The Saudi Personal Data Protection Law (PDPL) and its regulations issued by the Saudi Data and AI Authority (SDAIA) touch nearly every company, not just tech firms. Any business collecting customer, employee, or user data — through a CRM, an online store, an app, or a marketing campaign — is within scope, and compliance belongs before launch, not after. This page sets out the practical basics as stated in the Implementing Regulation and the cross-border transfer regulation, as part of Hala Law's business section.

Start with a data map, not a privacy policy

The first practical rule: a company needs a data map before it needs a polished privacy policy. A policy not grounded in what the company actually collects becomes a formality. The data map answers three questions: what data do we collect, where does it come from, and why do we process it? Every other compliance decision — legal basis, retention, which vendors touch the data — flows from those answers.

Consent: when is it valid, and when must it be explicit?

Consent is not the only legal basis for processing, but it is the most common one in marketing and digital services. Where consent is the legal basis, the Regulation requires it to be free, specific, clear, and based on defined purposes. A vague blanket consent buried in long terms of use does not meet that description.

There are also cases where explicit consent is specifically required, including sensitive data, credit data, and decisions based entirely on automated processing. A company that fully automates a decision about a user — such as automated scoring or classification — falls within these cases.

Data minimization and destruction

The Regulation affirms the principle of data minimization: collect what the processing actually requires, not everything that can be collected. A form demanding twenty fields for a service that needs three is a compliance burden before it is a user burden.

The Regulation requires destruction of data in cases including:

  • A request by the data subject.
  • The end of the need for the data.
  • Withdrawal of consent, where consent was the sole legal basis for processing.
  • Processing that violates the law.

The practical question many skip: who can prove the deletion happened? A documented destruction mechanism is part of compliance, not a technical luxury.

Records of processing activities

The Regulation requires records of processing activities to be maintained during the processing period and for five years from the date it ends. Closing a project or a campaign does not close the documentation obligation attached to it.

Core compliance questions

| Area | Compliance question | | --- | --- | | Data map | What data do we collect? From where? And why? | | Legal basis | Are we relying on consent, contract, legal obligation, or legitimate interest? | | Privacy policy | Does it explain purpose, retention period, rights, and contact channels? | | Marketing | Is consent clear and separate where required? | | Vendors | Does the CRM, hosting, or payment provider process data on our behalf? | | Transfers outside the Kingdom | Is there a receiving country, safeguards, and a risk assessment where required? | | Incidents | Who decides on notification? What is the breach containment plan? | | Destruction | When is data deleted? And who can prove the deletion? |

Cross-border transfers and vendors

Using international cloud providers or marketing tools raises two linked questions. First: does the vendor process data on your company's behalf? Your contracts with CRM, hosting, and payment providers are part of the compliance map. Second: does the data leave the Kingdom? Transfers are governed by a separate regulation, and the questions examined include the receiving country, the safeguards, and a risk assessment where required.

An important editorial caution: much of the PDPL material circulating online is outdated. The current reference is SDAIA and the Data Governance Platform, together with the Implementing Regulation and the transfer regulation as in force — not articles written before they were issued or amended.

When Do You Need a Licensed Lawyer or Adviser?

This page is a general framework, not an assessment of any specific company. The matter calls for a licensed lawyer or an accredited data protection adviser when:

  • Your company processes sensitive or credit data or makes fully automated decisions, and needs the correct legal basis mapped for each processing activity.
  • You plan a transfer of data outside the Kingdom and need the arrangement assessed against the current transfer regulation.
  • A data breach occurs, or you receive an inquiry or complaint concerning personal data.
  • You need data processing agreements with vendors drafted or reviewed, or a privacy policy that reflects your actual processing rather than a copied template.

In these situations, the position depends on the facts of the processing, its documents, and the texts of the regulations in force at the time of review — not on a single general rule.