The Enforcement Record
On 16 January 2026, SDAIA confirmed that its Committees for Reviewing Violations issued 48 enforcement decisions during the previous year. Each decision established a violation and imposed the statutory penalty on a data controller under Article 36 of the PDPL. This followed the end of the PDPL compliance grace period on 14 September 2024, after which the enforcement provisions became fully operative.
SDAIA described the violations by type. It did not publish a numeric breakdown by category, individual decision records, or penalty amounts per case. The confirmed record is the total, the recurring violation types, and the statutory penalty ceiling.
The Four Recurring Violation Types
SDAIA identified four categories of violation across the 48 decisions.
- Unlawful collection and processing of personal data. Processing without a valid legal basis under the PDPL.
- Disclosure of personal data without legal justification.
- Failure to implement appropriate organizational, administrative, and technical measures to protect personal data.
- Sending advertising and marketing messages to data subjects without their consent.
These are the violation types SDAIA chose to name. They signal where enforcement attention has concentrated.
The Penalty Framework
The PDPL sets the penalty ceiling, not a published per-case figure. Administrative violations carry fines of up to SAR 5,000,000. Fines can double to SAR 10,000,000 for repeat violations. The unlawful disclosure of sensitive personal data, where committed with intent to harm or for personal gain, carries separate criminal penalties of up to two years' imprisonment and a fine of up to SAR 3,000,000. SDAIA did not disclose the specific penalty applied in any of the 48 decisions.
What the Record Signals for Organizations
The four named violation types map to four areas of exposure that most organizations can assess directly.
- Legal basis. Confirm every processing activity has a documented lawful basis under the PDPL.
- Disclosure controls. Confirm personal data is not shared or disclosed without a documented justification.
- Security measures. Confirm organizational, administrative, and technical safeguards are implemented, not only documented.
- Marketing consent. Confirm marketing messages rely on valid, specific consent that meets the PDPL standard.
The record is useful without any assumptions about per-category case counts. The four categories are the regulator's own statement of where violations occurred. Aligning to them is the practical response.
Sources
Primary source: Saudi Press Agency, 16 January 2026, reference N2489505, at spa.gov.sa/en/N2489505. Corroboration: IAPP analysis of SDAIA enforcement.