PDPL Compliance · Data Privacy · Saudi Arabia

PDPL Compliant.
Data Protected.
Saudi Arabia.

Crux implements PDPL data protection frameworks for Saudi organizations — Saudi Personal Data Protection Law compliance, NDMO data governance, and privacy risk management programs that protect Saudi citizens' data and protect your organization from penalties up to SAR 5 million.

Personal Data Protection · Saudi PDPL · Data Privacy · SDAIA · NDMO

SAR 5M · Max PDPL penalty · Avoid it
72 hours · Breach notification deadline
SDAIA · Regulator · SDAIA regulation
KSA Only · Data localisation requirement
PDPL Compliance Dashboard
Personal Data Protection Law · Compliance Dashboard
86% Compliant
PDPL REQUIREMENTS · Compliance Requirements
Privacy Notice (Arabic): Arabic-language notice published · SDAIA format ✓
Consent Management: Explicit consent collected · Withdrawal option ✓
Data Inventory (RoPA): 142 processing activities mapped ✓
Data Subject Rights: Access/deletion portal · In progress · 85%
Technical Security: Encryption · Access controls · Audit logs ✓
Data Localisation: AWS me-south-1 · KSA region only ✓
Breach Response: 72hr notification procedure · DPO assigned ✓
NDMO Data Classification: Classification ongoing · 68% complete
PDPL COMPLIANCE SCORE 86%
14% gap · Estimated completion: 3 weeks
SAR 5M Penalty Risk: ELIMINATED
PDPL compliance program active · SDAIA audit ready
SAR 5M · Max PDPL Penalty
PDPL (Personal Data Protection Law) imposes fines up to SAR 5 million for data protection violations, plus reputational damage in Saudi Arabia's business community that far exceeds financial penalties.

72hrs · Breach Notification
PDPL requires Saudi organizations to notify SDAIA of personal data breaches within 72 hours. Crux builds automated breach detection and notification procedures that meet this mandatory Saudi deadline.

SDAIA · Saudi Regulator
Saudi Data and Artificial Intelligence Authority (SDAIA) enforces PDPL in Saudi Arabia. Crux PDPL compliance programs are designed to satisfy SDAIA audit requirements and enforcement criteria.

KSA Only · Data Localisation
PDPL requires personal data of Saudi residents to remain in Saudi Arabia. Crux designs all cloud and data architectures to meet PDPL localisation requirements from day one.
Privacy Regulations · Regulatory Frameworks

Every Saudi and international privacy regulation covered.

PDPL

Saudi Personal Data Protection Law — the primary Saudi privacy regulation. Consent, data subject rights, localisation, breach notification, and SDAIA enforcement.

NDMO

National Data Management Office — data classification, government data sovereignty, data quality standards, and open data governance for Saudi public sector.

SAMA PDPL

SAMA-specific data protection requirements for Saudi financial institutions — customer data handling, cross-border restrictions, and banking data governance.

NCA Data Security

NCA cybersecurity controls for data protection — encryption standards, access management, and security controls protecting Saudi personal and sensitive data.

GDPR Alignment

GDPR-compatible privacy programs for Saudi organizations with European customers or operations — enabling simultaneous PDPL and GDPR compliance.

ISO 27701

Privacy Information Management System — ISO 27701 extension to ISO 27001 for Saudi organizations seeking internationally recognized privacy certification.

SDAIA AI Privacy

SDAIA AI ethics privacy requirements — personal data handling in AI training, algorithmic decision-making disclosure, and AI system privacy impact assessments.

NCA CCC Privacy

Cloud privacy controls — NCA cloud cybersecurity controls for personal data stored in Saudi cloud environments, ensuring PDPL localisation in cloud architectures.

Privacy Compliance Capabilities

Complete PDPL compliance for Saudi organizations.

PDPL Gap Assessment and Roadmap

Conduct a comprehensive PDPL gap assessment — mapping current Saudi data processing activities against all PDPL requirements, identifying compliance gaps, prioritising remediation, and building a 90-day PDPL compliance roadmap with actionable steps.

