These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Kingdom of Saudi Arabia

Personal Data Protection Law 2023

Comprehensive compliance checklist for the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) 2023, covering data subject rights, controller and processor obligations, and cross-border data transfers.

Key Provisions

Article 1: Key Definitions

Personal Data: Data identifying an individual (e.g., name, ID, contact details, biometric data).

Processing: Any operation on data (collection, storage, sharing, destruction).

Controller: Entity determining purpose of processing.

Sensitive Data: Includes racial, health, genetic, or credit data.

Articles 2–3: Scope and Application

Applies to all processing of personal data in KSA, including data of KSA residents processed abroad. Processing for personal or family use is exempt, provided the data is not disclosed. The PDPL does not override stronger protections granted by other laws or international agreements.

Article 4: Rights of Data Subjects

Rights include:

  • Be informed of the purpose for which their data is collected
  • Access, correct, or destroy their data
  • Obtain a copy of their data in a readable format

Article 5: Consent Requirements

Consent is required for processing and for any change of purpose, unless an exemption applies. Consent must be explicit in the cases defined by the Regulations, and it can be withdrawn.

Article 6: Exemptions from Consent

Consent is not required where processing serves the Data Subject's interests and the Data Subject cannot be contacted, or where processing is required by law, for security or judicial purposes, or for legitimate interests (provided no Sensitive Data is involved).

Article 7: Data Processing Requirements

Consent cannot be a condition for services unless the service directly relates to the processing.

Articles 8–11: Controller Obligations

  • Must ensure processors comply with PDPL (Article 8)
  • May restrict data access for security or harm prevention (Article 9)
  • Collect data directly from subjects unless exceptions apply (Article 10)
  • Ensure data minimization and accuracy (Article 11)

Article 8: Processor Duties

Processors must act on behalf of the Controller and comply with PDPL.

Article 29: Cross-Border Data Transfer

  • Transfers are allowed to meet legal obligations, to serve the Kingdom's interests, or to fulfil Data Subject obligations
  • Recipient countries must ensure equivalent data protection
  • Exemptions for emergencies (e.g., life-threatening situations)

Article 20: Data Breach Notification

Controllers must notify the Competent Authority and affected Data Subjects of breaches that cause harm. Timelines and methods are specified in the Regulations.

Articles 35–36: Punishments

  • Sensitive Data breach: Up to 2 years imprisonment or SAR 3M fine (Article 35)
  • General violations: Fines up to SAR 5M, doubled for repeat offenses (Article 36)
  • Courts may order compensation for damages (Article 40)

Compliance Checklist

Article 8: Selection of Processors

For Controllers:

Vet and contractually bind Processors to comply with PDPL. Regularly audit Processor compliance.

For Processors:

Sign agreements guaranteeing adherence to PDPL. Cooperate with Controller audits and monitoring.

Article 19: Data Security

For Controllers:

  • Implement technical (encryption, access controls) and organizational measures
  • Secure data during transfers (e.g., VPNs, encryption)

For Processors:

Follow the Controller's security instructions. Report breaches or vulnerabilities to the Controller promptly.

Article 20: Data Breach Notification

For Controllers:

  • Establish incident response protocols
  • Notify the Competent Authority and affected Data Subjects of breaches

For Processors:

Assist Controllers in breach investigations. Provide breach details to Controllers without delay.

Article 29: Cross-Border Transfers

For Controllers:

  • Ensure recipient countries provide adequate data protection
  • Limit transfers to minimum necessary data

For Processors:

  • Process data only in jurisdictions approved by the Controller
  • Avoid unauthorized transfers unless instructed

Article 31: Record-Keeping

For Controllers:

Maintain records of processing activities (purposes, categories, transfers, retention periods). Submit records to the Competent Authority upon request.

For Processors:

Assist Controllers in maintaining accurate records (e.g., logs of processing activities).

Article 11: Data Minimization

For Controllers:

  • Collect only necessary data for specified purposes
  • Destroy data when no longer needed (Article 18)

For Processors:

Process data strictly per Controller instructions. Avoid storing excess data beyond contractual terms.

Articles 5, 7: Consent Management

For Controllers:

  • Obtain explicit consent for Sensitive Data or changes in processing purpose
  • Avoid tying consent to unrelated services

For Processors:

Process data only as authorized by the Controller's consent framework.

Articles 4, 21: Data Subject Rights

For Controllers:

  • Create mechanisms for Data Subjects to access, correct, or delete data
  • Respond to requests within timelines specified in Regulations

For Processors:

Assist Controllers in fulfilling Data Subject requests (e.g., retrieving, modifying, or deleting data).

Article 41: Confidentiality

For Controllers:

  • Train employees on confidentiality obligations
  • Include confidentiality clauses in employment/contractor agreements

For Processors:

  • Ensure staff handling data sign NDAs
  • Restrict access to authorized personnel only

Articles 6, 10: Lawful Processing

For Controllers:

  • Validate legal bases for processing
  • Document exceptions for non-consent processing

For Processors:

  • Process data only for purposes specified by the Controller
  • Alert Controllers if processing instructions conflict with PDPL

Article 14: Data Accuracy

For Controllers:

Verify accuracy and relevance of collected data. Update/correct data upon request.

For Processors:

  • Flag inaccuracies in data received from Controllers
  • Avoid processing outdated or incorrect data

Article 8: Processor Contracts

For Controllers:

Include clauses in contracts requiring Processors to follow PDPL, assist with audits, notify breaches, and delete/return data post-contract.

For Processors:

Adhere to contractual obligations with Controllers. Securely delete or return data after contract termination.

Article 18: Retention & Destruction

For Controllers:

  • Define retention periods aligned with purposes
  • Destroy data irreversibly (e.g., shredding, cryptographic erasure)

For Processors:

Follow Controller instructions for data retention and destruction. Certify data destruction post-processing.


Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.