Side-by-side comparison of the UAE Personal Data Protection Law (PDPL) and the Saudi Arabia Personal Data Protection Law (PDPL). Covers scope, consent, data localisation, breach notification, penalties, and enforcement.
| Aspect | 🇦🇪 UAE PDPL | 🇸🇦 Saudi PDPL |
|---|---|---|
| Law / Instrument | Federal Decree-Law No. 45 of 2021 (UAE PDPL) | Royal Decree No. M/19 of 2021 (Saudi PDPL) |
| Enforcement body | Ministry of Industry & Advanced Technology (MoIAT) — UAE Data Office | Saudi Data & AI Authority (SDAIA) |
| Territorial scope | All processing in the UAE; excludes ADGM and DIFC (separate regimes) | All processing of personal data of individuals in Saudi Arabia, including by offshore entities |
| Lawful basis for processing | Consent, contract, vital interests, legal obligation, or legitimate interests | Consent, contract, vital interests, legal obligation, or legitimate interests (sensitive data: explicit consent only) |
| Sensitive data categories | Health, genetic, biometric, criminal, financial, political, religious, and ethnic origin data | Health, genetic, biometric, criminal, financial, ethnic origin, and religious data |
| Data localisation | Not required; cross-border transfers allowed with adequate safeguards (key practical difference for multinationals) | Sensitive data of Saudi nationals must be stored within the Kingdom of Saudi Arabia |
| Cross-border transfer | Permitted to countries with adequate protection or with contractual safeguards approved by MoIAT | Permitted if recipient country has comparable protection or with SDAIA approval; localisation required for sensitive data |
| Breach notification | Notify the Data Protection Authority within 72 hours of becoming aware of a breach | Notify SDAIA within 72 hours of a breach that may cause harm to data subjects |
| Data subject rights | Access, correction, erasure, restriction of processing, objection, portability, and right to human review of automated decisions | Access, correction, erasure, restriction, and right to request human review of automated decisions |
| Data Protection Officer | Required for high-risk or large-scale processing; details set by implementing regulation | Required for entities processing large volumes of sensitive data or for government-related entities |
| DPIA requirement | Required for high-risk processing activities as defined by MoIAT | Required for high-risk or large-scale processing as determined by SDAIA |
| Maximum penalty | AED 5 million (≈USD 1.4M) for administrative violations; criminal sanctions for intentional misuse of sensitive data | SAR 5 million (≈USD 1.3M), doubled for repeat offences; criminal prosecution possible |
| Free zone carve-outs | Yes — ADGM and DIFC have their own data protection regimes; UAE PDPL does not apply within these zones | No free zone carve-outs — Saudi PDPL applies throughout the Kingdom |
| AI / automated decisions | Data subjects may request disclosure of logic behind automated decisions with significant effects | Right to human review of significant automated decisions; SDAIA AI Ethics Principles apply as soft guidance |
| Effective date | In force since September 2022 (enforcement from January 2023) | In force since September 2023 (two-year transition from enactment) |
What is the key difference between UAE PDPL and Saudi PDPL?
The UAE PDPL (Federal Decree-Law No. 45/2021) applies to all UAE-based processing but excludes ADGM and DIFC free zones, which have their own laws. The Saudi PDPL (Royal Decree M/19, 2021) applies nationally and adds a data localisation requirement for sensitive data of Saudi nationals, which the UAE PDPL does not have.
Does the UAE or Saudi Arabia have stricter data localisation rules?
Saudi Arabia has stricter data localisation rules. The Saudi PDPL requires that sensitive personal data of Saudi nationals (including health and financial data) must be stored within the Kingdom. The UAE PDPL allows cross-border transfers with appropriate safeguards but does not require in-country storage.
Which law has higher penalties — UAE PDPL or Saudi PDPL?
Both laws carry significant penalties. The UAE PDPL provides for administrative fines up to AED 5 million (≈USD 1.4 million). The Saudi PDPL provides for fines up to SAR 5 million (≈USD 1.3 million) with doubling for repeat offences. Both also allow criminal prosecution for intentional misuse of personal data.
This comparison is for informational purposes only and does not constitute legal advice. Regulatory requirements may be updated by implementing regulations and guidance issued after the date of this page. Always consult the official texts and qualified legal counsel.