
Saudi Personal Data Protection Law (PDPL): A Practical Guide for Businesses

Origami Team, Editorial Team

If your business collects any data about your customers — name, mobile number, email, location, or photo — you are subject to the Personal Data Protection Law (PDPL). The law has been fully enforceable since September 14, 2024, supervised by the Saudi Data and AI Authority (SDAIA), and violations can carry fines of up to SAR 5 million. This guide explains, in plain terms, what your business must do, what rights your customers have, and how to prepare without unnecessary complexity.

What is the Personal Data Protection Law?

It is a Saudi law issued by Royal Decree No. (M/19) that regulates how personal data is collected, processed, stored, and shared within the Kingdom. Its goal is to protect individuals' privacy and ensure businesses handle their data responsibly and transparently. The law came into force on September 14, 2023, with a one-year grace period for compliance that ended on September 14, 2024, after which it became fully binding.

Who does the law apply to?

It applies to any entity — public or private — that processes the personal data of individuals inside the Kingdom, by any means. This includes online stores, apps, clinics, restaurants, real estate firms, and any business that maintains a customer base. Its reach even extends to entities outside the Kingdom if they process the data of residents. In short: if you hold customer data, the law concerns you.

What rights does the data subject (your customer) have?

The law grants individuals a clear set of rights over their data, most notably:

  • Right to be informed: to know why their data is collected and how it will be used.
  • Right of access: to view the data you hold about them and obtain a copy of it.
  • Right to correction: to request that their data be amended, updated, or completed.
  • Right to destruction: to request deletion of their data when it is no longer needed.

What are the business's (data controller's) obligations?

  • A legal basis for processing: do not collect data without justification; the default is to obtain the individual's consent.
  • A clear privacy policy: publish a policy explaining what you collect, why, and how you protect it.
  • Data minimization: collect only what you need to achieve the purpose — no more.
  • Breach notification: notify the Authority (and the data subject where required) of any leak that threatens privacy.
  • Cross-border transfer controls: transfer personal data outside the Kingdom only in line with the Regulation on Personal Data Transfer outside the Kingdom.

What are the penalties for violations?

Penalties escalate based on the type of violation:

  • Disclosing or transferring sensitive data with intent to harm or for personal benefit: imprisonment of up to two years and/or a fine of up to SAR 3 million.
  • Other violations: a warning or a fine of up to SAR 5 million, which may be doubled for repeat offenses.

More importantly, the financial penalty is not the only risk; losing your customers' trust after a data leak can cost your business far more than the fine itself.

How do you prepare your business for compliance?

  • Know your data: map what data you collect, where it is stored, and who can access it.
  • Publish a clear privacy policy on your website and app, in plain, understandable language.
  • Implement explicit consent before collecting data, with an option to withdraw consent later.
  • Secure storage: encryption, limited access permissions, and deletion of what you no longer need.
  • Prepare a process to respond to customer requests (access, correction, deletion) and to report breaches.

How Origami helps you

At Origami, we build systems and apps on a privacy-by-design principle: encryption of sensitive data, consent management, access logging, and built-in deletion and correction mechanisms. Whether you are building a new system or aligning your existing one with data protection requirements, we handle the technical side so you can rest assured about your business's compliance.

Frequently Asked Questions

Does the law apply to small businesses? Yes, there is no exemption by size; any business that processes individuals' data is subject to the law.

Is a privacy policy on the website enough? A privacy policy is an important step but not sufficient on its own; what is required is genuine compliance in collecting, protecting, providing access to, and deleting data under the law.

What do I do if my customers' data is leaked? Fix the vulnerability immediately, document the incident, notify the Authority as required, and inform affected individuals where necessary.

Protecting your customers' data is no longer just a competitive advantage; it is a legal obligation whose neglect brings fines and lost trust.

If you want to assess your business's readiness for data protection compliance, or build a system that respects privacy by design, book a short call with the Origami team or reach out to us on WhatsApp.

Official Sources

