Saudi PDPL - Data Subject Rights
Understanding your privacy rights under the Kingdom of Saudi Arabia's Personal Data Protection Law
About Saudi PDPL
The Personal Data Protection Law (PDPL) is Saudi Arabia's comprehensive data protection regulation, issued under Royal Decree M/19. It establishes the legal framework for protecting personal data and defines the rights of data subjects. The law is regulated by the Saudi Data and Artificial Intelligence Authority (SDAIA) and became fully enforceable in March 2025.
Regulator: SDAIA
Full Enforcement: March 2025
Max Penalty: Up to SAR 5M
Your Data Subject Rights
Right to Access
You have the right to request a copy of all personal data that an organization holds about you. This includes information about how your data is being processed and who it may be shared with.
Article 17
Right to Rectification
You have the right to request the correction of inaccurate personal data. Organizations must ensure that incomplete data is completed and errors are corrected without undue delay.
Article 18
Right to Erasure
You have the right to request the deletion of your personal data. This applies when the data is no longer necessary, consent is withdrawn, or the processing was unlawful.
Article 19
Right to Restriction
You have the right to request that the processing of your personal data be restricted. This means the data can be stored but not processed further without your consent.
Article 20
Right to Portability
You have the right to receive your personal data in a structured, commonly used format and to transmit that data to another organization.
Article 21
Right to Object
You have the right to object to the processing of your personal data, including processing for direct marketing purposes and profiling.
Article 22
Key Organizational Requirements
Explicit Consent
Organizations must obtain explicit consent before collecting or processing personal data. Consent must be specific, informed, and freely given.
Data Protection Officer
Organizations meeting certain criteria must appoint a Data Protection Officer to ensure compliance with PDPL requirements.
Cross-Border Transfer Restrictions
Personal data transfers outside Saudi Arabia are restricted. Organizations must ensure adequate protection levels in the receiving country.
Data Minimization
Organizations must collect only the personal data that is necessary for the specified purpose and retain it only for as long as needed.
Security Measures
Organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, or loss.
Response Timeline
Organizations must respond to data subject requests within the timeframes specified by SDAIA regulations. Complex requests may require an extension.
Cross-Border Data Transfers
Important Restrictions Apply
- Personal data transfers outside Saudi Arabia are restricted by Article 29
- Organizations must ensure adequate protection levels in the receiving country
- Specific conditions and approvals from SDAIA may be required for certain transfers
Exercise Your Rights Today
Submit a data subject access request to understand how your personal data is being processed.