PDPL Compliance for Saudi Websites & Apps: A Practical 2026 Guide
What Saudi PDPL actually requires from your website and app in 2026 — consent, breach reporting, SDAIA registration, data residency, fines, and what it means for AI agents.
Key Takeaways
- PDPL has been fully enforceable since 14 September 2024 and applies to any processing of personal data of people in Saudi Arabia, including foreign companies — 2026 is an active enforcement era.
- Core duties: genuine opt-in consent (especially for WhatsApp/SMS/email marketing), a transparent bilingual privacy policy, and a real channel for data-subject rights.
- Operational hard rules: notify SDAIA within 72 hours of a breach (no materiality threshold), register higher-risk controllers on the National Data Governance Platform, and appoint a DPO where required.
- Personal data of Saudi individuals should default to in-Kingdom processing; cross-border transfers need adequacy, SDAIA SCCs, minimization, and a documented risk assessment.
- Fines reach SAR 5M per violation (doubled for repeat offenders); AI agents and RAG systems handling personal data must build in lawful basis, minimization, and residency.
Who must comply with PDPL?
Almost any organization processing the personal data of people inside Saudi Arabia must comply with the Personal Data Protection Law (PDPL) — regardless of where the company itself is located. The law became fully enforceable on 14 September 2024, when the one-year transition grace period expired, so 2026 is firmly an enforcement era, not a preparation one.
PDPL's reach is deliberately broad. Unlike GDPR, which ties its extraterritorial scope to specific triggers like targeting or behavioral monitoring, PDPL applies to any processing of personal data of individuals in the Kingdom. If your website takes contact-form submissions from Riyadh, your Salla or Zid store ships to Jeddah, or your app authenticates Saudi users, you are in scope. SDAIA — the Saudi Data & AI Authority — is the regulator and operates the National Data Governance Platform that controllers interact with.
The core obligations: consent, notice, and data-subject rights
Your three foundational obligations are a clear legal basis for processing (usually consent), a transparent privacy notice, and a working way for people to exercise their rights. These are the areas SDAIA has actually penalized: a notable share of its first 48 enforcement decisions involved marketing and promotional messages sent without prior consent.
In practice this means consent must be specific, informed, and freely given — no pre-ticked boxes, and a genuine opt-in before you push WhatsApp Business API broadcasts, SMS, or email campaigns. Your privacy policy must state what data you collect, why, the legal basis, retention periods, and any third parties or sub-processors (payment gateways like Mada, STC Pay, Tamara, or Tabby; analytics; cloud hosting). Data subjects have rights to access, correct, request deletion, withdraw consent, and be informed — and your site or app needs a real channel to honor those requests, not a dead inbox.
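The consent and data-subject duties above translate into a small amount of backend machinery: a ledger that only accepts affirmative opt-ins, a gate that every campaign sender must call, and functions that serve access, withdrawal, and deletion requests. The following is an added illustration written for this guide; it is not Visperah Tech's or SDAIA's code, and the channel names, purposes, and in-memory storage are constructed assumptions.

```python
"""Consent ledger that gates marketing sends and serves data-subject requests.
Added illustration, not Visperah Tech's or SDAIA's code; channel names,
purposes and the in-memory storage model are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MARKETING_CHANNELS = {"whatsapp", "sms", "email"}


@dataclass
class ConsentRecord:
    subject_id: str
    channel: str
    purpose: str
    given_at: datetime
    notice_version: str       # which version of the privacy notice the person saw
    source: str               # where the opt-in was captured (form, checkout, ...)
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    records: list = field(default_factory=list)
    suppressed: set = field(default_factory=set)   # subjects erased on request

    def record_consent(self, subject_id, channel, purpose, notice_version,
                       source, *, explicit_optin: bool, now=None) -> ConsentRecord:
        """Store an opt-in only when it was an affirmative action by the person."""
        if channel not in MARKETING_CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if not explicit_optin:
            # pre-ticked boxes, silence or bundled consent never enter the ledger
            raise ValueError("consent must be an affirmative, specific opt-in")
        rec = ConsentRecord(subject_id, channel, purpose,
                            now or datetime.now(timezone.utc), notice_version, source)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, channel, purpose, now=None) -> int:
        """Withdrawal is per channel and purpose; returns how many grants it closed."""
        stamp = now or datetime.now(timezone.utc)
        closed = 0
        for r in self._active(subject_id, channel, purpose):
            r.withdrawn_at = stamp
            closed += 1
        return closed

    def may_send(self, subject_id, channel, purpose) -> bool:
        """The gate every campaign sender must call before a message goes out."""
        if subject_id in self.suppressed:
            return False
        return bool(self._active(subject_id, channel, purpose))

    def access_export(self, subject_id) -> list:
        """Answer an access request: everything the ledger holds about this person."""
        return [
            {"channel": r.channel, "purpose": r.purpose,
             "given_at": r.given_at.isoformat(), "notice_version": r.notice_version,
             "source": r.source,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self.records if r.subject_id == subject_id
        ]

    def erase(self, subject_id) -> int:
        """Deletion request: drop the records but keep an ID-only suppression
        entry so a stale CRM import can never re-enable marketing to the person."""
        kept = [r for r in self.records if r.subject_id != subject_id]
        removed = len(self.records) - len(kept)
        self.records = kept
        self.suppressed.add(subject_id)
        return removed

    def _active(self, subject_id, channel, purpose):
        return [r for r in self.records
                if r.subject_id == subject_id and r.channel == channel
                and r.purpose == purpose and r.withdrawn_at is None]


def partition_recipients(ledger: ConsentLedger, subject_ids, channel, purpose):
    """Split a campaign list into people you may message and people you may not."""
    allowed = [s for s in subject_ids if ledger.may_send(s, channel, purpose)]
    blocked = [s for s in subject_ids if s not in allowed]
    return allowed, blocked
```

Two design points carry most of the value: consent is keyed by channel and purpose, so a WhatsApp opt-in never authorizes an SMS blast, and erasure leaves an ID-only suppression entry so that the deleted person cannot be re-marketed by a later list import.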
Breach notification, controller registration, and the DPO
You must notify SDAIA within 72 hours of becoming aware of a breach that may harm personal data or data subjects' rights — and there is no materiality threshold, so 'small' breaches still count. Affected individuals must also be informed where the breach could cause them harm. Treat 72 hours as a hard operational deadline: have an incident runbook, a named owner, and contact details ready before anything goes wrong.
Higher-risk controllers must register on SDAIA's National Data Governance Platform — this applies to public entities, organizations processing sensitive data, those conducting cross-border transfers, and those handling children's or vulnerable individuals' data. The same categories generally trigger a requirement to appoint a Data Protection Officer (DPO), particularly where core activities involve large-scale processing or regular and systematic monitoring. Once appointed, the DPO's details are submitted through the same platform.
Data residency and cross-border transfers
As a default, the personal data of individuals in Saudi Arabia should be processed inside the Kingdom, and moving it abroad requires meeting specific conditions. This is the single point that most often forces a re-architecture for SaaS, analytics, and cloud-hosted apps that quietly default to data centers in the EU or US.
Transfers outside Saudi Arabia must not prejudice national security or public order, the destination must offer an adequate level of protection (as assessed by SDAIA) or rely on approved safeguards such as SDAIA Standard Contractual Clauses, and the data moved must be the minimum necessary. For sensitive or large-scale transfers, a documented risk assessment under SDAIA's February 2025 Risk Assessment Guideline is mandatory. Practically: prefer in-Kingdom hosting regions, map every sub-processor's data location, and keep the transfer paperwork on file.
Fines: how much non-compliance actually costs
SDAIA's specialized committees can issue warnings, impose fines of up to SAR 5 million (roughly USD 1.3M) per violation, double that for repeat offenders, and order public disclosure of the penalty. For unlawful disclosure of sensitive data, separate criminal penalties — including potential imprisonment — can apply.
The reputational dimension is as real as the financial one. SDAIA issued 48 enforcement decisions in its first substantive wave, covering unlawful collection, weak technical and organizational controls, and non-consented marketing. For a B2B brand selling to Saudi CXOs, a published penalty is a trust problem that outlasts the fine itself.
What PDPL means for AI agents handling personal data
If an AI agent reads, stores, or reasons over customer personal data, every PDPL obligation still applies — plus SDAIA's AI governance layer on top. With 2026 positioned as Saudi Arabia's 'Year of AI' under Vision 2030, the regulator pairs the PDPL with its AI Adoption Framework and ethics principles, and has itself adopted ISO 42001 for AI management systems.
Concretely: an AI agent that drafts WhatsApp replies, a RAG system retrieving from a CRM or ERP, or an automation that enriches lead records all process personal data and need a lawful basis, purpose limitation, and minimization built in. Watch for data leaving the Kingdom via third-party model APIs, retention of prompts and conversation logs, and 'secondary use' — feeding personal data into model training or new purposes it was not collected for. Design for in-Kingdom processing where feasible, log what the agent accesses, and keep a human path for data-subject requests.
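The requirements in this section (lawful basis and purpose limitation, minimization, in-Kingdom processing, access logging, and bounded retention of prompts) can be enforced in one gate that sits between the agent and any model or enrichment API. The block below is an added illustration for this guide, not Visperah Tech's or SDAIA's code; the sub-processor names and regions, the purpose-to-field allowlists, and the 30-day prompt retention are constructed assumptions, and the transfer classification only mirrors the conditions the text lists, not a legal determination.

```python
"""Residency, minimization and access-logging gate in front of a model API.
Added illustration, not Visperah Tech's or SDAIA's code; vendor names, regions,
purpose allowlists and the retention period are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SubProcessor:
    name: str
    region: str                      # ISO 3166 code of where the data is processed
    transfer_basis: Optional[str]    # "adequacy", "sdaia_scc" or None
    risk_assessment_on_file: bool = False


def transfer_status(sp: SubProcessor, sensitive: bool) -> str:
    """Classify a flow to one sub-processor against the PDPL transfer conditions."""
    if sp.region == "SA":
        return "in_kingdom"
    if sp.transfer_basis not in ("adequacy", "sdaia_scc"):
        return "blocked:no_adequacy_or_scc"
    if sensitive and not sp.risk_assessment_on_file:
        return "blocked:risk_assessment_required"
    return "allowed:cross_border"


# Purpose -> the only fields the agent may place in a prompt (minimization).
# A purpose absent from this table has no recorded lawful basis.
PURPOSE_FIELDS = {
    "support_reply": {"first_name", "order_id", "last_message"},
    "lead_enrichment": {"company", "job_title"},
    "claims_review": {"policy_id", "health_note"},
}
SENSITIVE_FIELDS = {"national_id", "health_note"}


@dataclass
class AgentGate:
    access_log: list = field(default_factory=list)
    prompt_store: list = field(default_factory=list)
    prompt_retention: timedelta = timedelta(days=30)

    def prepare_call(self, subject_id, purpose, record: dict,
                     sp: SubProcessor, now=None) -> dict:
        """Minimize the record, check residency, log the access, then release
        the prompt fields. Blocked attempts are logged before they are refused."""
        now = now or datetime.now(timezone.utc)
        if purpose not in PURPOSE_FIELDS:
            raise PermissionError(f"no lawful basis recorded for purpose {purpose!r}")
        allowed = PURPOSE_FIELDS[purpose]
        minimized = {k: v for k, v in record.items() if k in allowed}
        dropped = sorted(set(record) - allowed)
        sensitive = bool(SENSITIVE_FIELDS & set(minimized))
        decision = transfer_status(sp, sensitive)
        self.access_log.append({
            "at": now.isoformat(), "subject": subject_id, "purpose": purpose,
            "fields": sorted(minimized), "dropped": dropped,
            "processor": sp.name, "region": sp.region, "decision": decision,
        })
        if decision.startswith("blocked"):
            raise PermissionError(decision)
        # Prompts are retained for a bounded period and never reused for training.
        self.prompt_store.append({"subject": subject_id, "prompt": minimized,
                                  "expires": now + self.prompt_retention})
        return minimized

    def purge_expired(self, now=None) -> int:
        """Retention job: drop stored prompts past their expiry, return how many."""
        now = now or datetime.now(timezone.utc)
        before = len(self.prompt_store)
        self.prompt_store = [p for p in self.prompt_store if p["expires"] > now]
        return before - len(self.prompt_store)
```

The access log is written before the decision is enforced, so a refused cross-border call still leaves a record that the agent tried; that is the evidence an auditor asks for when checking that data did not leave the Kingdom through a third-party model API.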
A practical PDPL checklist
Start with these concrete steps and treat each as evidence you can show SDAIA.
1. Publish a clear Arabic-and-English privacy policy covering data, purpose, legal basis, retention, and sub-processors.
2. Implement genuine opt-in consent before any marketing across WhatsApp, SMS, or email.
3. Build a data-subject request channel for access, correction, deletion, and consent withdrawal.
4. Map where your data lives — hosting, payment gateways, analytics — and prefer in-Kingdom regions.
5. Document cross-border transfers with a risk assessment and SDAIA SCCs where needed.
6. Stand up a 72-hour breach runbook with a named owner.
7. Register on the National Data Governance Platform and appoint a DPO if your processing triggers it.
8. Inventory every AI agent and automation touching personal data, with retention and access logging.
Visperah Tech builds Saudi websites, apps, and AI agents with a compliance-aware posture — privacy-by-design, in-Kingdom hosting options, and consent and audit built into the product — but this is engineering guidance, not legal advice. For binding interpretation of your obligations, consult a qualified Saudi data-protection lawyer.