Table of Contents
Article 1
Article 2
Article 3
Article 4
Article 5
Article 6
Article 7
Article 8
Article 9
Article 10
Article 11
Article 12
Article 13
Article 14
Article 15
Article 16
Article 17
Article 18
Article 19
Article 20
Article 21
Article 22
Article 23
Article 24
Article 25
Article 26
Article 27
Article 28
Article 29
Article 30
Article 31
Article 32
Article 33
Article 34
Article 35
Article 36
Article 37
Article 38
Article 39
Article 40
Article 41
Article 42
Article 43
Article 39
Without prejudice to the provisions of Article (35) and Paragraph (1) of Article (36) of this Law, the Public Entity shall discipline any of its employees who violate any of the provisions of this Law and Regulations, in accordance with the disciplinary provisions and procedures prescribed by law.
FAQs
The PDPL applies to any entity inside or outside Saudi Arabia, processing personal data of individuals residing in Saudi Arabia
SDAIA is empowered to:
- Require foreign controllers to register and comply with PDPL obligations
- Audit and inspect their data processing systems and documentation
- Impose enforcement actions, including fines or seizure, even when the entity is based abroad
If a foreign Controller refuses to register or comply with SDAIA:
- SDAIA can block transfer of data originating from Saudi Arabia
- They may impose financial penalties (up to SAR 5 million, doubling for repeat violations) and corrective orders
- Severe breaches can also lead to criminal prosecution enforced by Saudi courts or public prosecutors
Yes, the PDPL includes measures to ensure fair treatment:
- SDAIA must follow formal procedures requests and inspections must be legally justified and transparently conducted
- Foreign entities are granted due process, including avenues to challenge enforcement actions, appeal fines, and ensure procedural fairness