Enforcement of the Saudi Personal Data Protection Law

The committees responsible for considering violations of the Saudi Personal Data Protection Law (PDPL) have issued a number of decisions confirming breaches of the PDPL and imposing the prescribed penalties. Public statements indicate that 48 decisions were issued during the past year, following the expiry of the PDPL compliance grace period.

This development confirms that the PDPL has entered a phase of active enforcement, significantly increasing regulatory and enforcement risk for entities that collect, process, or use personal data in Saudi Arabia. If they haven’t already, entities subject to the PDPL should reassess their compliance frameworks in light of this growing scrutiny.

Background to the PDPL

The PDPL is Saudi Arabia’s statute governing the protection of personal data. It applies broadly to both public and private entities that process personal data within the Kingdom and, in certain circumstances, extends to entities located outside Saudi Arabia where they collect, store, or use the personal data of individuals in the Kingdom.

While the PDPL came into force in September 2023, its enforcement was subject to a transitional grace period, during which entities were expected to align their internal practices, policies, and systems with the requirements of the law and its implementing regulations. That grace period expired in September 2024, and the enforcement mechanisms provided for under the PDPL are now being exercised in practice.

The enforcement framework

Article 36 of the PDPL establishes a mechanism for regulatory enforcement through specialized committees authorized to consider violations of the PDPL and its implementing regulations. These committees have wide investigatory powers, including the ability to request information and documents from data controllers and to summon relevant individuals where necessary.

Where a breach is established, the committees may impose penalties, including warnings and financial fines of up to SAR5 million per violation, with the possibility of increased penalties in the event of repeat offenses. These powers exist without prejudice to any criminal liability or civil claims that may arise under other applicable laws.

Recent enforcement activity

According to recent Saudi press reports, the PDPL enforcement committees issued 48 decisions during the past year, confirming violations and imposing the statutory penalties on data controllers falling within the scope of the PDPL.

The violations under review covered a range of common data-processing practices. These included the collection and processing of personal data without a valid legal basis, the disclosure of personal data in the absence of lawful justification, and failures to implement appropriate organizational, administrative, and technical safeguards to protect personal data. The committees also considered breaches relating to the sending of promotional and marketing communications without obtaining the required consent from data subjects.

The breadth of these violations demonstrates that enforcement is not limited to isolated or technical breaches, but extends to core compliance obligations under the PDPL, including consent, security, and marketing practices.

Practical implications

These developments confirm that PDPL compliance is now subject to active regulatory scrutiny. Organizations in data-driven sectors may face increased exposure to investigation, enforcement action, and associated risks, including administrative fines, operational disruption, reputational harm, and potential civil claims.

The most effective mitigation strategy remains a clear and demonstrable compliance framework, supported by documented processing activities, lawful bases for processing, appropriate security measures, and compliant marketing practices. With enforcement powers now being exercised in practice, entities that have not undertaken a PDPL compliance review should treat this as an urgent priority.
