Saudi Arabia - Data Protection Overview

April 2022

1. Governing Texts 

The data protection regulatory landscape in the Kingdom of Saudi Arabia ('KSA') is complex and continues to develop.

Historically, the KSA did not have specific personal data protection legislation. Rather, it was traditionally thought that Shari’a (or Islamic) principles could offer some protection in respect of processing or use of personal data or information of individuals. However, in recent years the KSA has seen sectoral regulations emerge, for example, in telecoms and financial services.

More recently, we have also seen the introduction of the Personal Data Protection Interim Regulations ('PDPIR'), included within the National Data Governance Interim Regulations, by the National Data Management Office ('NDMO') in 2020, and a new Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021 (only available in Arabic here) ('PDPL'), which was published in the KSA Official Gazette in 2021 but which is not yet in effect.

This Data Protection Overview includes a number of the key features of the PDPIR and the PDPL.

Notably, however, although the PDPL was to become effective on 23 March 2022 (subject to a one-year grace period for compliance), on 21 March 2022, following recommendations from the Saudi Authority for Data and Artificial Intelligence ('SDAIA') and other key stakeholders, a Royal Order was issued postponing the implementation of the PDPL to 17 March 2023. It remains to be seen if, in the period of the postponement, amendments will be made to the PDPL, or if a new law will replace it altogether, to reflect the recommendations of the SDAIA and stakeholders.

1.1. Key acts, regulations, directives, bills

The data protection landscape in the KSA is primarily (but not exclusively) regulated by the following:

  • the PDPL; and
  • the PDPIR.

The PDPL was published in the KSA Official Gazette on 24 September 2021, and states that it would enter into force after 180 days from the date of such publication i.e. 23 March 2022. Data Controllers (as defined in the PDPL – see response at section on principles) would then have another year to comply with the PDPL, although this period might be extended.

The SDAIA, the data regulator as per the PDPL (see section on guidelines), released a statement, on 22 March 2022, stating that the competent authorities have decided to postpone the full enforcement of the PDPL until 17 March 2023 to take the necessary measures in light of recommendations from the SDAIA and feedback received from various stakeholders.

The PDPL will be supplemented by executive regulations, which will provide further guidance on the application of the PDPL. In March 2022, the SDAIA, in collaboration with the NDMO, issued for public consultation a draft version of the Executive Regulations ('the Draft Executive Regulations').

Further details regarding each of these regulations (in their current form, and in the case of the Draft Executive Regulations, in their consultation form) are set out below.

In the meantime, the PDPIR is still available on the NDMO's website and is assumed to remain effective, pending the PDPL becoming effective.

The position regarding the application and enforcement of these regulations, and any further measures by competent authorities, should continue to be monitored.

1.2. Guidelines

The PDPIR was issued by the NDMO.

As per the PDPL, SDAIA will be the regulatory authority for at least two years. During this time, consideration will be given to transferring the competence to supervise the application of the PDPL (and its executive regulations) to the NDMO.

The Saudi Central Bank ('SAMA') and the Communications and Information Technology Commission ('CITC') both appear to maintain their jurisdiction to regulate data protection within their remit.

1.3. Case law

The KSA does not have a system of precedent, meaning that the courts/government authorities do not have to follow the earlier decisions of other courts/authorities, and there is no comprehensive system of reporting cases in the KSA.

Consequently, it is often not possible to reach a definitive interpretation of KSA law, and how a KSA court, committee, or government authority is likely to view a particular issue.

2. Scope of Application 

2.1. Personal scope

Both the PDPIR and the PDPL have extra-territorial effect. In particular (subject to limited exceptions):

  • the PDPIR applies to all entities in the KSA that process personal data in whole or in part, as well as entities outside of the KSA that process personal data related to individuals residing in the KSA using any means, including online personal data processing; and
  • the PDPL applies to any processing of personal data, related to individuals, that takes place in the KSA by any means, including the processing of personal data related to individuals residing in the KSA, carried out, by any means, by any entity outside of the KSA.

There may also be specific regulations applicable to certain sectors, such as the banking sector, which is regulated by the SAMA.

2.2. Territorial scope

See section on personal scope above.

2.3. Material scope

See section on personal scope above.

