saudi-pdpl.com

SAUDI PDPL

BLOG

Menu

FAQ

Table of Contents

Article 1

Article 2

Article 3

Article 4

Article 5

Article 6

Article 7

Article 8

Article 9

Article 10

Article 11

Article 12

Article 13

Article 14

Article 15

Article 16

Article 17

Article 18

Article 19

Article 20

Article 21

Article 22

Article 23

Article 24

Article 25

Article 26

Article 27

Article 28

Article 29

Article 30

Article 31

Article 32

Article 33

Article 34

Article 35

Article 36

Article 37

Article 38

Article 39

Article 40

Article 41

Article 42

Article 43

Article 36

  1. In cases that are not covered in Article (35) herein and without prejudice to any harsher penalty stipulated in another law, a warning or a fine not exceeding (five million) Riyals shall be imposed on every person with a special natural or legal capacity – covered by the provisions of the Law – who violates any of the provisions of the Law or the Regulations. The fine penalty may be doubled in the event of a repeat violation, even if it results in exceeding its maximum limit, provided that it does not exceed double this limit.
  2. A committee (or more) shall be formed by a decision of the president of the Competent Authority. The number of its members shall not be less than (three), and one of them shall be appointed as the committee head, and there shall be a technical specialist and a legal advisor among them. The committee is to examine violations and issue warnings or impose fines as stipulated in Paragraph (1) of this Article, considering the type of violation committed, its seriousness and the extent of its impact; provided that the decision of the committee is approved by the president of the Competent Authority or whomever they delegate. The president of the Competent Authority shall issue, by their decision, the rules of work of the committee, and the remunerations of its members shall be determined therein.
  3. Anyone against whom a decision has been issued by the committee mentioned in Paragraph (2) of this Article has the right to appeal against them before the competent court.

FAQs

If a Controller transfers your personal data outside Saudi Arabia without meeting legal conditions (i.e., no adequacy, safeguards like SCCs/BCRs, emergency exception, or SDAIA approval), this is considered an unlawful cross-border transfer. As per Article 36 of the PDPL: 

  • They may face up to 1 year imprisonment and/or a fine of SAR 1 million (~USD 267,000) for this violation

Yes. The PDPL allows for enhanced sanctions under Article 36: 

  • A repeat offense can result in doubling the fine, raising it up to SAR 2 million. 
  • Importantly, the law does not limit the prescribed imprisonment term, allowing penalties to increase for ongoing or repeated non-compliance.

A violation occurs when a cross-border transfer is made without following the lawful pathways: 

  • No adequate decision by SDAIA for the destination country. 
  • No use of approved safeguards, such as Standard Contractual Clauses, Binding Corporate Rules, or accredited certification. 
  • No presence of an emergency justification (e.g., for vital interests or health emergencies). 
  • No required approvals or risk assessments conducted where mandated under the transfer regulations.
Article 35
Article 37
Scroll to Top