PDPL Compliance for HR Teams in Saudi Arabia (2026 Guide)

Saudi HR Team, April 9, 2026, 9 min read

Of every department in your company, HR probably handles the most sensitive personal data: national IDs, salaries, bank details, medical certificates, biometric attendance records, and performance reviews. Under Saudi Arabia's Personal Data Protection Law (PDPL), that makes HR one of the highest-risk functions for compliance failures, and the enforcement era has firmly arrived.

The PDPL took effect on 14 September 2023 with a one-year grace period. That grace period ended on 14 September 2024, after which the law became fully enforceable. There is no transition cushion left. SDAIA, the Saudi Data and Artificial Intelligence Authority, is now actively enforcing the regime, and HR teams need to treat employee data the same way finance treats company money.

This guide breaks down what PDPL compliance actually requires of an HR function in 2026.

Why HR Sits at the Center of PDPL Risk

The PDPL governs how organizations collect, process, store, and share the personal data of individuals in Saudi Arabia. Employees are data subjects, and almost every HR process touches their personal data.

Two categories matter especially. Health data and biometric data are classified as sensitive data under the PDPL, which means they attract stricter handling rules and the highest penalty tier. HR routinely processes both: sick-leave medical certificates are health data, and fingerprint or facial-recognition attendance systems are biometric data. If your function relies on either, your exposure is higher than average.

Enforcement is not theoretical. In the first year of enforcement, SDAIA's committees issued 48 decisions confirming PDPL violations. The confirmed violations included processing personal data with no valid legal basis and unauthorized disclosure of personal data, both of which are exactly the kinds of mistakes that happen inside HR teams that have not adapted their processes.

The Legal Basis Problem: You Cannot Just Collect Data

A recurring theme in the confirmed violations is processing personal data with no valid legal basis. Under the PDPL, you need a lawful reason to process each piece of personal data you hold.

A 2023 Royal Decree amendment (M/148, 27 March 2023) introduced legitimate interest as a lawful basis, which gives employers more flexibility than relying on consent alone. However, there is a hard limit that matters directly to HR: legitimate interest cannot be used as a basis for processing sensitive personal data. Because health and biometric data are sensitive, you cannot lean on legitimate interest to justify collecting medical certificates or running a fingerprint clock-in system. Those require a stronger basis and more careful handling.

The practical takeaway is to map every category of employee data you hold against its lawful basis, and treat sensitive data as a separate, stricter track.

Employee Data Rights HR Must Honor

The PDPL gives data subjects, including your employees, enforceable rights over their own data. The core rights are the rights to access, correct, and request deletion of their personal data.

For an HR team this means building a process to respond when an employee asks to see what data you hold, asks you to fix an error in their record, or asks you to delete data you no longer need. These are not optional courtesies; they are legal obligations, and an employee who is ignored can complain to SDAIA.

This connects directly to a separate obligation: retention limitation and data minimization. Controllers must not retain personal data for longer than necessary for the purpose for which it was collected, and must destroy it once it is no longer needed. HR archives that quietly keep every applicant CV, terminated-employee file, and old payroll record forever are a compliance liability, not a safety net. Build a retention schedule and stick to it.

The 72-Hour Breach Clock

If employee data is exposed, leaked, or compromised, the clock starts immediately.

Controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach that may harm the personal data or the data subjects' rights, under Article 24 of the Implementing Regulations. Critically, there is no materiality threshold: you do not get to decide that a breach was too small to report. If it may cause harm, it must be reported, and 72 hours is not a lot of time once you account for detecting the incident, investigating it, and assembling the facts.

HR teams should know, before anything goes wrong, who internally owns breach response and how to reach SDAIA. A misdirected payroll email, a lost laptop with employee files, or a misconfigured HR system can all trigger the obligation.

Registration and the DPO Question

Two structural obligations sit above the day-to-day handling rules.

Controller registration

Controllers must register on SDAIA's National Data Governance Platform. The controller registration certificate in the National Register is valid for a maximum of 5 years, after which it must be renewed. This is an organization-level obligation, but HR leaders should confirm their company has done it rather than assume IT or legal handled it.

