DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

๐Ÿ‡ธ๐Ÿ‡ฆ Saudi Arabia

PDPL KSA

Personal Data Protection Law

In short
Saudi Arabia's PDPL generally requires consent before processing personal data unless a defined exception applies. Consent must be freely given and informed, with stricter conditions for sensitive data and marketing.
Region

Saudi Arabia

Status

Enforced from September 2024

Group

Asia & Africa

Who must comply

Any entity that processes personal data of individuals residing in Saudi Arabia, including controllers based abroad that process such data.

Penalties

Fines up to SAR 5 million, which can be doubled for repeat violations, plus imprisonment for unlawful disclosure of sensitive data.

Key obligations

  • Obtain consent before processing unless an exception applies
  • Provide a privacy notice of purpose and rights
  • Honor access, correction and deletion rights
  • Register with the authority and appoint a data protection officer where required
  • Meet conditions for cross-border transfers and report breaches

How ConsentX helps

Consent capture before processing

Geo-aware banner for visitors in Saudi Arabia

Rights request workflow with evidence

Consent receipts for audit

Region rule engine tuned for Saudi Arabia

Get PDPL KSA ready with ConsentX

Get started free Book a demo

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with PDPL KSA using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under PDPL KSA.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that PDPL KSA requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a PDPL KSA audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Does Saudi Arabia require consent for processing?+

Consent is generally required before processing unless a defined legal exception applies, and is stricter for sensitive data.

Who enforces Saudi Arabia's PDPL?+

The Saudi Data and Artificial Intelligence Authority, SDAIA, is the competent authority during the current phase.

Countries under PDPL KSA

๐Ÿ‡ธ๐Ÿ‡ฆ ุงู„ู…ู…ู„ูƒุฉ ุงู„ุนุฑุจูŠุฉ ุงู„ุณุนูˆุฏูŠุฉ

Other regulations

๐Ÿ‡ช๐Ÿ‡บ GDPR๐Ÿ‡ฌ๐Ÿ‡ง UK GDPR๐Ÿ‡บ๐Ÿ‡ธ CCPA / CPRA๐Ÿ‡บ๐Ÿ‡ธ VCDPA๐Ÿ‡บ๐Ÿ‡ธ Colorado CPA๐Ÿ‡บ๐Ÿ‡ธ CTDPA๐Ÿ‡บ๐Ÿ‡ธ UCPA๐Ÿ‡บ๐Ÿ‡ธ TDPSA๐Ÿ‡บ๐Ÿ‡ธ Oregon OCPA๐Ÿ‡บ๐Ÿ‡ธ Montana MCDPA๐Ÿ‡บ๐Ÿ‡ธ Florida FDBR๐Ÿ‡ง๐Ÿ‡ท LGPD๐Ÿ‡จ๐Ÿ‡ฆ PIPEDA๐Ÿ‡ฎ๐Ÿ‡ณ DPDPA๐ŸŒ PDPA๐Ÿ‡ฟ๐Ÿ‡ฆ POPIA๐Ÿ‡จ๐Ÿ‡ญ FADP๐Ÿ‡จ๐Ÿ‡ฆ Law 25๐Ÿ‡ฒ๐Ÿ‡ฝ LFPDPPP๐Ÿ‡ฆ๐Ÿ‡ท PDPL๐Ÿ‡จ๐Ÿ‡ฑ Law 21.719๐Ÿ‡จ๐Ÿ‡ด Law 1581๐Ÿ‡ต๐Ÿ‡ช Law 29733๐Ÿ‡บ๐Ÿ‡พ Law 18.331