Saudi Arabia Confirms Amendments to the Personal Data Protection Law

In 2021, the Kingdom issued Royal Decree No. (M/19) of 1443H regarding the Personal Data Protection Law (PDPL). A series of changes to the law were published and implemented by Royal Decree No. (M/147) of 1444H, and the PDPL is to enter into force in September 2023. The executive regulations supplementing the PDPL should be issued prior to this date.

Key changes to the PDPL:

  1. The controller may transfer personal data or disclose it to a party outside the Kingdom, to achieve any of the following purposes:
  • If it is in implementation of an obligation under an agreement to which the Kingdom is a party.
  • If it is to serve the interests of the Kingdom.
  • If it is in implementation of an obligation to which the owner of the Personal Data is a party.
  • If it is in implementation of other purposes as specified by the regulations.

Controllers will need a specific purpose to transfer or disclose data outside Saudi Arabia. The transfer or disclosure shall not prejudice national security or the vital interests of the Kingdom. There shall be an appropriate level of protection for personal data outside the Kingdom, not less than the level of protection stipulated in the law and regulations, in accordance with the results of an evaluation conducted by the competent authority in this regard. However, the executive regulations should determine the cases in which controllers are exempt from compliance with this condition.

  2. The controller may disclose personal data if the processing is necessary to achieve his legitimate interests, unless it prejudices the rights of the owner of Personal Data or conflicts with his interests, and unless such data is not sensitive data.
  3. There is no requirement for a controller to register the processing activities. However, the Saudi Authority for Data and Artificial Intelligence (SDAIA) has been authorized to establish the requirements for practicing commercial, professional, or non-profit activities related to data protection, in coordination with the concerned authorities. SDAIA may also license entities that undertake auditing or examination of personal data processing activities, according to the nature of the activity practiced by the controller. Moreover, SDAIA has the authority to create a national register if it determines that it would be an appropriate tool and mechanism for monitoring and following up the compliance of the controller with the provisions of the law and regulations.
  4. A penalty of imprisonment for a period not exceeding two years and/or a fine not exceeding three million SAR shall be imposed on anyone who discloses or publishes sensitive data in violation of the provisions of the law if it is made with the intention of harming the owner of the data or with the intention of achieving a personal benefit. The competent court may double the fine penalty for repeat offenses.

By Pascale Dona
Senior Legal Editor

Pascale Dona joined Thomson Reuters in 2014 as Content Specialist. In 2007, Pascale graduated from the Lebanese University with a Bachelor’s Degree in Law, then moved to France and completed her Master’s degree in International Law from Nice Sophia Antipolis University. Pascale has more than 10 years of experience as a legal specialist in Lebanon and the UAE. She is a native Arabic speaker and proficient in English and French.

Pascale is currently a Senior Legal Editor for Thomson Reuters MENA. She is based in Dubai and is responsible for maintaining and providing the latest legal content for the MENA region.
