PDPL & Saudi data protection, defined.
Every term a Saudi merchant needs to know about PDPL and compliance. Short definitions, authoritative sources, cross-linked.
PDPL & Privacy
Cross-Border Data Transfer
Under PDPL, moving personal data outside Saudi Arabia needs explicit authorization, safeguards, or adequacy determination. Unauthorized transfers carry fines up to SAR 1M plus up to 1 year in prison.
Data Breach Notification
PDPL requires controllers to notify SDAIA of any personal data breach within 72 hours of detection. Affected individuals must also be informed if the breach poses significant risk to their rights.
Data Controller
Under PDPL, the entity that decides why and how personal data is processed. Controllers bear primary legal responsibility for compliance and must register on the National Data Governance Platform.
Data Processor
Under PDPL, any party that processes personal data on behalf of a controller — payment processors, POS vendors, cloud providers. Bound by a written processing agreement with the controller.
Data Protection Officer (DPO)
An individual designated by a data controller to oversee PDPL compliance, handle data subject requests, and liaise with SDAIA. Required for high-risk processing or large-scale operations.
Data Subject Rights
The rights PDPL grants individuals over their personal data: access, correction, deletion, objection to processing, and data portability. Controllers must respond to requests within 30 days.
PDPL
Saudi Arabia's Personal Data Protection Law. The national framework governing how businesses collect, store, and transfer personal data. In full force since September 2024.
Sensitive Personal Data
A protected category under PDPL covering health data, biometrics, genetic data, religious beliefs, and criminal records. Mishandling carries fines up to SAR 3M plus up to 2 years in prison.