What is the Saudi PDPL?
The Personal Data Protection Law (PDPL) is Saudi Arabia's first comprehensive law regulating how personal data is collected and processed. It was issued by Royal Decree M/19 in September 2021, amended by Royal Decree M/148 in March 2023, and is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA). The law came into force in September 2023 with a one-year grace period, and that grace period ended in September 2024. Full enforcement is in effect today.
The PDPL applies to any entity processing the personal data of individuals in Saudi Arabia, regardless of size or sector, and it also reaches entities outside the Kingdom that process the data of its residents. For CX and operations leaders, that has one specific meaning: every conversation between your team and a customer, whether on WhatsApp, phone, web chat, or email, is personal data processing governed by this law.
This guide translates PDPL compliance into the language of customer service teams: what changes in how you run conversations, and what you need in place before anyone asks. One important note before we start: this is practical guidance, not legal advice.
What counts as personal data in customer conversations?
Under the PDPL, personal data is any data that identifies an individual, directly or indirectly. In a customer service context, that covers more than most teams expect:
- Phone number and name: the foundation of any WhatsApp conversation or phone call
- The conversation content itself: order details, complaints, addresses, booking times
- Photos, documents, and voice notes the customer sends inside the chat
- Sensitive data: any mention of a health condition or credit data falls into a higher protection category with harsher penalties
The practical takeaway: your company's conversation history is a full personal data repository, and it needs to be managed with the same seriousness as your CRM.
Lawful basis and consent under the PDPL
The PDPL requires a lawful basis for any processing. Consent is the primary basis, but not the only one: processing is also permitted where it serves the actual interest of the data subject and contacting them is impossible or difficult, where it is necessary to perform a contract they are party to, or to meet a legal obligation. The 2023 amendment added legitimate interest as a basis for non-sensitive data, subject to controls.
What does this mean for your team? When a customer messages you about their order, replying and keeping the conversation context to serve them generally rests on contract performance or actual interest. But using their number later for marketing campaigns is a different purpose that needs its own basis, and consent is the safest route there. The golden rule is purpose limitation: data collected to serve a customer cannot be reused for another purpose without a new lawful basis.
Data subject rights your team must handle
The PDPL grants data subjects rights your team must be able to execute in practice, not just recite:
- The right to be informed: customers know why you collect their data and how you process it
- The right of access and to obtain a copy: a customer can request a copy of the data you hold, including their conversation history
- The right to correction: fixing inaccurate or incomplete data
- The right to destruction: requesting deletion of their data once there is no legal need to keep it
Here is the question to put to your team today: if a WhatsApp message arrives saying "send me everything you have on me" or "delete my number and my conversations", does the agent know what to do? Who receives the request, how do they verify the requester's identity, where do they find data spread across channels, and how many days do they have to respond? If there is no ready answer, that is your first gap to close.
Retention and disclosure limits
The PDPL is clear on retention: keep personal data only as long as needed for the purpose it was collected for, then destroy it. A five-year-old conversation log for a customer who has not returned since is a regulatory liability, not a business asset. You need a written retention policy with clear periods per data type, while accounting for other laws that may require minimum retention, such as tax and commercial requirements.
Disclosure is prohibited by default, with narrow exceptions defined by the law. In practice, this draws boundaries inside your company before outside it: not every employee needs to see every conversation. Access should follow need-to-know, so a Riyadh branch agent does not need Jeddah customers' conversations, and a marketing employee does not need the details of an individual complaint.
Cross-border data transfers from Saudi Arabia
Many global customer service tools host their data outside Saudi Arabia, which makes this a very practical question, not a theoretical one. The legal position has evolved: the first version of the law was highly restrictive, then the implementing regulations and the Data Transfer Regulations, updated in 2024, opened clear pathways for transfers.
Today, transferring customer data outside the Kingdom is permitted for defined purposes under conditions: the receiving country has an adequate level of protection recognized by SDAIA, or approved safeguards are used, such as standard contractual clauses, binding common rules, or certifications, always with data minimization. The practical action for your team: inventory your current tools, find out where your customer conversations are actually stored, and make sure your vendor agreements cover these requirements.
Breach notification and PDPL penalties
When a data breach or unauthorized access occurs, SDAIA must be notified under the regulations, which set a 72-hour window from becoming aware of the incident, and data subjects must be notified where the incident causes them harm. That presumes a response plan that exists before the incident: who detects, who assesses, who notifies.
The penalties are serious: fines reach SAR 5 million per violation and can be doubled for repeat offenses. Disclosing sensitive data with intent to harm rises to a criminal offense punishable by up to two years' imprisonment and a fine of up to SAR 3 million. The math is simple: preparing your team today costs far less than your first violation.
A PDPL compliance checklist for CX teams
Concrete steps to start this quarter:
- Map your channels: where do customer conversations actually happen? WhatsApp, phone, web chat, email, employees' personal phones? You cannot protect what you do not know exists
- Minimize collection: ask customers only for what the purpose requires; an order number is often enough instead of a full ID photo
- Write a retention policy: clear periods per data type, and real destruction when they expire
- Set access controls: each team member sees only what their role requires, with a record of who accessed what
- Review vendor contracts: any platform your customer conversations pass through is a data processor and needs a data processing agreement covering its obligations and storage location
- Train agents on rights requests: a clear path for access, correction, and deletion requests, from intake to response
Where your platform fits in your compliance story
A written policy is not enough if your tools cannot execute it. When customer conversations are scattered across employees' personal phones and separate inboxes, fulfilling even a simple access or deletion request becomes nearly impossible, and access control stays theoretical.
This is where a platform like tkana becomes part of your compliance story: conversations from every channel in one place with a clear record, access permissions set per team member by role, and an AI agent that answers according to the instructions and policy you define, not individual improvisation. tkana does not certify your PDPL compliance, since compliance is your organization's responsibility and its decisions, but it gives you the structure that makes operating your policy possible and provable.
The bottom line
The Saudi PDPL is no longer a law on the horizon: it has been fully enforced since the grace period ended in September 2024. Customer service teams sit at the center of compliance because they handle customer data most directly, every day. Start with the inventory, minimize what you collect, control access, prepare your team for rights requests, and choose tools that help you operate your policy rather than work around it.
To repeat for clarity: this is practical guidance, not legal advice. For consequential decisions, engage a qualified legal advisor and refer to SDAIA's official publications for the current texts.
