saudi-pdpl.com

Table of Contents

Article 1

Article 2

Article 3

Article 4

Article 5

Article 6

Article 7

Article 8

Article 9

Article 10

Article 11

Article 12

Article 13

Article 14

Article 15

Article 16

Article 17

Article 18

Article 19

Article 20

Article 21

Article 22

Article 23

Article 24

Article 25

Article 26

Article 27

Article 28

Article 29

Article 30

Article 31

Article 32

Article 33

Article 34

Article 35

Article 36

Article 37

Article 38

Article 39

Article 40

Article 41

Article 42

Article 43

Article 39

Without prejudice to the provisions of Article (35) and Paragraph (1) of Article (36) of this Law, the Public Entity shall discipline any of its employees who violate any of the provisions of this Law and Regulations, in accordance with the disciplinary provisions and procedures prescribed by law.

FAQs

The PDPL applies to any entity inside or outside Saudi Arabia, processing personal data of individuals residing in Saudi Arabia 

SDAIA is empowered to: 

  • Require foreign controllers to register and comply with PDPL obligations 
  • Audit and inspect their data processing systems and documentation 
  • Impose enforcement actions, including fines or seizure, even when the entity is based abroad 

If a foreign Controller refuses to register or comply with SDAIA: 

  • SDAIA can block transfer of data originating from Saudi Arabia 
  • They may impose financial penalties (up to SAR 5 million, doubling for repeat violations) and corrective orders 
  • Severe breaches can also lead to criminal prosecution enforced by Saudi courts or public prosecutors

Yes, the PDPL includes measures to ensure fair treatment: 

  • SDAIA must follow formal procedures requests and inspections must be legally justified and transparently conducted  
  • Foreign entities are granted due process, including avenues to challenge enforcement actions, appeal fines, and ensure procedural fairness
Scroll to Top