Data Protection Officer

A Data Protection Officer (DPO) appointment is mandatory in specific situations:

  • where core activities involve large-scale systematic monitoring of data subjects
  • where core activities involve large-scale processing of sensitive personal data
  • for public entities providing large-scale services that involve personal data

Large workforces with biometric monitoring or extensive health-data processing can fall into the first two triggers through HR activity alone. If your organization meets any trigger, the DPO is not optional.

The Penalties: Why This Is a Board-Level Issue

The PDPL backs its rules with serious consequences, and the penalty structure has two tiers.

Violation type: General PDPL violations
Penalty: A warning, or a fine of up to SAR 5 million per violation (may be doubled to SAR 10 million for repeat offences)

Violation type: Unlawful disclosure of sensitive data
Penalty: Up to 2 years imprisonment and/or a fine of up to SAR 3 million, where done with intent to harm the data subject or for personal benefit

The general tier covers most of what an HR team might get wrong, such as processing without a legal basis or unauthorized disclosure: a warning or a fine of up to SAR 5 million per violation, doubled for repeat offences.

The criminal tier is narrower but more severe. Under PDPL Article 35, disclosing or publishing sensitive data in violation of the law carries up to 2 years imprisonment and/or a fine up to SAR 3 million where it is done with intent to harm the data subject or to gain personal benefit. The intent element is what separates a careless mistake from a criminal act, but given that HR handles sensitive health and biometric data, the criminal tier is genuinely in play for this function.

The Rules Are Still Evolving

The PDPL framework is not frozen. SDAIA ran a public consultation on amendments to the PDPL Implementing Regulations between 27 April 2025 and 27 May 2025, the third such public consultation. HR teams should expect the detailed rules to keep maturing and should not treat a one-time compliance project as permanently done.

A Practical PDPL Checklist for HR

  • Map every category of employee data you hold to a lawful basis for processing
  • Flag health data and biometric data as sensitive, and apply stricter handling
  • Confirm you are not relying on legitimate interest for any sensitive data
  • Build a process to handle employee access, correction, and deletion requests
  • Create and enforce a data retention schedule; destroy data no longer needed
  • Define a breach-response owner and how to notify SDAIA within 72 hours
  • Verify your organization is registered on SDAIA's National Data Governance Platform
  • Assess whether your activities trigger the mandatory DPO requirement

Frequently Asked Questions

Is the Saudi PDPL fully in force, or is there still a grace period?

It is fully in force. The PDPL took effect on 14 September 2023 with a one-year grace period, and that grace period ended on 14 September 2024. The law has been fully enforceable since then, and SDAIA is actively enforcing it.

Can we use biometric fingerprint attendance for employees under the PDPL?

Biometric data is classified as sensitive data under the PDPL, so it attracts stricter handling rules and the higher penalty tier. You also cannot rely on legitimate interest as the lawful basis for processing sensitive data, so biometric attendance needs a stronger legal footing and careful handling. Confirm your specific basis before deploying it broadly.

How quickly must we report a data breach involving employee records?

Controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach that may harm the personal data or the data subjects' rights, under Article 24 of the Implementing Regulations. There is no materiality threshold, so you cannot decide a breach is too minor to report.

What is the maximum penalty for an HR-related PDPL violation?

General violations can draw a warning or a fine up to SAR 5 million per violation, doubled to SAR 10 million for repeat offences. Unlawful disclosure of sensitive data, done with intent to harm or for personal benefit, can mean up to 2 years imprisonment and/or a fine up to SAR 3 million under Article 35.

Compliance and Labor Law Go Hand in Hand

PDPL compliance does not exist in isolation. The same employee files that fall under data protection rules also carry your labor-law obligations, from contract registration to leave records. If you are reviewing how you handle employee data, it is worth revisiting the underlying entitlements too. Our guide to your rights as an expat employee in Saudi Arabia walks through the contract, leave, and end-of-service rules that shape much of the data HR keeps, and our unified contract compliance guide covers the documentation side in depth.

Get PDPL Answers on Demand

Data protection rules are detailed, fast-moving, and unforgiving of guesswork. The Saudi HR assistant can help your team understand specific PDPL obligations, breach-notification timelines, employee data rights, and how they intersect with Saudi labor law, in plain language and in both Arabic and English. Ask a question and get a grounded answer instead of digging through regulations on your own.