Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 43 establishes the formal enforcement date of the Personal Data Protection Law (PDPL). The Law becomes fully effective 720 days after publication...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 42 defines the mandatory timeline for issuing the Implementing Regulations of the Personal Data Protection Law (PDPL). The president of the...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 41 establishes that the duty to maintain the confidentiality of personal data continues even after a person’s employment, contractual engagement,...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 40 grants individuals the legal right to claim compensation if they suffer material or moral harm due to a violation of the Personal Data...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 39 clarifies that government entities are responsible for disciplining their own employees when they violate the Personal Data Protection...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 38 empowers the competent court to confiscate any financial gains obtained unlawfully through violations of the Personal Data Protection Law...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 37 defines SDAIA’s inspection and enforcement powers under the Personal Data Protection Law (PDPL). The Article authorizes the Competent Authority...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 36 establishes the administrative penalties for general violations of the Personal Data Protection Law and its Implementing Regulations, excluding...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 35 defines the criminal penalties for disclosing, publishing, or misusing Sensitive Personal Data, including biometric, health, religious,...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 34 establishes the individual right to submit complaints to the Competent Authority, such as SDAIA, whenever they believe that their...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 33 authorises SDAIA, acting as the Competent Authority, to regulate the licensing, accreditation, and oversight of entities providing data...
SDAIA’s Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 31 requires controllers to maintain accurate records of their Personal Data Processing activities. These records, often called a Record of...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 30 explains the powers of the Competent Authority, SDAIA, and outlines how supervisory oversight is carried out across all sectors in the...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 29 establishes the comprehensive legal framework for transferring or disclosing Personal Data outside the Kingdom of Saudi Arabia.
It permits...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 28 establishes clear restrictions on copying official documents that can identify an individual. Copies of passports, national IDs, and similar...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 27 explains when personal data may be processed for scientific, research, or statistical purposes without requiring the Data Subject’s consent....
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 26 establishes a clear legal boundary for the marketing use of Personal Data, ensuring that individuals have meaningful control over how their...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 25 establishes restrictions on how Controllers may send advertising or awareness-raising materials through personal communication channels....
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 24 establishes specific controls for Processing Credit Data given the sensitive nature of financial information and its connection to an individual’s...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 23 establishes special rules and heightened safeguards for Processing Health Data because it is classified as Sensitive Personal Data under...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 22 establishes a mandatory requirement for conducting a Personal Data Protection Impact Assessment (DPIA) before a Controller initiates any...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 21 requires Controllers to provide timely and compliant responses when Data Subjects exercise their rights (DSR) under the Law. These rights...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 20 requires Controllers to notify the Competent Authority (SDAIA) and, in certain situations, affected individuals when a personal data breach...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 19 requires Controllers to apply all necessary organizational, administrative, and technical measures to protect Personal Data during its...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 18 sets out the rules governing when Personal Data must be deleted and when it may be retained. The Article requires Controllers to destroy...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 17 requires Controllers to notify all entities that previously received a Data Subject’s Personal Data whenever that data is corrected, completed,...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 16 identifies the situations where a Controller is strictly prohibited from disclosing Personal Data, even when an exception under Article...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 15 defines the limited situations where a Controller may disclose personal data to another party in accordance with the Personal Data Protection...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 14 establishes the Controller’s obligation to ensure that personal data is accurate, complete, up to date, and relevant before it is processed....
Overview
Saudi Personal Data Protection Law (KSA PDPL) 13 defines what information a Controller must provide to the Data Subject when collecting personal data directly. These disclosures include the purpose...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 12 requires Controllers to publish a clear and accessible privacy policy before collecting personal data. The policy must describe why personal...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 11 establishes the rules governing why personal data may be collected and how much may be collected. It requires that data be collected only...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 10 defines the specific cases where personal data may be collected indirectly rather than directly from the Data Subject and the cases where...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 9 establishes the limits and restrictions that may apply to an individual’s right to access their personal data. It defines when a Controller...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 8 sets out the responsibilities of Data Controllers when selecting and supervising Processors. It requires Controllers to choose Processors...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 7 establishes that consent cannot be made a condition for obtaining a service or benefit unless the processing of personal data is directly...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 6 defines the specific situations where personal data may be processed without obtaining consent. These exceptions apply when contacting the...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 5 establishes consent as a core requirement before processing personal data or changing its purpose. It sets the conditions for obtaining...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 4 establishes the core Data Subject Rights (DSR) under the PDPL. These rights give individuals control by allowing them to access their personal...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 3 ensures that the PDPL does not reduce or override any stronger rights or protections granted under other Saudi laws or international agreements....
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 2 defines when the PDPL applies, focusing on processing connected to individuals (data subjects) in Saudi Arabia, including processing conducted...
Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 1 provides the foundational definitions that apply across Saudi Arabia’s Personal Data Protection Law. These definitions determine the...