Notably, processing of personal data for personal or family use is, as long as it is not shared and disclosed to others, exempt from the scope of the PDPL (Article 2(2) of the PDPL).

Separately, the PDPIR shall not be applicable to the direct collection of personal data – without informing the data subject – or its processing other than the purpose for which personal data has been collected or disclosed – without data subject's consent – or transferred outside the KSA, for the following cases (Article 5.1 of the PDPIR):

  • if the data controller is a government entity and the collection or processing of personal data is required for security purposes, to enforce another law, to fulfil judicial requirements, or to fulfil an obligation under an agreement to which the KSA is a party; and
  • if the collection or processing of personal data is necessary to protect public health or safety or to protect the vital interests of individuals.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

See section on guidelines above.

3.2. Main powers, duties and responsibilities

See section on guidelines above.

4. Key Definitions

Data controller: Under the PDPIR, 'data controller' is defined as any entity or any natural or legal person, that collects personal data from a data subject and carries out the processing of that personal data, directly or indirectly, through a processor, pursuant to a legal basis. Under the PDPL, there is no definition of 'data controller'. However, the PDPL defines a 'controlling entity' as any public entity, and any person of private natural or legal capacity, that specifies the purpose and manner of processing personal data, whether they process the data by themselves or by a processing entity.

Data processor: Under the PDPIR, 'data processor' is defined as any independent governmental or public entity, or any natural or legal person, which engages in the processing of personal data, on behalf of a data controller, pursuant to a legal basis. Under the PDPL, there is no definition of 'data processor'. However, the PDPL defines a 'processing entity' as any public entity and any private natural or legal person, that processes personal data for the benefit of, and on behalf of, the controlling entity.

Personal data: Under the PDPIR, 'personal data' is defined as any element of data, regardless of source or form, which independently or when combined with other available information could lead to the identification of a person including but not limited to: first name and last name, Saudi national ID number, address, phone number, bank account number, credit card number, health data, and images or videos of that person. Under the PDPL, 'personal data' is defined as every data, of whatever source or form, that would lead to the identification of the individual specifically, or make it possible to identify them directly or indirectly, including: name, personal identification number, address, contact number, license number, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature.

Sensitive data: Under the PDPIR, 'sensitive data' is defined as data, the loss, misuse, unauthorised access to, or modification of, which could adversely affect the national interest or the conduct of government programs, or the privacy to which individuals are entitled. Under the PDPL, 'sensitive data' is defined as every personal data that includes a reference to an individual's ethnic or tribal origin, or religious, intellectual, or political belief, or indicates their membership in non-governmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown.

Health data: Under the PDPIR, 'health data' is included within the definition of personal data. Under the PDPL, 'health data' is defined as every personal data related to an individual's health status, whether physical, mental, psychological, or related to their health services.

Biometric data: Is not defined in the PDPIR. Under the PDPL, 'biometric data' is included within the definition of sensitive data (please see above).  

Pseudonymisation: Neither the PDPIR nor the PDPL define 'pseudonymisation'.

Data subject: Under the PDPIR, 'data subject' is defined as any natural person to whom the personal data relates, their representative, or the person who has legal custody over them. Under the PDPL, there is no definition of 'data subject'. However, the PDPL defines a 'personal data owner' as an individual to whom the personal data belongs, their representative, or whoever has legal guardianship over them.

Credit data: Is not defined in the PDPIR. Under the PDPL, 'credit data' is defined as every personal data related to an individual's request for, or obtainment of, financing, whether for a personal or family purpose, from an entity that practices financing, including any data related to their ability to obtain credit, to pay it, or their credit history.

Genetic data: Is not defined in the PDPIR. Under the PDPL, 'genetic data' is defined as every personal data related to the genetic or acquired characteristics of a natural person, uniquely identifying the physiological or health characteristics of such person and extracted from the analysis of a biological sample of the person, such as the analysis of nucleic acids or the analysis of any other sample that leads to the extraction of genetic data.

5. Legal Bases 

5.1. Consent

As per the PDPIR, personal data may not be collected or processed without the data subject's express consent. 'Consent' is defined as a knowing, voluntary, clear, and specific, expression of consent, whether oral or written, from the data subject, signifying agreement to the processing of personal data.

