Saudi Arabia PDPL

Personal Data Protection Law (Royal Decree M/19)

Saudi Arabia's comprehensive personal data protection law with extraterritorial scope, DPO requirements for sensitive processing, and National Data Governance Platform registration.

Jurisdiction

Saudi Arabia

Enacted

Sep 14, 2021

Effective

Sep 14, 2024

Enforcement

Saudi Data and Artificial Intelligence Authority (SDAIA)

Extraterritorial application; complements SDAIA Framework

SDAIA Official Website

Why It Matters

Saudi Arabia's PDPL with extraterritorial scope and National Data Governance Platform creates comprehensive compliance framework for AI chatbots serving Saudi users globally. Complements existing SDAIA AI Framework.

Recent Developments

Effective September 2024 after 3-year implementation period

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers and processors in Saudi Arabia
Entities outside Saudi Arabia processing Saudi residents' data
Sensitive data processing including health

Obligations fall on:

Safety Provisions

Extraterritorial application to data of Saudi residents
Data Protection Officer for sensitive data processing
National Data Governance Platform registration
Data Protection Impact Assessment for high-risk processing
Cross-border transfer restrictions

Compliance & Enforcement

Penalties

SAR 3M

Primary Source

SDAIA Official Website

https://sdaia.gov.sa/

View on map

Saudi Arabia

Focus Areas

Mental health & crisis

Algorithmic accountability

Cite This

APA

Saudi Arabia. (2021). Personal Data Protection Law (Royal Decree M/19).

Related Regulations

In Effect SA

SDAIA AI Framework

Comprehensive AI governance from Saudi Data & AI Authority: Ethics Principles (Sep 2023), Generative AI Guidelines (Jan 2024), AI Adoption Framework (Sep 2024). Combined with PDPL creates binding + guidance framework.

In Effect IL

Israel Privacy Amendment 13

Israel's most significant privacy reform in 40 years, explicitly covering AI systems. Requires Data Protection Officers (DPOs) for entities processing sensitive data at scale, mandates Data Protection Impact Assessments (DPIAs) before AI deployment, and enhances Protection of Privacy Authority enforcement powers. One of first data protection laws to explicitly require DPIAs before AI development or deployment.

In Effect JO

Jordan PDPL

Jordan's data protection law with medical data processing exceptions, data portability rights, and oversight including security services.

In Effect KW

Kuwait Decision 26/2024

Kuwait's data privacy regulation requiring guardian consent for minors under 18, 72-hour breach notification, and automated decision restrictions.

In Effect EG

Egypt AI Strategy 2025

Ambitious national strategy positioning Egypt as regional AI hub for Africa and Middle East. Targets 7.7% ICT sector GDP contribution by 2030, training 30,000 AI specialists, establishing 250 AI companies. Built on six strategic pillars: governance, infrastructure, technology, data, ecosystem, and talent. Accompanied by Egyptian Charter for Responsible AI (April 2023) with ethics principles.

In Effect QA

Qatar QCB AI Guidelines

Binding AI governance requirements for Qatar's financial sector. Mandates board-level accountability, risk assessments, human-in-the-loop for high-impact decisions, and prior QCB approval for high-risk AI systems.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.