PDPL Article 35 outlines the criminal penalties for individuals who unlawfully disclose or publish sensitive personal data, with intent to harm the data subject or gain a personal benefit. It also establishes who investigates and prosecutes, the role of the court, and how penalties can be increased in repeat offenses.
Sensitive data includes health, biometric, genetic, religious, or criminal records—and its unlawful use is treated as a serious offense under the PDPL.
Saudi PDPL Article 35 (1)
Criminal Penalty for Disclosure
The Competent Authority shall set the requirements for practicing commercial, professional or non-profit activities related to Personal Data protection in the Kingdom, in coordination with the competent authorities, and without prejudice to the other requirements set by those authorities in their domain of competence.
Saudi PDPL Article 35 (2)
Public Prosecution Oversight
The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.
Saudi PDPL Article 35 (3)
Court Jurisdiction for Penalties
The Competent Authority may grant licenses to entities that conduct audits or checks of Personal Data Processing activities related to the Controller’s activity, in accordance with the provisions stipulated in the Regulations. The Competent Authority shall set the conditions and criteria to grant such licenses, and the rules regulating them.
Saudi PDPL Article 35 (4)
Double Fine for Repeat Offenses
The Competent Authority shall specify the appropriate tools and mechanisms to monitor compliance of Controllers and Processors outside the Kingdom in regard with their obligations as stated in the Law and the Regulations when Processing personal data related to individuals residing in the Kingdom by any means, and shall define procedures to enforce the provisions of the Law and the Regulations outside the Kingdom.
Explanation of Saudi PDPL Article 35
Unlawful disclosure of sensitive data can lead to imprisonment or fines
Saudi PDPL Article 35 (1) says that, anyone who discloses or publishes sensitive data in violation of the PDPL, with intent to harm or gain personally, can face up to 2 years in prison, a fine up to SAR 3 million, or both.
The Public Prosecution handles PDPL criminal investigations
Saudi PDPL Article 35 (2) says that, the Public Prosecution is responsible for investigating and prosecuting violations of Article 35 before the competent court.
Courts enforce PDPL penalties for this violation
Saudi PDPL Article 35 (3) says that, the competent court handles lawsuits under this article and is responsible for issuing penalties.
SDAIA will supervise and enforce PDPL for non-KSA entities processing Saudi data:
Saudi PDPL Article 35 (4) says that, If someone repeats the offense, the court may double the fine, even if it exceeds SAR 3 million, provided it does not go beyond double that limit (i.e., SAR 6 million max).