As per the PDPL, the primary basis for processing is the consent of the data subject. The executive regulations are expected to outline the cases in which consent must be in writing. For instance, Article 11 of the Draft Executive Regulations stipulates that consent must be in writing in the event of sensitive data. This indicates that there may be cases in which consent can be collected by means other than in writing.

The PDPL allows for processing other than on the basis of consent where:

  • the processing achieves a 'definite interest' of the data subject and it is impossible or difficult to contact the data subject;
  • the processing is in accordance with another law, or in the implementation of a previous agreement to which the data subject is a party; and
  • the data controller is a public entity and such processing is required for security purposes or to meet judicial requirements.

5.2. Contract with the data subject

Neither the PDPIR nor the PDPL recognise contracts executed with data subjects as a legal basis for processing.

However, as indicated in the section on consent above, under the PDPL, personal information can be processed without consent where done to implement a previous agreement to which the data subject is a party.  

5.3. Legal obligations

The PDPIR does not recognise legal obligations as a legal basis for processing.

However, as indicated in the section on consent above, under the PDPL, personal information can be processed without consent where the data controller is a public entity and such processing is required for security purposes or to meet judicial requirements.

5.4. Interests of the data subject

The PDPIR does not recognise the interests of data subjects as a legal basis for processing.

However, as indicated in the section on consent above, under the PDPL, personal information can be processed without consent where the processing achieves a 'definite interest' of the data subject and it is impossible or difficult to contact the data subject.

5.5. Public interest

The PDPIR does not recognise public interest as a legal basis for processing.

However, as indicated in the section on consent above, under the PDPL, personal information can be processed without consent where the data controller is a public entity and such processing is required for security purposes or to meet judicial requirements.

5.6. Legitimate interests of the data controller

Neither the PDPIR nor PDPL recognise legitimate interests as a legal basis for processing.

5.7. Legal bases in other instances

Please see section on consent above.

6. Principles

Under the PDPIR, the key principles are expressly stated as follows:

  • accountability;
  • transparency;
  • choice and consent;
  • limiting data collection;
  • use, retention, and destruction;
  • access of data;
  • data disclosure limitation;
  • data security;
  • data quality; and
  • monitoring and compliance.

The PDPL does not expressly refer to key principles in such a way.

7. Controller and Processor Obligations

7.1. Data processing notification

The PDPIR does not impose registration requirements.

As per the PDPL, data controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is expected to be published in the executive regulations of the PDPL. At the moment, the Draft Executive Regulations stipulates that the competent authority must prepare a regulation which, among other things, will identify the procedures and conditions of registration in the dedicated portal and the related fees according to the nature of the data controller's business and according to such classifications as the competent authority may set in this regard (Article 36 of the Draft Executive Regulations).

In addition, under the PDPL, records of processing activities ('ROPA') need to be registered with SDAIA. Like other data protection laws, the PDPL appears to require that the data controller prepares a ROPA. However, unlike other data protection laws, the PDPL indicates that the ROPA must also be recorded with SDAIA.

7.2. Data transfers

Under the PDPIR, data controllers may only store and process personal data outside the KSA after obtaining written approval from the relevant regulatory authority, whereby 'regulatory authority' is defined as any independent governmental or public entity assuming regulatory duties and responsibilities for a specific sector in the KSA under a legal instrument. The relevant regulatory authority must also coordinate with the NDMO.

The NDMO issued their General Rules on the Transfer of Personal Data Outside the KSA (only available in Arabic here) ('the Transfer Rules') which apply to all public and private entities, as well as non-profit entities in the KSA, which are subject to the scope of the PDPIR and who transfer personal data to other entities outside of the KSA to be processed.

In the event data controllers are not subject to specific regulatory authorities, then the NDMO will exercise the roles and functions of such authorities.  

Data controllers must also obtain NDMO's approval, having coordinated with the regulatory authority, prior to sharing personal data with other entities outside of the KSA.

