Saudi Arabia Enforces Data Protection Law: Companies Face Fines Up to 1.2 Million - News Directory 3

Saudi Arabia Enforces Data Protection Law: Companies Face Fines Up to 1.2 Million

May 17, 2026 Ahmed Hassan Business
News Context
At a glance
  • The Saudi Data and Artificial Intelligence Authority (SDAIA) has transitioned to the active enforcement phase of the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL).
  • SDAIA has moved from a period focused on guidance and awareness-building to taking direct regulatory action against non-compliant entities.
  • The enforcement process is managed by the Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and Its Implementing Regulations.
Original source: borncity.com

The Saudi Data and Artificial Intelligence Authority (SDAIA) has transitioned to the active enforcement phase of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL). This shift follows the conclusion of a one-year grace period that ended on September 14, 2024, which had previously been granted to organizations to align their operations with the regulatory requirements.

SDAIA has moved from a period focused on guidance and awareness-building to taking direct regulatory action against non-compliant entities. In early 2026, the authority announced through its official channels that it had issued 48 decisions over the preceding year against organizations found to be in violation of the PDPL.

The enforcement process is managed by the Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and Its Implementing Regulations. These Committees are appointed by the president of SDAIA and are composed of both technical and legal members. While the Committees are organizationally linked to SDAIA, they operate independently to review violations.

Organizations that operate within Saudi Arabia or process the personal data of individuals located in the Kingdom are subject to these regulations. The Committees possess the authority to impose a variety of penalties depending on the nature of the violation.

The available sanctions include:

  • The issuance of formal warnings.
  • Financial penalties of up to SAR 5 million, which is approximately $1.33 million.
  • The doubling of fines for organizations that commit repeat violations.
  • Orders for the public publication of final penalties.

The legal proceedings for PDPL violations are conducted largely through electronic means and follow a strict set of procedural rules. Once an indictment is registered, the respondent organization is given five days from the date of notification to provide a response.

Following the review, the Secretariat is required to notify all involved parties of the Committees’ decision within 15 days of its approval. Organizations that wish to contest a ruling have a window of 60 days from the date of notification to file an appeal.

The active enforcement of the PDPL indicates a heightened level of regulatory scrutiny for businesses handling personal data in the region. Organizations are now expected to prioritize compliance to avoid the significant financial and reputational risks associated with the Committees’ penalty powers.

, , , ,