with intent to harm or for personal benefit is enough; scale affects the harm caused, and therefore the penalty the court chooses within the statutory limits, not whether the offense exists.
In fintech, does exposing detailed financial behavior qualify as misuse under Article 35?
Only if the data is Sensitive Data as the Law defines it. Credit Data is included in that definition; other financial or transactional data is Personal Data protected by the Law but outside Article 35 unless it reveals a sensitive category. Even then, the intent element of Paragraph (1) must also be met.
Can a business rely on customer consent to avoid Article 35 penalties?
Consent is a lawful basis for processing, and a disclosure that stays within what the Data Subject validly consented to is not “in violation of the provisions of the Law”, so Article 35(1) is not engaged. Consent does not cover disclosure beyond its scope, and it never legitimizes a disclosure made to harm the Data Subject.
Common misconception, “Only intentional misuse triggers Article 35.” Is that correct?
For the criminal offense in Article 35(1), yes: the text requires the disclosure or publication to be made with the intention of harming the Data Subject or achieving a personal benefit. Unintentional or negligent mishandling of Sensitive Data is still a violation of the Law, but it is addressed through the Law’s other enforcement provisions rather than as the Article 35 crime.
If Sensitive Personal Data is anonymized, does Article 35 still apply?
If the data is fully anonymized so that it can no longer be linked to an identifiable person, it is no longer Personal Data and Article 35 does not apply. Pseudonymized or weakly anonymized data that can still be re-identified remains Sensitive Data, and disclosing it is treated as disclosing the original data.
Does Article 35 cover internal misuse, such as employees accessing data without need?
Access alone is not disclosure or publication. Article 35(1) is triggered when the insider goes on to disclose or publish the Sensitive Data they accessed, with intent to harm or for personal benefit. Unauthorized internal access is still a violation of the Law, and organizations should log and investigate it, because it is commonly the first step toward the disclosure the Article punishes.