Under the PDPL, data transfers out of the KSA are even more tightly controlled when compared with the PDPIR. Personal data transfers outside of the KSA are prohibited except in the following circumstances:

  • extreme necessity to preserve the life of a data subject outside of the KSA or the data subject's vital interests;
  • to prevent, examine, or treat a disease;
  • if the transfer is required to comply with an agreement to which the KSA is party;
  • to serve the interests of KSA; or
  • other purposes as determined by the executive regulations.

However, the above is still predicated upon complying with the following conditions:

  • the transfer or disclosure does not prejudice national security or the vital interests of the KSA;
  • there are sufficient guarantees for preserving the confidentiality of the personal data that will be transferred or disclosed, so that the data protection standards are not less than the standards stipulated in the PDPL and the executive regulations;
  • the transfer or disclosure must be limited to the minimum personal data needed; and
  • the competent authority approves the transfer or disclosure, as determined by the executive regulations.

However, the competent authority may exempt the data controller, on a case-by-case basis, from being bound by these conditions if:

  • the transfer does not prejudice national security or the vital interests of the KSA;
  • the competent authority, jointly or severally with other parties, sees that the personal data will have an acceptable level of protection outside of the KSA; and
  • the personal data is not sensitive data.

Note also that the relevant definitions for 'processing' under both the PDPIR and PDPL include, amongst other things, transfer of personal data, therefore the consent requirements relating to processing are also relevant/applicable.

In addition, in certain contexts or sectors, specific approvals may be required, e.g. in the banking sector, the approval of SAMA.

7.3. Data processing records

The PDPIR does not impose an obligation to maintain data processing records.

Under the PDPL, ROPAs need to be registered with SDAIA (please see section on data processing notification above).

7.4. Data protection impact assessment

Neither the PDPIR nor the PDPL specifically impose a strict requirement to prepare a Data Protection Impact Assessment ('DPIA').

The Transfer Rules provide, among other things, that entities wishing to transfer personal data outside of the KSA must carry out an assessment of the potential impact and risks, for each individual case, to identify whether the data controller or data processor provides sufficient level of protection for the rights of data subjects, and must submit the assessment results to the most senior officer at the data controller, to determine the acceptable levels of risk. The findings of the assessment will impact the procedure that entities will have to follow to transfer data outside of the KSA.

However, the Transfer Rules do exempt entities from the requirement to conduct such an assessment in specific cases, namely when the data transfer outside of the KSA is:

  • based on the approval of the data subjects;
  • in enforcement of a contractual obligation to which the data subject is a party;
  • in enforcement of judicial requirements;
  • in enforcement of the provisions of another law or an international treaty to which the KSA is a party;
  • for protection of public interest, including protection of public health or safety; or
  • for protection of data subjects' vital interests.

7.5. Data protection officer appointment

There is no specific requirement under the PDPIR for organisations to appoint a data protection officer.

As per the PDPL, foreign data controllers must appoint a representative in the KSA to be licensed by the competent authority (as per the PDPL, this is to be determined by a decision of the Cabinet) to perform the data controller's obligations stipulated under the provisions of the PDPL and the executive regulations.

This appointment does not prejudice the responsibilities of the foreign data controller towards the data subject or SDAIA. The executive regulations are expected to set out the provisions related to licensing and the limits of the representative's relationship with the data controller outside the KSA, which they represent. The Draft Executive Regulations provide that the competent authority will prepare a regulation which will set out, among other things, the condition for the licensing of a representative of a data controller outside the KSA that processes personal data of residents of the KSA (Article 37 of the Draft Executive Regulations).

7.6. Data breach notification

Under the PDPIR, data controllers must notify the regulatory authorities immediately, and no later than 72 hours, in the event of any data breach or leakage impacting personal data in accordance with the mechanisms and procedures determined by the regulatory authorities. In the event data controllers are not subject to specific regulatory authorities, then the NDMO will exercise the roles and functions of such authorities.  

Under the PDPL, data controllers must notify the competent authority (as per the PDPL, this is to be determined by a decision of the Cabinet) as soon as they become aware of the occurrence of a leakage of or damage to personal data, including if personal data was illegally accessed. In addition, the executive regulations will specify circumstances in which the data controller must notify the data subject in the event of a leakage or damage to the data subject's personal data or illegal access thereto. However, if the occurrence of any of the above would cause serious harm to the data subject's data or the data subject, the data controller must notify the data subject immediately. Article 24 of the Draft Executive Regulations governs the notification of a data breach to data subjects.

