What services does SKYLINE provide?

We provide specialized divisions including: Data Centre Design & Build (Tier III/IV), Cybersecurity SOC/NOC Operations, SCADA & Automation, Fire Safety, Construction, HVAC, AI Solutions, Server Infrastructure with HPE & Dell, and Software Development.

Does SKYLINE design and build data centres?

Yes, we specialize in Tier III and Tier IV data centre design and construction including electrical infrastructure, precision cooling, raised flooring, fire suppression, and Schneider Electric UPS systems. All our projects are SACS-002 compliant and trusted by major clients like Saudi Aramco and SABIC.

Where is SKYLINE located?

Our headquarters is in Dammam, Eastern Province, Saudi Arabia. We serve all regions of Saudi Arabia and GCC countries including Riyadh, Jeddah, Khobar, Dhahran, and Jubail.

What compliance certifications does SKYLINE hold?

We comply with NCA-ECC (Essential Cybersecurity Controls), SACS-002 (Saudi Communications Standards for Data Centres), ISO 27001 (Information Security Management), and SAMA Cybersecurity Framework.

What experience does SKYLINE have in the Saudi market?

SKYLINE was founded in 2019 with 6+ years of experience, has completed 15+ mega projects including the FIFA Club World Cup, and serves 200+ clients including Saudi Aramco, SABIC, Maaden, and STC.

SKYLINE Industrial & IT Solutions

A practitioner-grade walk-through of SDAIA PDPL — Personal Data Protection Law Full Compliance Walkthrough. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for PDPL and SDAIA.

SKYLINE Engineering @skyline

Published: Jan 9, 2026
Last updated: May 28, 2026
Reading time: 5 min

Overview

The Personal Data Protection Law (PDPL) — Royal Decree M/19 of 1443H, with its Implementing Regulation issued by SDAIA — is the binding privacy law of the Kingdom of Saudi Arabia. The law came into force on 14 September 2023 with a one-year transition; full enforcement landed in September 2024. Penalties reach up to SAR 5 million per violation and, for serious offences, up to 2 years' imprisonment. Every organisation that processes personal data of individuals located in Saudi Arabia is in scope — regardless of where the organisation itself is established.

Who this applies to

Any controller (entity deciding the purpose and means of processing) of personal data of individuals in KSA.
Any processor (entity processing on behalf of a controller).
Public and private sector alike.
Extraterritorial reach: foreign companies serving KSA customers must comply.
Limited exemption: purely personal/household processing.

Key obligations

PDPL is structured around 9 themes mapping to NCA controls and to GDPR concepts:

Lawful basis — consent, contract, legal obligation, vital interests, public interest, legitimate interest (limited).
Data subject rights — access, correction, transfer (portability), erasure, restriction, objection, withdrawal of consent.
Transparency — privacy notice in clear Arabic, before or at point of collection.
Purpose limitation and data minimisation.
Accuracy and retention — schedule per purpose.
Security — appropriate technical and organisational measures (TOMs).
Cross-border transfer — subject to SDAIA conditions.
Breach notification — to SDAIA within 72 hours; to the data subject without undue delay.
Accountability — DPO for certain entities, ROPA (record of processing activities), DPIA for high-risk.

Step 1: Inventory and ROPA

Build a Record of Processing Activities. Per processing activity capture:

Purpose.
Categories of data subjects.
Categories of personal data.
Categories of recipients (internal + third-party).
Cross-border transfers and safeguards.
Retention period.
Security measures.
Lawful basis.

Step 2: Privacy notices

Every collection point (website form, mobile app onboarding, paper form) must offer an Arabic privacy notice covering:

Controller identity and contact.
Purpose and lawful basis.
Recipients.
Cross-border transfers and safeguards.
Retention period.
Data subject rights and how to exercise them.
Right to lodge a complaint with SDAIA.

Step 3: Consent management

Where consent is the lawful basis (especially for marketing and for sensitive data):

Granular: separate tick boxes per purpose.
Freely given: no service-bundle coercion.
Demonstrable: store the consent record with timestamp, channel, IP, form version.
Easy to withdraw: same effort as giving it.

{
  "subject_id": "user-1029384",
  "consent_id": "CNS-2026-04-21-9ab1f3",
  "purpose": "marketing_email",
  "given_at": "2026-04-21T08:14:55+03:00",
  "channel": "web_signup_v3",
  "ip": "78.95.12.4",
  "form_version": "privacy_notice_v3.1",
  "withdrawable_at": "https://example.sa/account/consent"
}

Step 4: Data subject requests (DSR)

Stand up a process to:

Verify identity of the requester.
Acknowledge within 5 working days.
Respond within 30 days (extendable to 60 days for complex requests with notice).
Maintain a register of all DSRs and outcomes.

Step 5: DPIA for high-risk

A Data Protection Impact Assessment is required for:

Large-scale processing of sensitive data (health, biometrics, financial).
Systematic monitoring of public spaces.
Decisions producing legal effects (credit scoring, KYC).
New technologies (AI scoring, behavioural profiling).
Cross-border transfer to inadequate jurisdictions.

(See the dedicated DPIA template guide.)

Step 6: Breach response

Detect via SIEM + DLP + EDR.
Triage within 1 hour.
Assess impact (categories of subjects, volume, sensitivity).
Notify SDAIA within 72 hours where the breach poses risk to the rights and freedoms of subjects.
Notify subjects without undue delay where the breach poses high risk.
Keep a breach log even for incidents that do not require notification.

Step 7: DPO

A Data Protection Officer is required when:

Core activities involve large-scale processing of sensitive data.
Core activities involve regular and systematic monitoring of subjects.
Public-sector body (always required).

The DPO must be independent, have direct access to senior management and SDAIA, and may not be terminated for performing the role.

Common gotchas

English-only privacy notices — must be in Arabic, English may be additional.
Pre-ticked consent boxes — invalid.
Marketing consents older than 12 months without refresh — re-confirm.
DSR responses past 30 days without notification — automatic complaint risk.
"We rely on legitimate interest" — narrow basis in KSA; document the balancing test.

Verification

ROPA dated within last 6 months.
Privacy notice register with version history.
Consent management tooling with audit log.
DSR register with response timings.
DPIA register and DPIAs for every high-risk activity.
Breach log even for non-notifiable incidents.
DPO appointment letter (where applicable).

Conclusion

PDPL is not GDPR-Saudi — it is its own law with KSA-specific requirements (Arabic, SDAIA, cross-border regime). Treat it as a programme of evidence, not a one-time legal review.

Related guides

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile

SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship PDPL and SDAIA for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Cybersecurity & Data Centre SACS-210, NCA ECC, SOC, 24/7 ops Endpoint Security & EDR CrowdStrike, SentinelOne, Defender, MDR

Talk to a SKYLINE engineer WhatsApp · +966 50 993 9334 Call +966 50 993 9334

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads

Be the first to leave a comment.