Regulates the collection and processing of personal data, guarantees data subjects' rights, and penalizes violations.
This Law applies to any entity that collects or processes personal data of individuals inside the Kingdom.
Data subjects have the right to object to processing of their data for direct marketing purposes.
Collecting data without consent, or disclosing or selling it, carries a fine of up to five million riyals.
The National Cybersecurity Authority is the competent body for supervising implementation of this Law.
Data collected by an individual for personal or family purposes is exempt from this Law's provisions.
Personal data must not be retained after its collection purpose is fulfilled; it must be deleted or anonymized.
Entities processing data of persons with disabilities and sensitive groups must implement enhanced protection measures.
Personal data may not be collected or processed without the explicit consent of the data subject, except in cases specified by the Law.
Data collection must be specific, explicit, and lawful; data may not be processed in a manner incompatible with the purposes for which it was collected.
Data subjects have the right to access their collected data and obtain a copy.
Data subjects have the right to request correction of any inaccurate or misleading data concerning them.
Data subjects have the right to request deletion of their data when there is no longer a legitimate need to retain it.
Data controllers must implement adequate technical and organizational security measures to protect data from breaches or loss.
Security breaches affecting personal data must be reported within 72 hours of discovery.
Cross-border transfer of personal data is prohibited except in cases that ensure an adequate level of protection.