In addition, notification obligations may be triggered in specific contexts or sectors in the event of a data breach.

7.7. Data retention

The PDPIR provides that data will be retained as long as necessary to achieve their intended purposes or as required by laws and regulations. Data is defined in the PDPIR as a collection of facts in a raw or unorganised form, such as numbers, characters, images, video, voice recordings, or symbols. In addition, the PDPIR provides the following:

  • data controllers should prepare and document data retention procedures and policies in accordance with the relevant purposes, laws, and regulations; and
  • data controllers should include data retention and destruction policy provisions in any agreements to be concluded with other data processors.

The PDPL provides that data controllers should destroy personal data as soon as the purpose of its collection ceases to exist. However, data controllers may keep such data after the purpose of its collection has ceased to exist, if everything that leads to specifically identifying the data subject is removed in accordance with the controls which are to be specified in the executive regulations.

Data controllers are also permitted to keep personal data after the purpose of its collection has ceased to exist in the following two cases:

  • if there is a legal justification that requires keeping it for a specific period, and in such case, it must be destroyed after the end of this period or the purpose of its collection has ceased to exist, whichever is later; or
  • if the personal data is closely related to a case pending before a judicial authority, and it is required to be kept for this purpose, and in such case, it must be destroyed after completion of the judicial procedures related to the case.

7.8. Children's data

Neither the PDPIR nor the PDPL contain specific provisions regulating the processing of children's data.

However, the Children and Incompetents' Privacy Protection Policy of 25 November 2020 (available only in Arabic here) ('the Policy') was issued by the NDMO and applies to, among others, children, where these are defined as anyone under the age of 18.

The provisions of the Policy apply broadly to all public and private entities, as well as non-profit entities in the KSA, that collect and process personal data of children and incompetents in full or in part, and by any means, whether manual or electronic. The provisions of the Policy will apply to all entities outside the KSA that collect personal data of children and incompetents residing in the KSA via the internet.

The Policy expressly provides, among other things, that a child must enjoy all the rights of data subjects provided for in the PDPIR issued by the NDMO, and the guardian must practice such rights, where the guardian is defined as one of the parents or the person who has guardianship over the child's affairs as per the provisions of Shari'a or relevant laws.

7.9. Special categories of personal data

The PDPIR does not contain specific provisions regarding the processing for special categories of personal data.

As per the PDPL, criminal and security data are included within the definition of sensitive data (see section on key definitions above). The PDPL contains provisions addressing the processing of sensitive data which includes, but is not limited to, the following:

  • sensitive data may not be processed for marketing purposes;
  • data transfer restrictions for sensitive data (see section on data transfers); and
  • criminal and administrative fines for disclosing or publishing sensitive data.

Regarding health data (see section on key definitions), the executive regulations are to provide additional controls and procedures regarding the processing of health data, to ensure the preservation of privacy of its owners. The PDPL provides that the executive regulations will include the following:

  • a restriction of the right to access health data, including medical files, to the minimum possible number of employees or workers and only to the extent necessary for providing the necessary health services, defined as services related to the individual's health, including preventive, curative, and rehabilitative services, hospitalisation, and drug provision; and
  • limiting health data processing procedures and processes to the minimum possible number of employees and workers for providing health services or health insurance programs.

Accordingly, Article 20 of the Draft Executive Regulations includes specific controls and procedures for dealing with health data.

Regarding credit data (see section on key definitions), and similar to health data, the executive regulations are to provide rules regarding the processing of credit data in a manner that ensures the preservation of the privacy of its owners and protects their rights in the PDPL and the Credit Information Law, implemented by Royal Decree No. M/37 of 8 July 2008 ('the Credit Information Law'). The PDPL provides that the executive regulations will include the following:

  • there must be necessary actions to verify the availability of the written consent of the data subject to the collection of the data, or change of the purpose of collection of it, its disclosure or publication in accordance with the PDPL and the Credit Information Law; and
  • the data subject must be notified if a request for disclosure of the data subject's credit data is received from any party.

Accordingly, Article 21 of the Draft Executive Regulations includes specific controls and procedures for dealing with credit data.

