The Regulations of the Personal Data Protection Law, namely the Implementing Regulations and the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom Saudi Arabia (KSA) were made available on the 7th of September 2023. Collectively they are referred to as ‘The Regulations’. Enforcement of the law will start from 14th of September 2024 onwards. As such, organizations and businesses that fall under the Kingdom’s PDPL (Personal Data Protection Law), have a one-year timeframe to align their processing activities with the requirements of the PDPL and its implementing regulations to ensure compliance.

The Regulations represent a notable advancement in the data protection framework of the Kingdom, as they provide valuable elucidation and essential particulars that complement the KSA PDPL.  The clauses and stipulations within their legislation showcase a strong convergence with not only other Middle Eastern nations but also international data protection standards, notably the EU GDPR. In particular, the PDPL governs the handling of an individual’s personal data within the KSA, even when such processing is conducted by entities located outside the country. The primary objective of the PDPL is to safeguard the privacy of personal data, oversee data sharing practices, and thwart any misuse of personal information. The Implementing Regulations serve the purpose of providing further clarification and detailing the practical application of the PDPL and thereby complementing the PDPL.

Implementing Regulations

The Implementing Regulations clarify key elements, such as information on the data subject rights, the specifications for the register of processing activities, obligations of the involved parties in case of a data breach – when to report to the competent authority and data subjects – and specifications about the information such a notification should entail.  Notably, a data protection impact assessment must be undertaken by controllers in nine different situations to assess the risks and address those risks. Other interesting core elements of the PDPL are purpose limitation and data minimization, conditions for when to appoint a data protection officer, rules concerning the disclosure of personal data to others (being third parties, such as the authorities), obligations- and responsibilities of the controller, processors and sub-processers and material requirements for the agreements to be concluded between the parties (data processing agreements). As demonstrated, it is a rather comprehensive and extensive piece of legislation. The practical application of these elements shows great resemblance to the GDPR, a very welcomed approach.

The Data Transfer Regulations

The PDPL also addresses the transfer of personal data between different countries. The Data Transfer Regulations provide further practical clarification and describe the situations when the controller is permitted to transfer or disclose personal data to an organization located outside the boundaries of the KSA. Once again, the requirements and obligations demonstrate close alignment with the GDPR.

What can DPO Consultancy do for you?

Does your organization have any questions about the obligations and requirements set forth by the PDPL and The Regulations? Contact us via for assistance.

Source: Kingdom of Saudi Arabia’s New Personal Data Protection Law and Implementing Regulations—Key Obligations, Responsibilities and Rights | Akin Gump Strauss Hauer & Feld LLP

Saudi Arabia publishes final Personal Data Protection Law (