Saudi Personal Data Protection Law

Regulates the collection, processing, disclosure, and retention of personal data in Saudi Arabia, establishing data subject rights and controller obligations. Applies to organizations processing personal data of individuals within the Kingdom of Saudi Arabia.

  • Rules extracted: 10
  • Obligations decomposed: 135
  • Avg obligations per rule: 13.5x
  • Jurisdiction: 🇸🇦 Saudi Arabia

About this regulation

Royal Decree M/19 dated 9/2/1443H (2021), amended by Royal Decree M/148 (2023). Implementing regulations were issued in September 2023. The law establishes a comprehensive data protection framework for processing personal data in Saudi Arabia, covering lawful basis, data subject rights, consent, cross-border transfers, DPO requirements, breach notification, and penalties. It is enforced by SDAIA, with a one-year compliance grace period from September 2023 to September 2024. It applies to both public and private sector entities processing personal data of individuals residing in the Kingdom.

What AuditDSS covers

  • Source: 1 regulation
  • Extracted: 10 rules
  • Decomposed: 135 obligations
  • Decomposition ratio: 13.5x

Each rule is decomposed into an average of 13.5 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 135 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in PDPL is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

  • Full title: Saudi Personal Data Protection Law
  • Regulatory body: Saudi Data and AI Authority
  • Jurisdiction: 🇸🇦 Saudi Arabia
  • Document type: law
  • Effective date: September 14, 2023
  • Issuing authority: Saudi Data and AI Authority (SDAIA)

Who this applies to

  • data controllers
  • data processors

Key requirements

  • lawful basis for processing
  • data subject rights
  • consent requirements
  • cross-border transfer restrictions
  • data protection officer
  • breach notification
  • 72-hour notification deadline

Frequently asked questions about PDPL

What is PDPL?

Royal Decree M/19 dated 9/2/1443H (2021), amended by Royal Decree M/148 (2023). Implementing regulations were issued in September 2023. The law establishes a comprehensive data protection framework for processing personal data in Saudi Arabia, covering lawful basis, data subject rights, consent, cross-border transfers, DPO requirements, breach notification, and penalties. It is enforced by SDAIA, with a one-year compliance grace period from September 2023 to September 2024. It applies to both public and private sector entities processing personal data of individuals residing in the Kingdom.

Who does PDPL apply to?

PDPL applies to data controllers and data processors.

How many obligations does PDPL contain?

AuditDSS has decomposed PDPL into 135 atomic obligations from 10 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of PDPL?

The key requirements include: lawful basis for processing, data subject rights, consent requirements, cross-border transfer restrictions, data protection officer, breach notification, and a 72-hour notification deadline.

How can I assess my PDPL compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 135 PDPL obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces PDPL?

PDPL is enforced in Saudi Arabia by the Saudi Data and AI Authority.

When did PDPL come into effect?

PDPL became effective on September 14, 2023.

What industry does PDPL apply to?

PDPL is primarily relevant to the Workplace Safety & WHS/OHS industry. AuditDSS covers 45 regulations in this industry sector.

Build a PDPL compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for PDPL — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering PDPL requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine PDPL with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against PDPL

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 135 obligations

Your document is scored against every obligation in PDPL. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your PDPL compliance

Upload your document and get a risk-scored gap analysis against 135 PDPL obligations in under 5 minutes.