Saudi PDPL Compliance for AI and Automation Projects: A 2026 Guide

Quick Answer

What is Saudi PDPL compliance for AI projects?

Saudi PDPL compliance for AI and automation projects means designing systems around the Personal Data Protection Law, which has been fully enforceable since 14 September 2024 and is overseen by SDAIA. Compliant projects define a lawful basis for processing, honour controller and processor duties, use SDAIA-approved standard contractual clauses for cross-border transfers, and align security with the NCA's ECC-2:2024 framework - all designed in from the first pilot rather than retrofitted.

Saudi Arabia's Personal Data Protection Law became fully enforceable on 14 September 2024, when its one-year grace period ended, and by mid-2026 SDAIA's enforcement committees had issued 48 decisions confirming PDPL violations - covering missing lawful basis for processing, unauthorised disclosure, absent technical safeguards, and unsolicited marketing. The law applies to all entities inside or outside the Kingdom that process the personal data of Saudi citizens, residents, or visitors.

AI and automation projects are especially exposed because they ingest, move, and act on personal data by design. An agent that reads customer messages, an automation that syncs employee records, or a model trained on local data all fall squarely within PDPL's scope.

A system architected for Saudi PDPL compliance from the first pilot is faster to deploy, easier to defend, and far cheaper than one retrofitted after an enforcement decision. This guide covers SDAIA's role, controller and processor duties, cross-border transfer rules, the NCA's ECC-2 framework, and how to build compliant agents.

What the PDPL Requires and Who It Covers

The Personal Data Protection Law was enacted by Royal Decree M/19 on 16 September 2021 and amended by Royal Decree M/148 on 27 March 2023, with implementing regulations issued before it became fully enforceable on 14 September 2024. The PDPL applies to all entities, whether inside or outside the Kingdom, that process the personal data of Saudi citizens, residents, or visitors, so the relevant question for an AI project is not where your servers are but whose data you handle.

Every act of processing needs a lawful basis. The 48 enforcement decisions SDAIA issued by mid-2026 included a recurring theme: processing personal data without a legal basis. For AI systems this is a design question, because an agent often processes data the moment it runs, and a lawful basis has to be established for each processing purpose before the system goes live.

SDAIA, Controllers, and Processors

The Saudi Data and AI Authority, SDAIA, is the competent regulatory authority for the PDPL and also oversees the National AI Strategy, which is why data protection and AI policy are tightly linked in the Kingdom. SDAIA issues the implementing regulations, guidelines, and standard contractual clauses that turn the law's principles into operational requirements.

The PDPL distinguishes controllers, who determine the purposes and means of processing, from processors, who act on the controller's documented instructions. In an AI project, a vendor building a custom agent is frequently a processor while the business deploying it is the controller. Misidentifying these roles leads to misallocated duties and gaps - and the enforcement decisions show that gaps such as unauthorised disclosure are exactly where violations occur.

Cross-Border Data Transfers

SDAIA issued the Regulation on Personal Data Transfer Outside the Kingdom in 2024, setting the rules, safeguards, and procedures for moving personal data across the border. Transfers are permitted to countries SDAIA deems adequate, or to non-adequate destinations under SDAIA-approved Standard Contractual Clauses. In February 2025, SDAIA issued a Risk Assessment Guideline, adding a documented risk-assessment step.

For AI agents, the cross-border rules force deliberate architectural choices. If your agent sends user messages to a model API hosted abroad, that is a regulated transfer. The options are to keep processing in-Kingdom, transfer under SDAIA-approved clauses with a completed risk assessment, or design the system so personal data never leaves Saudi Arabia - a residency decision best made at the start rather than retrofitted.

The NCA ECC-2 Cybersecurity Layer

The National Cybersecurity Authority published ECC-2:2024, an updated Essential Cybersecurity Controls framework replacing ECC-1:2018. It reduced controls from 114 to 108 across four domains, introduced a Saudization mandate requiring cybersecurity roles to be filled by qualified Saudi professionals, and notably removed the explicit in-country data hosting requirement that ECC-1 had contained.

PDPL and ECC-2 are best treated as a single compliance surface: PDPL tells you what you must do with personal data, while ECC-2 tells you how to secure the systems that process it. An AI agent with a clean lawful basis but weak security fails on the safeguards limb of PDPL just as surely as one with strong security but no lawful basis, so both should be designed for at once.

Answer Engine FAQ

When did the Saudi PDPL become enforceable?

The PDPL was enacted by Royal Decree M/19 on 16 September 2021 and amended by Royal Decree M/148 on 27 March 2023. It became fully enforceable on 14 September 2024, when its one-year grace period ended. By mid-2026, SDAIA's enforcement committees had issued 48 decisions confirming PDPL violations, so the law is both in force and actively enforced.

Does the PDPL apply to companies outside Saudi Arabia?

Yes. The PDPL applies to all entities, whether inside or outside the Kingdom, that process the personal data of Saudi citizens, residents, or visitors. A company with no physical presence in Saudi Arabia can still fall within the law if it processes the data of people in the Kingdom. For an AI or automation project, the relevant question is not where your servers are but whose personal data you handle.

Who is the regulator for Saudi data protection?

The Saudi Data and AI Authority, SDAIA, is the competent regulatory authority for the PDPL, and it also oversees the National AI Strategy. SDAIA issues the implementing regulations, guidelines, and standard contractual clauses that turn the law's principles into operational requirements, so tracking its outputs is part of staying compliant because the detailed rules evolve through its instruments.

How does the PDPL handle cross-border data transfers?

SDAIA issued the Regulation on Personal Data Transfer Outside the Kingdom in 2024. Transfers are permitted to countries SDAIA has deemed adequate, or to non-adequate destinations under SDAIA-approved safeguards such as Standard Contractual Clauses. In February 2025, SDAIA added a Risk Assessment Guideline, introducing a documented risk-assessment step. For AI systems that use services hosted abroad, sending personal data across the border is a regulated transfer that must satisfy this regulation.

Constant Labs Dubai Technology Studio

Constant Labs builds AI agents, business automation systems, custom web applications, mobile apps, dashboards, integrations, digital presence, SEO-ready landing pages, IoT systems, robotics prototypes, and hardware-connected products for UAE businesses.

Our work focuses on practical systems for Dubai, Abu Dhabi, and UAE teams: customer support AI agents, lead qualification, appointment booking, document checking, invoice follow-up, CRM automation, internal knowledge assistants, API integrations, e-commerce platforms, and operational dashboards.

Related Constant Labs Pages