7.10. Controller and processor contracts

The PDPIR does not impose such requirements.

Under the PDPL, the data controller must, when choosing a data processor, be committed to choosing an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must constantly verify such entity's compliance with its instructions in all matters relating to the protection of personal data in a manner that does not contradict the provisions of the PDPL and executive regulations, and without prejudice to its responsibilities towards the data subject or the competent authority, as the case may be. The executive regulations are expected to provide further guidance on this requirement, with the PDPL providing that they include provisions relating to any subsequent contracts with the data processor.

8. Data Subject Rights

8.1. Right to be informed

Under the PDPIR, data subjects have the right to be informed of the legal basis and purpose for the collection and processing of their personal data.

Under the PDPL, data subjects have the right to be informed, which includes informing them of the valid legal or practical justification for collecting their personal data, the purposes for such collection, and that such data should not be processed later in a manner that is inconsistent with the purpose for which it is collected, or in cases other than those as stipulated in Article 10 of the PDPL. Article 10 of the PDPL provides for certain cases (e.g. if the personal data is publicly available) where the data controller may collect personal data from someone other than its owner or process it for a purpose other than that for which it was collected.

8.2. Right to access

Under the PDPIR, a data subject has the right to access their personal data within the possession of the data controller, including access to, request to correct, complete, or update personal data, request to destroy unnecessary data, and get a copy of such data in a clear format.

Under the PDPL, the data subject has the right to have access to their personal data available to the data controller, which includes accessing it, and obtaining a copy thereof in a format that is clear and identical to the content of the records and free of charge, as determined by the executive regulations (Article 6 of the Draft Executive Regulations). This is without prejudice to the stipulations contained in the Credit Information Law regarding financial consideration, and certain rights of the data controller relating to such access (e.g. the ability of a data controller to restrict the access right if the data controller is a public entity and the restriction is required for security purposes).

8.3. Right to rectification

Regarding the PDPIR, please see section on the right to access above.

Under the PDPL, the data subjects have the right to request correction, completion, or updating of their personal data available to the data controller.

8.4. Right to erasure

Regarding the PDPIR, please see section on the right to access above.

Under the PDPL, the data subjects have the right to request destruction of their personal data available to the data controller, which is no longer needed, without prejudice to the provisions of Article 18 of the PDPL. Article 18 of the PDPL addresses scenarios where the data controller may retain personal data.

8.5. Right to object/opt-out

Under the PDPL, data subjects have the right to withdraw consent at any time.

Under the PDPIR, data subjects have the right to withdraw consent at any time unless statutory or judicial requirements require otherwise.

8.6. Right to data portability

Under the PDPIR, data subjects have the right to access their personal data within the possession of the data controller and to receive a copy of such data in a clear format.

Under the PDPL, data subjects have the right to access their personal data and obtain a copy in a format that is clear and identical to the content of the records free of charge.

8.7. Right not to be subject to automated decision-making

Neither the PDPIR nor the PDPL specifically address rights in relation to automated decision-making.

8.8. Other rights

The PDPL provides that a person who has suffered harm as a result of violating the PDPL or the executive regulations has the right to claim before the competent court for compensation for material or moral damage in proportion to the extent of damage.

The executive regulations may, once issued, include additional rights. For instance, the Draft Executive Regulations include, under Article 5, the right to know on using emerging technology.

9. Penalties 

The PDPIR does not contain any express enforcement mechanism or penalties for non-compliance.

As per the PDPL, there are criminal penalties and fines for the following offences:

  • unlawfully transferring data out of the KSA (imprisonment of up to one year and/or a fine of up to SAR 1 million (approx. €242,280)); and
  • disclosing or publishing sensitive data unlawfully with intent of harming the data subject or with the intention of achieving some personal benefit (imprisonment up to two years and/or a fine of up to SAR 3 million (approx. €726,850)).

Separately, SDAIA has the power to issue warnings and administrative fines of up to SAR 5 million (approx. €1.2 million) for any other violation, which is appealable. This is without prejudice to any more severe penalty stipulated in another law.

Please note the competent court may double the penalty of a fine for repeat offenders.

9.1 Enforcement decisions

Not applicable.