KSAPDPL.COM

Saudi PDPL Article 36 – General Violations and Administrative Penalties

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 36 establishes the administrative penalties for general violations of the Personal Data Protection Law and its Implementing Regulations, excluding violations involving sensitive data, which are addressed under Article 35.

The Article introduces fines for non-criminal PDPL breaches, sets out the rules for doubling fines in the case of repeated violations, defines how the violation committee is formed, and clarifies the right to appeal administrative decisions before the competent court.

This Article strengthens accountability and ensures consistent administrative enforcement across all entities processing personal data in Saudi Arabia.

Saudi PDPL Article 36

  1. In cases that are not covered in Article (35) herein and without prejudice to any harsher penalty stipulated in another law, a warning or a fine not exceeding (five million) Riyals shall be imposed on every person with a special natural or legal capacity - covered by the provisions of the Law - who violates any of the provisions of the Law or the Regulations. The fine penalty may be doubled in the event of a repeat violation, even if it results in exceeding its maximum limit, provided that it does not exceed double this limit.
  2. A committee (or more) shall be formed by a decision of the president of the Competent Authority. The number of its members shall not be less than (three), and one of them shall be appointed as the committee head, and there shall be a technical specialist and a legal advisor among them. The committee is to examine violations and issue warnings or impose fines as stipulated in Paragraph (1) of this Article, considering the type of violation committed, its seriousness and the extent of its impact; provided that the decision of the committee is approved by the president of the Competent Authority or whomever they delegate. The president of the Competent Authority shall issue, by their decision, the rules of work of the committee, and the remunerations of its members shall be determined therein.
  3. Anyone against whom a decision has been issued by the committee mentioned in Paragraph (2) of this Article has the right to appeal against them before the competent court.

Explanation of Saudi PDPL Article 36

Article 36(1)

General Penalty Framework

This provision defines the administrative penalties that apply when a PDPL violation does not fall under Article 35, which deals with sensitive data misuse. Under this Article, entities or individuals subject to the PDPL may receive a formal warning or a financial penalty of up to SAR 5 million for violating any provision of the Law or its Regulations. The clause clarifies that these penalties apply unless a different law imposes a stricter sanction.

The paragraph also establishes the rule for repeat violations. If an individual or entity commits a second or subsequent violation, the committee may double the fine imposed. Even if the doubled fine exceeds the stated maximum penalty, it remains permitted as long as it does not exceed twice the legal maximum, effectively raising the upper limit to SAR 10 million for repeat offenses. This creates a structured mechanism for proportionate escalation in the case of recurring non-compliance.

Article 36(2)

Committee Formation Requirements

This provision mandates the creation of a violation review committee through a formal decision issued by the president of the Competent Authority. The committee must include at least three members, one of whom will act as the chair. It must also include both a technical specialist and a legal advisor, ensuring that decisions are informed by appropriate expertise.

The committee is empowered to investigate PDPL violations, assess their severity and impact, and decide whether to issue a warning or impose a fine under Article 36(1). However, no penalty takes effect unless the president of the Competent Authority, or an official delegate, approves the committee’s decision.

The same presidential decision will also set out the committee’s internal operating rules and define the remuneration paid to its members, ensuring procedural clarity and administrative accountability.

Article 36(3)

Right to Appeal Decisions

This provision guarantees that any party penalized by the committee has the right to appeal its decision before the competent court. This ensures judicial oversight over administrative enforcement actions.

The appeal mechanism enables individuals and entities to obtain an independent review of administrative penalties, protecting due-process rights and promoting fairness and transparency in PDPL enforcement.
