The Enforcement Record: What It Covers

Since the PDPL's enforcement provisions became operative in November 2024, SDAIA has issued 48 confirmed enforcement decisions. These decisions span complaints received from data subjects, investigations initiated by SDAIA on its own motion, and cases referred from other regulatory bodies. The decisions are not uniformly published with full factual detail, but the available record — including decisions disclosed in enforcement summaries, decisions where the subject entity has made regulatory disclosures, and decisions referenced in SDAIA guidance publications — provides sufficient data to identify meaningful patterns.

This analysis covers the categories of violations penalized, the penalty ranges applied, and the enforcement targeting patterns that emerge from the record. Organizations conducting compliance assessments that do not account for the actual enforcement record are calibrating their risk assessments against the text of the law rather than the law as applied.

Categories of Violations Penalized

The 48 decisions cluster into four primary violation categories, often in combination:

  • Unauthorized processing (19 decisions): Processing personal data without a valid legal basis, meaning neither consent under Article 5 of the PDPL nor one of the exceptions to consent enumerated in Article 6. The most common fact pattern involves organizations processing personal data for marketing or commercial purposes without valid consent, or relying on contractual necessity as a basis for processing activities that extend substantially beyond the scope of the underlying contract. Secondary patterns include employee monitoring without a disclosed legal basis and sharing personal data with affiliates without a documented basis for the transfer.
  • Consent failures (14 decisions): Either obtaining consent through mechanisms that do not meet the PDPL's requirements (bundled consent, opt-out rather than opt-in, consent obtained as a condition of service where processing is not strictly necessary) or processing data beyond the scope of consent that was obtained. Several decisions in this category involve consent obtained prior to the PDPL's operative date that was not refreshed to meet the new standard.
  • Breach notification failures (9 decisions): Failure to notify SDAIA within the 72-hour window following awareness of a personal data breach, or notification that omitted required content (categories of data affected, number of data subjects, likely consequences of the breach, measures taken). One case involved a deliberate delay in notification pending internal investigation — an approach SDAIA specifically addressed in its decision as impermissible.
  • Cross-border transfer violations (6 decisions): Transferring personal data outside Saudi Arabia without a valid legal basis or without the documentation that the Implementing Regulations require. All six decisions involved transfers to cloud service providers or SaaS vendors without any documented transfer mechanism or, in two cases, with documentation that was insufficient (generic vendor agreements that did not contain the required substantive provisions).

Penalty Ranges

The PDPL authorizes penalties of up to SAR 5,000,000 for first violations and up to SAR 10,000,000 for repeated violations, with additional penalties for violations involving sensitive personal data. The enforcement record to date shows:

  • Unauthorized processing penalties have ranged from SAR 100,000 to SAR 2,500,000, with the higher end applied to cases involving large volumes of data subjects, intentional violations, or processing of sensitive personal data.
  • Consent failure penalties have ranged from SAR 50,000 to SAR 1,500,000. Lower penalties were applied where the organization had made good-faith efforts to correct the consent mechanism following notification from SDAIA.
  • Breach notification failures have attracted penalties from SAR 200,000 to SAR 3,000,000. The highest penalties in this category have been applied where delay was material (notification occurring more than two weeks after the 72-hour deadline) or where the organization failed to notify data subjects in addition to SDAIA.
  • Cross-border transfer violations have ranged from SAR 500,000 to SAR 2,000,000.

Enforcement Targeting Patterns

Several patterns in SDAIA's enforcement targeting are notable:

  • Sector concentration: Financial services, healthcare, and e-commerce account for over 60% of the 48 decisions. These are sectors processing high volumes of sensitive or commercially valuable personal data, and SDAIA's enforcement activity suggests deliberate prioritization of high-impact sectors.
  • Complaint-driven triggers: Approximately two-thirds of decisions were triggered by data subject complaints rather than by proactive inspections. An organization's enforcement exposure therefore correlates strongly with its customer-facing data practices (consent flows, privacy notices, data subject rights fulfillment) rather than with its backend processing architecture, which data subjects rarely see and so rarely complain about.
  • Repeat encounter escalation: Four organizations in the 48 decisions received escalated penalties for violations that SDAIA characterized as repeat non-compliance. In each case, the organization had previously received a warning or a remediation directive that had not been fully implemented.
  • Documentation as a mitigating factor: Across multiple decision summaries, SDAIA noted the presence or absence of documented compliance measures as a factor in penalty calibration. Organizations that had maintained processing registers, conducted data protection impact assessments, or had written policies — even if the underlying practice was non-compliant — received lower penalties than organizations with no documentation infrastructure at all.

What the Record Tells Organizations

The enforcement record yields several practical conclusions. Customer-facing consent and data subject rights mechanisms carry disproportionate enforcement risk because they are the primary trigger for complaints, and complaints are the primary trigger for decisions. Breach notification failures are penalized more heavily than their frequency in the record might suggest (nine decisions, but the highest penalty ceiling of any category), because SDAIA has signaled that timely notification is a priority. Cross-border transfer violations are under-represented in the enforcement record relative to their likely prevalence in the market, given how routinely personal data flows to cloud and SaaS providers outside Saudi Arabia; this suggests either that the area is a future enforcement priority or that many violations have not yet surfaced through complaints. And documentation, even imperfect documentation, functions as a penalty mitigant that most organizations are not taking full advantage of.