Navigate Saudi Arabia's Personal Data Protection Law with Ease from the FileCloud Compliance Center

Try Free Now Payment details are not required
Gartner Per Insights Logo 2018
Gartner Per Insights Logo 2019
Gartner Per Insights Logo 2020
Gartner Per Insights Logo 2021
Gartner Per Insights Logo 2022

FileCloud has received the Gartner Peer Insights Customers’ Choice Distinction for the fifth consecutive time!

92% of our customers would recommend us to a friend.

Rating Stars Image 4.5

Saudi Arabia Vision 2030

As part of its Vision 2030 Roadmap, the Kingdom of Saudi Arabia is rapidly enabling digital transformation. This includes enacting appropriate legislation around data governance in businesses and government entities.

The PDPL was enacted on March 17, 2023. This is the first comprehensive data protection legislation in Saudi Arabia and its stringent requirements mean organizations must implement robust technical controls to comply. FileCloud has added the PDPL to its range of regulations you can seamlessly configure and monitor via its Compliance Center.

Measures should be put in place to secure personal data. These are required to ensure the preservation of personal data, including when it is transferred.

The new rights of the data subject under the PDPL include: 

  • Right to know the data controller’s contact details, the legal basis & reason for the data collection, data collection methods, and whether their personal data will be shared or sold.
  • Right to request access or copy of their data, free of charge and in a clear format that conforms with the records held by the data controller.
  • Right to request correction of any data about them that is inaccurate, incomplete, or obsolete.
  • Right to request destruction of their personal data by an organization and rescind consent for the collection of their data.
  • Right to restrict processing of their data for periods of time.

Scope of the PDPL

Regulatory Scope – Encompasses organizations’ activities in relation to the processing of personal data or sensitive personal data about individuals residing in Saudi Arabia. This includes deceased individuals’ personal data if the processing of this data could result in the identification of the deceased or their family members.

Territorial Scope – Applies to all public and private organizations that collect and process personal data and sensitive personal data related to individuals residing in Saudi Arabia. This includes entities outside the country that collect and process the personal data of individuals residing there.

Organizations’ Obligations under the PDPL

Controlling authorities and data controllers must ensure personal data is accurate, complete, and relevant before processing it. They are bound by the following principles:

  • Collection limitation
  • Purpose limitation
  • Data security
  • Accountability
  • Retention limitation

FileCloud Compliance Center Screenshot

Penalties for Non-Compliance with the PDPL

The PDPL imposes heavy penalties for non-compliance on the part of data controllers with its requirements, including:

  • Disclosure or publication of sensitive personal information: Up to 2 years and/or a fine of up to SAR 3 million ($800,000). This applies to individuals and organizations.
  • Violation of cross-border data transfer stipulations: Up to one year in prison and/or a fine of up to SAR 1 million ($267,000).
  • Other provisions include a warning notice or a fine of up to SAR 5 million ($1.3 million), with the court having freedom to double the fine for repeat offences.
  • Penalties can also be imposed for the absence of robust mechanisms to protect individuals’ personal data.

How Can FileCloud Help with PDPL Compliance?

With an entire tab dedicated to the PDPL, containing detailed instructions on configurations that map to vital aspects of the legislation, FileCloud’s Compliance Center contains all the features you need to comply seamlessly with its requirements. Features available include content classification, retention policies, custom metadata, anonymization of personal data, built-in pattern searching, powerful audit capabilities, and numerous security protections.

Explore FileCloud’s powerful compliance capabilities by scheduling a call with our Sales team! Contact us.

FileCloud Compliance Center Screenshot


Prior to processing personal data, organizations must obtain explicit consent from the data subject, with certain exceptions stipulated in the legislation. Data subjects are owners of their personal data and can withdraw their consent at any time. Consent cannot be a prerequisite to obtaining a service/benefit unless that service/benefit is related to the data processing itself.


Organizations must register on a dedicated portal and pay annual fees. This functions as the national record of data controllers. Organizations outside of the jurisdiction that process data of Saudi residents must appoint a representative in the Kingdom to communicate with the regulatory authorities about compliance.

Privacy Notification and Privacy Policy

Organizations must have a privacy policy regarding personal data for individuals to review before data collection. This should include the purpose, method, storage, processing, and destruction of the data. It should also outline the rights of the data subject and the organization’s commitment to upholding these rights.

Security Measures

All organizations must put measures in place to secure personal data. These are required to ensure the preservation of personal data, including when it is transferred.

Notification of Data Breaches

Organizations must notify the regulatory authority within 72 hours of becoming aware of a data breach. The data controller must outline the breach and steps being taken to prevent a recurrence. The controller must also inform the data subject if the breach puts them at significant risk.

Impact Assessment

The PDPL requires all organizations to conduct a thorough impact assessment regarding the processing of personal data.

Appointment of Data Protection Officer

Organizations must appoint or more Data Protection Officers to ensure that the provisions of the PDPL are implemented comprehensively throughout all departments.


Record-keeping must include: the organization’s contact details, the purpose of the processing, categories of data subjects, parties to whom the data has been (or will be) disclosed, whether the data has been transferred or disclosed outside Saudi Arabia, and the data retention period.

Vendor Assessment and Third-Party Processing

Organizations must choose a processing party that complies with the PDPL. In addition, they must verify this third-party compliance on an ongoing basis.

Cross-Border Data Transfer

Personal data can be transferred only if a strict impact assessment has been done to ensure the security of the external location. Written consent from the regulatory authority must be obtained. Exceptions are made when the transfer vitally serves the public interest and if it is necessary to save the data subject’s life abroad.


13785 Research Blvd, Suite 125
Austin TX 78750, USA

Phone: +1 (888) 571-6480
Fax: +1 (866) 824-9584


FileCloud Technologies Limited
Hamilton House 2,
Limerick, Ireland

Copyright © FileCloud. All Rights Reserved.