PDPL gap analysis · Data inventory · Risk prioritisation · 90-day roadmap

Data Inventory and RoPA

Build the Records of Processing Activities (RoPA) — mapping every Saudi data collection, processing, storage, and sharing activity, documenting lawful basis, data categories, retention periods, and third-party data flows in compliance with PDPL Article 4.

RoPA creation · Data mapping · Lawful basis · 3rd-party flows

Consent Management Platform

Design and implement PDPL-compliant consent management — Arabic-language consent interfaces, purpose-specific consent collection, consent withdrawal mechanisms, consent audit logs, and cookie/tracking consent for Saudi digital platforms.

Arabic consent UI · Purpose consent · Withdrawal rights · Consent audit logs

Data Subject Rights Implementation

Build Saudi data subject rights workflows — access requests, correction, deletion (right to be forgotten), data portability, and objection to processing — with Arabic-language interfaces, automated routing, and SDAIA-compliant response timelines.

Access requests · Right to deletion · Data portability · Arabic workflows

Privacy by Design Architecture

Embed privacy controls into Saudi digital systems from the start — data minimisation architecture, pseudonymisation, encryption at rest and in transit, access controls, retention automation, and Saudi cloud localisation (AWS me-south-1) meeting PDPL Article 19.

Data minimisation · Encryption design · KSA localisation · Retention automation

Breach Response and SDAIA Notification

Build PDPL breach response procedures — incident detection, severity assessment, 72-hour SDAIA notification workflow (in Arabic), affected individual notification processes, and post-breach remediation documentation required by PDPL Article 28.

Breach detection · 72hr SDAIA notify · Arabic notifications · Post-breach docs

PDPL FAQ · Frequently Asked Questions

PDPL compliance questions answered.

Q: What is PDPL (Saudi Personal Data Protection Law)?
PDPL is Saudi Arabia's data privacy regulation requiring organizations to obtain explicit consent before collecting personal data, process data only for stated purposes, implement security controls, and notify SDAIA of breaches within 72 hours. PDPL applies to all organizations processing personal data of Saudi residents — including foreign organizations operating in the Kingdom. Crux implements complete PDPL compliance programs.
Q: What are the main requirements of PDPL for Saudi organizations?
PDPL requires: lawful basis for processing, Arabic-language privacy notices, data subject rights (access, correction, deletion, portability), data minimisation, technical security controls, Saudi data localisation, 72-hour SDAIA breach notification, and DPO appointment for large-scale processors. Crux implements every PDPL requirement as a complete compliance program.
Q: Does PDPL require data to stay in Saudi Arabia?
Yes. PDPL includes data localisation requirements — personal data of Saudi residents must be stored in Saudi Arabia unless SDAIA approves a cross-border transfer to a country with adequate privacy protection. Crux designs all cloud architectures to meet PDPL localisation requirements — using AWS me-south-1 or Azure with appropriate Saudi agreements.
Q: What penalties does PDPL impose in Saudi Arabia?
PDPL penalties include fines up to SAR 5 million for data protection violations, up to SAR 3 million for unauthorized disclosure of sensitive personal data, and additional penalties for repeated violations. Senior executives can face personal liability for serious violations. Crux PDPL compliance programs are designed to eliminate enforcement risk entirely.
Q: What is NDMO data governance in Saudi Arabia?
NDMO establishes Saudi Arabia's data governance framework — data classification standards, data sovereignty requirements for government data, data quality standards, and open data policies. Crux implements NDMO data governance programs including data classification taxonomy, data lineage documentation, and quality frameworks.
PDPL Compliance · Personal Data Protection

PDPL compliant. SAR 5M penalty risk: eliminated.

Data inventory. Consent management. Arabic privacy notices. Data localisation. 72-hour breach response. Crux builds Saudi PDPL compliance programs that eliminate enforcement risk and build customer trust.
