Confidentiality of Shareholder Data and Privacy Protection

The Personal Data Protection Law (PDPL) and Its Applications to the Shareholder Registry

Introduction

In the era of digital transformation, personal data has become a genuine asset requiring strict legal protection. In the context of shareholder registry management, the registry holds massive amounts of sensitive personal data—from names and identities to financial and banking data—making the protection of this data a major legal and ethical responsibility on companies.

The Personal Data Protection Law in the Kingdom of Saudi Arabia (PDPL) was issued by Royal Decree No. (M/19) dated 9/2/1443H, and came into full force on 14 September 2024, becoming the first comprehensive legislation for data protection in the Kingdom. This law imposes detailed obligations on companies in their handling of personal data, with strict penalties that may reach SAR 5 million per violation, and up to SAR 10 million in cases of recurrence.

In this article, we explore the legal framework for personal data protection in the Kingdom and its impact on shareholder registry management, focusing on practical requirements and practices to ensure full compliance.


Part One: The Legal Framework for Personal Data Protection in the Kingdom

1. The Personal Data Protection Law (PDPL)

The law was issued by Royal Decree No. (M/19) dated 9/2/1443H, and amended by Royal Decree No. (M/148) dated 5/9/1444H. It is the first comprehensive data protection law in the Kingdom and is largely aligned with international standards such as the European General Data Protection Regulation (GDPR).

2. The Implementing Regulations

The Implementing Regulations of the Personal Data Protection Law were issued to clarify the practical applications of the law and to specify the procedural details required from data-handling entities. They came into full force with the law on 14 September 2024.

3. The Competent Authority

The Saudi Data and Artificial Intelligence Authority (SDAIA) supervises the application of the law during an initial phase, through the National Data Management Office (NDMO). This authority is responsible for:

  • Issuing implementing regulations and explanatory circulars.
  • Monitoring entities’ compliance with the law’s provisions.
  • Receiving complaints and reports related to privacy violations.
  • Imposing penalties on violations.
  • Providing companies with advice on compliance.
  • Issuing assessment and guidance tools.

4. Alignment with International Standards

The Saudi system aligns with several international standards, including:

  • The European General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA).
  • ISO/IEC 27701 Privacy Information Management standards.
  • OECD Privacy Protection Principles.

📅 Transitional Period

The compliance period for the law ended on 14 September 2024. After this date, anyone non-compliant is subject to regulatory penalties. Penalties range from warnings to fines up to SAR 5 million, and the court may double the fine to SAR 10 million in cases of recurrence, in addition to imprisonment in certain cases.


Part Two: Basic Concepts in the Law

To properly understand the application of the law, its basic terminology must be grasped:

1. Personal Data

These are any data—whatever their source or form—that may lead to identifying an individual specifically, or make identification possible when linked with other data. In the context of the shareholder registry, they include:

  • Full name.
  • National ID number, residency, or passport number.
  • Date of birth.
  • Phone number and email.
  • Bank account data.
  • Personal photos.
  • Share data and value.

2. Sensitive Data

These are data requiring enhanced protection, including:

  • Data related to racial or ethnic origin.
  • Religious, intellectual, or political beliefs.
  • Security and criminal data.
  • Biometric features.
  • Genetic and health data.
  • Data indicating that the individual is of unknown parentage.

3. Data Controller

This is the entity that determines the purposes and means of processing personal data. In the context of the shareholder registry, the joint-stock company is the data controller and bears primary responsibility for protecting its shareholders’ data.

4. Data Processor

This is the entity that processes data on behalf of the data controller, such as:

  • The Securities Depository Center (for listed companies).
  • Companies contracted to manage the registry.
  • Cloud service providers.
  • Companies specialized in shareholder relations management.

5. Data Subject

This is the natural person to whom the personal data relates. In the context of the shareholder registry, this is the shareholder themselves (for natural persons).

6. Processing

This is any operation performed on personal data, including: collection, recording, storage, modification, retrieval, use, disclosure, publication, transfer, or destruction.


Part Three: Basic Principles of the Law

The law bases personal data processing on several fundamental principles that must be adhered to:

1. Lawfulness Principle

Data processing must take place under one of the permitted regulatory bases, which are:

  • Explicit consent of the data subject.
  • Performance of a contract to which the data subject is a party.
  • Compliance with a regulatory requirement.
  • Protection of vital interests of the data subject.
  • Legitimate interests of the data controller that do not conflict with the data subject’s rights.

2. Purpose Specification Principle

Data must be collected for a specific, explicit, and legitimate purpose, and may not be subsequently processed for purposes conflicting with this purpose. In the context of the shareholder registry, the main purposes include:

  • Proving share ownership and exercising rights.
  • Communicating with shareholders regarding assemblies and disclosures.
  • Disbursing dividend distributions.
  • Compliance with regulatory requirements.

3. Minimization Principle

Collected data must be limited to the minimum necessary to achieve the purpose. Additional data may not be collected without documented necessity.

4. Accuracy Principle

Data must be accurate and up-to-date, and the data controller must take reasonable steps to correct or delete inaccurate data.

5. Storage Limitation Principle

Data may not be kept for longer than necessary to achieve the purpose for which it was collected, unless the law requires otherwise.

6. Security and Confidentiality Principle

Necessary technical and organizational measures must be taken to protect data from unlawful processing, loss, destruction, or unauthorized disclosure.

7. Accountability Principle

The data controller is responsible for proving compliance with the law through documentation, procedures, and clear policies.


Part Four: Data Subjects’ Rights

The law grants data subjects a set of rights that must be respected and facilitated:

1. Right to Be Informed

The data subject has the right to be notified of how their data is processed:

  • Identity of the data controller and contact information.
  • Purpose of data collection.
  • Legal basis for processing.
  • Expected data retention period.
  • Entities with which data may be shared.
  • Their rights and how to exercise them.

2. Right of Access to Data

The data subject has the right to access their personal data held by the data controller and obtain a copy of it.

3. Right of Correction

The data subject has the right to request correction or update of their personal data if inaccurate or outdated.

4. Right of Destruction (Deletion)

The data subject has the right to request destruction of their personal data in specific cases:

  • The need for it has ended.
  • It was collected unlawfully.
  • Consent withdrawal (in certain cases).
  • It is processed in a manner contrary to the law.

5. Right to Object

The data subject has the right to object to the processing of their personal data for specific purposes, or to request restriction of processing for a certain period.

6. Right to Withdraw Consent

The data subject has the right to withdraw their consent at any time, without affecting the legality of previous processing.

7. Right of Data Portability

In some cases, the data subject has the right to transfer their data from one controller to another in a structured and machine-readable format.

8. Right to Complain

The data subject has the right to file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) in case of violation of their rights.


Part Five: Applications of the Law to the Shareholder Registry

To properly apply the PDPL in shareholder registry management, several detailed measures must be taken:

1. Determining the Legal Basis for Processing

Most data in the shareholder registry relies on several legal bases:

  • Compliance with a regulatory requirement (the Companies Law requires maintaining the registry).
  • Performance of a contract (the company’s relationship with its shareholder).
  • Legitimate interests of the data controller (managing the company).
  • Data subject consent (for some additional processing).

2. Preparing the Privacy Notice

The company must prepare a clear and comprehensive privacy notice for shareholders, including:

  • Company identity and contact information.
  • Data Protection Officer (DPO) information.
  • Types of personal data processed.
  • Processing purposes and legal bases.
  • Entities with which data is shared.
  • Data retention periods.
  • Shareholders’ rights and the mechanism to exercise them.
  • Contact information for complaints.

3. Appointing a Data Protection Officer (DPO)

The Implementing Regulations require appointing a data protection officer in specific cases. Large companies processing large volumes of personal data—such as joint-stock companies—often fall within these cases. The officer’s duties include:

  • Overseeing compliance with the law.
  • Providing advice to the data controller.
  • Communicating with data subjects.
  • Communicating with the competent authority.
  • Conducting impact assessments.
  • Overseeing training and awareness.

4. Controlling Data Access

Strict controls must be applied for access to shareholder data:

  • Graded permissions system (Role-Based Access Control).
  • Multi-Factor Authentication.
  • Complete operations log for all access activities.
  • Periodic review of permissions.
  • Cancellation of permissions upon end of need.

5. Technically Securing Data

  • Encryption of data at rest.
  • Encryption of data in transit.
  • Use of secure protocols (HTTPS, SFTP).
  • Regular backups in multiple geographic locations.
  • Testing of disaster recovery plans.
  • Periodic system updates.

6. Managing Shareholder Consents

For some additional processing (such as marketing or sharing data with partners), explicit and documented consents must be obtained, with:

  • Precise clarification of the purpose.
  • Providing the possibility of refusal.
  • Documenting consents historically.
  • Enabling easy consent withdrawal.
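
The access-control, audit-log, consent and retention requirements listed in items 4 and 6 above (together with the storage limitation principle in Part Three and the rights of access and portability in Part Four) can be exercised in a small model. The following is an added example written for this article, not code from the article or from any registry vendor: a minimal registry access layer in which each role is limited to the fields its purpose needs, every access attempt (allowed or refused) lands in an append-only log, consent is stored as a history of events so that a withdrawal never erases the earlier grant, records past their retention period are destroyed unless on a regulatory hold, and a shareholder can obtain a machine-readable export. The role names, field names, retention period and sample shareholders are assumptions constructed for illustration.

```python
"""Added example, not code from the article or any registry vendor: a minimal
shareholder registry access layer with role-based, field-level access, an
append-only audit log, consent events with withdrawal history, and retention
enforcement. Role names, field names and retention periods are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Assumed role -> permitted fields. Minimization: each role sees only what its purpose needs.
ROLE_FIELDS = {
    "registrar": {"name", "national_id", "shares", "email", "phone"},
    "dividends": {"name", "shares", "bank_account"},
    "ir_comms": {"name", "email"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Registry:
    records: dict = field(default_factory=dict)    # shareholder_id -> record
    audit_log: list = field(default_factory=list)  # every access attempt, allowed or not
    consents: dict = field(default_factory=dict)   # (shareholder_id, purpose) -> events

    def _log(self, actor, role, action, shareholder_id, fields, purpose, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "actor": actor, "role": role,
            "action": action, "shareholder_id": shareholder_id,
            "fields": sorted(fields), "purpose": purpose, "outcome": outcome})

    def read(self, actor, role, shareholder_id, fields, purpose):
        """Return only the requested fields the role may see; log every attempt."""
        allowed = ROLE_FIELDS.get(role, set())
        if not set(fields) <= allowed:
            self._log(actor, role, "read", shareholder_id, fields, purpose, "denied")
            raise AccessDenied(f"role {role!r} may not read {set(fields) - allowed}")
        rec = self.records[shareholder_id]
        self._log(actor, role, "read", shareholder_id, fields, purpose, "ok")
        return {f: rec[f] for f in fields}

    def record_consent(self, shareholder_id, purpose, given, channel):
        """Append a consent event; a withdrawal is a new event, so the history is kept."""
        self.consents.setdefault((shareholder_id, purpose), []).append({
            "ts": datetime.now(timezone.utc).isoformat(), "given": given, "channel": channel})

    def has_consent(self, shareholder_id, purpose):
        events = self.consents.get((shareholder_id, purpose), [])
        return bool(events) and events[-1]["given"]  # the latest event decides

    def export_for_subject(self, shareholder_id):
        """Right of access / portability: structured, machine-readable copy of the data."""
        rec = self.records[shareholder_id]
        history = {p: ev for (sid, p), ev in self.consents.items() if sid == shareholder_id}
        self._log("self-service", "data_subject", "export", shareholder_id, rec.keys(),
                  "access_right", "ok")
        return json.dumps({"record": rec, "consents": history}, default=str, ensure_ascii=False)

    def apply_retention(self, now, retention, hold_ids=frozenset()):
        """Destroy records whose purpose ended more than `retention` ago, unless on regulatory hold."""
        destroyed = []
        for sid, rec in list(self.records.items()):
            ended = rec.get("relationship_ended")
            if ended and now - ended > retention and sid not in hold_ids:
                del self.records[sid]
                destroyed.append(sid)
                self._log("retention-job", "system", "destroy", sid, (), "storage_limitation", "ok")
        return destroyed


def demo():
    """Runs the layer over constructed sample shareholders and returns the outcomes."""
    reg = Registry()
    reg.records["SH-001"] = {"name": "Sample Shareholder A", "national_id": "1000000001",
                             "shares": 1500, "email": "a@example.com", "phone": "+966500000000",
                             "bank_account": "SA00 0000 0000 0000 0000 0001",
                             "relationship_ended": None}
    reg.records["SH-002"] = {"name": "Sample Shareholder B", "national_id": "1000000002",
                             "shares": 0, "email": "b@example.com", "phone": "+966500000001",
                             "bank_account": "SA00 0000 0000 0000 0000 0002",
                             "relationship_ended": datetime(2015, 1, 1, tzinfo=timezone.utc)}
    payout = reg.read("fin01", "dividends", "SH-001", ["name", "bank_account"], "dividends")
    try:  # investor relations has no need for bank data, so the request is refused and logged
        reg.read("ir01", "ir_comms", "SH-001", ["bank_account"], "newsletter")
        denied = False
    except AccessDenied:
        denied = True
    reg.record_consent("SH-001", "marketing", True, "portal")
    reg.record_consent("SH-001", "marketing", False, "email")   # later withdrawal
    destroyed = reg.apply_retention(datetime(2025, 1, 1, tzinfo=timezone.utc),
                                    timedelta(days=10 * 365))
    export = json.loads(reg.export_for_subject("SH-001"))
    return {"payout": payout, "denied": denied,
            "marketing_ok": reg.has_consent("SH-001", "marketing"),
            "destroyed": destroyed, "export": export, "log_entries": len(reg.audit_log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for the accountability principle: refused requests are logged with the same detail as successful ones, because a later review of the log needs to see who asked for data they were not entitled to; and consent withdrawal appends an event rather than overwriting the record, so the company can still prove that earlier processing was lawful at the time.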

7. Data Sharing Controls

When sharing shareholder data with other parties, the company must:

  • Enter into clear contracts with processors.
  • Verify these entities’ compliance with the law.
  • Precisely identify each party’s responsibilities.
  • Monitor performance periodically.
  • Disclose sharing to shareholders.

8. Cross-Border Transfer

To transfer shareholder data outside the Kingdom (for foreign shareholders or international entities):

  • Ensure availability of regulatory justifications for the transfer.
  • Ensure an equivalent level of protection in the receiving country.
  • Obtain SDAIA approval in required cases.
  • Enter into contractual terms to protect data.


Part Six: Compliance Implementation Steps

For full compliance with the law, companies can follow a systematic roadmap:

Step 1: Initial Assessment

  1. Comprehensive inventory of all personal data in the shareholder registry.
  2. Identification of data sources and collection channels.
  3. Identification of processing purposes and legal bases.
  4. Identification of all parties with which data is shared.
  5. Identification of gaps between the current situation and the law’s requirements.

Step 2: Designing the Compliance Program

  1. Drafting internal privacy policies.
  2. Preparing privacy notices for shareholders.
  3. Designing consent forms.
  4. Identifying data retention periods.
  5. Establishing procedures for responding to data subject requests.

Step 3: Technical Implementation

  1. Developing or updating systems to meet requirements.
  2. Applying access and permissions controls.
  3. Implementing encryption and technical protection.
  4. Developing operational logs (Audit Logs).
  5. Testing systems and procedures.

Step 4: Organizational Implementation

  1. Appointing a Data Protection Officer.
  2. Forming a Data Protection Committee (if necessary).
  3. Training employees on the law’s requirements.
  4. Educating shareholders about their rights.
  5. Registration in the National Personal Data Protection Registry with SDAIA.

Step 5: Continuous Monitoring

  1. Periodic compliance reviews.
  2. Updating policies and procedures.
  3. Handling incidents and complaints.
  4. Periodic reports to senior management.
  5. Continuous improvement.


Part Seven: Handling Data Breach Incidents

Despite all preventive measures, data breach or leak incidents may occur. Rapid and correct response to these incidents is essential to limit damage and avoid penalties.

1. Types of Data Breach Incidents

  • Cyberattacks from external parties.
  • Internal leaks from employees or contractors.
  • Loss of devices containing data.
  • Erroneous transmission of data to unauthorized parties.
  • Public publication of data by mistake.

2. Immediate Response Steps

  1. Detect the incident and estimate its scope.
  2. Contain the incident and prevent its escalation.
  3. Document all incident details.
  4. Form the response team.
  5. Assess the affected data.

3. Regulatory Notification

Under the PDPL, the data controller must notify SDAIA upon becoming aware of a data breach incident, within a specified time period. The notification includes:

  • Nature and causes of the incident.
  • Affected data and its volume.
  • Number of affected data subjects.
  • Containment measures taken.
  • Proposed measures for future prevention.
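
The first response step above, detecting the incident and estimating its scope, and the notification contents just listed can be supported by a review of the access audit log. What follows is an added example written for this article, not code from the article or from SDAIA: it reads a constructed log of registry accesses, flags any account that successfully touched more than a threshold number of distinct shareholders inside a sliding time window (the internal-leak and erroneous-export cases in the list of incident types), then counts the affected data subjects and fields so that the "affected data" and "number of affected data subjects" entries of the notification can be filled in. The log format, the field classification, the threshold and the sample lines are assumptions constructed for illustration.

```python
"""Added example, not code from the article or from SDAIA: reviewing an access
audit log to detect a possible bulk leak by one account and to estimate its
scope for the regulatory notification. The log format, the field names and the
thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Fields treated here as high-impact if exposed (assumed classification).
SENSITIVE_FIELDS = {"national_id", "bank_account"}

# Constructed sample log, one JSON object per line: normal daytime reads by two staff,
# then one account pulling bank details for seven shareholders late at night.
SAMPLE_LOG = """\
{"ts":"2025-03-02T09:05:00","actor":"ir01","action":"read","shareholder_id":"SH-001","fields":["email","name"],"outcome":"ok"}
{"ts":"2025-03-02T09:06:00","actor":"ir01","action":"read","shareholder_id":"SH-002","fields":["email","name"],"outcome":"ok"}
{"ts":"2025-03-02T09:30:00","actor":"fin02","action":"read","shareholder_id":"SH-001","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:10:00","actor":"fin02","action":"read","shareholder_id":"SH-003","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:11:00","actor":"fin02","action":"read","shareholder_id":"SH-004","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:12:00","actor":"fin02","action":"read","shareholder_id":"SH-005","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:13:00","actor":"fin02","action":"read","shareholder_id":"SH-006","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:14:00","actor":"fin02","action":"read","shareholder_id":"SH-007","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:15:00","actor":"fin02","action":"read","shareholder_id":"SH-008","fields":["bank_account","name"],"outcome":"ok"}
{"ts":"2025-03-02T23:16:00","actor":"fin02","action":"export","shareholder_id":"SH-009","fields":["bank_account","name","national_id"],"outcome":"ok"}
{"ts":"2025-03-02T23:17:00","actor":"fin02","action":"read","shareholder_id":"SH-010","fields":["email"],"outcome":"denied"}
"""


def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def find_bulk_access(events, window=timedelta(minutes=15), max_subjects=5):
    """Flag any actor who successfully touched more than `max_subjects` distinct
    shareholders inside a sliding time window; denied attempts are excluded."""
    by_actor = defaultdict(list)
    for e in events:
        if e["outcome"] == "ok" and e["action"] in ("read", "export"):
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        flagged, j = set(), 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            if len({e["shareholder_id"] for e in evs[j:i + 1]}) > max_subjects:
                flagged.update(range(j, i + 1))
        if flagged:
            hit = [evs[k] for k in sorted(flagged)]
            alerts.append({"actor": actor, "start": hit[0]["ts"], "end": hit[-1]["ts"], "events": hit})
    return alerts


def estimate_scope(alert):
    """Distinct data subjects and fields involved, as the notification must state."""
    subjects = sorted({e["shareholder_id"] for e in alert["events"]})
    fields = sorted({f for e in alert["events"] for f in e["fields"]})
    return {"subjects": subjects, "count": len(subjects), "fields": fields,
            "sensitive": sorted(set(fields) & SENSITIVE_FIELDS)}


def draft_notification(alert, scope):
    """Skeleton of the notification contents listed in the article; the containment
    and prevention entries are placeholders for the response team to complete."""
    return {
        "nature_and_causes": f"Bulk access to shareholder records by account {alert['actor']} "
                             f"between {alert['start'].isoformat()} and {alert['end'].isoformat()}",
        "affected_data": scope["fields"],
        "number_of_affected_subjects": scope["count"],
        "containment_measures": "TO BE COMPLETED by the response team",
        "proposed_prevention": "TO BE COMPLETED after root-cause analysis",
    }


def review(text=SAMPLE_LOG):
    alerts = find_bulk_access(parse_log(text))
    return [(a, estimate_scope(a), draft_notification(a, estimate_scope(a))) for a in alerts]


if __name__ == "__main__":
    for alert, scope, note in review():
        print(json.dumps(note, indent=2))
```

The threshold of five distinct shareholders in fifteen minutes is only a placeholder; in practice it is set from the normal volume of the role (a dividends run legitimately touches every shareholder, so the job account running it needs its own baseline). The point of the scope estimate is that the notification states the number of affected data subjects and the categories of data, which the log can only supply if every access was recorded with the fields read, as Part Five item 4 requires.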

4. Notifying Data Subjects

In cases of serious incidents involving high risks to data subjects, they must be directly notified, with:

  • Clear description of the incident.
  • Affected data.
  • Measures taken.
  • Recommended actions for protection.
  • Contact information for more information.

5. Investigation and Treatment

  1. Comprehensive investigation of the incident’s causes.
  2. Addressing root causes.
  3. Developing additional controls to prevent recurrence.
  4. Communicating with competent authorities (Cybersecurity).
  5. Appropriate compensation to affected parties.


Part Eight: Penalties for Violation

The law imposes strict penalties for violations, graded by the nature and severity of the violation:

Type of Violation                                | Penalty
-------------------------------------------------|-------------------------------------------------------------
Unlawful disclosure of sensitive data            | Imprisonment up to two years, and a fine up to SAR 3 million
Other violations of the law’s provisions         | Warning, or a fine up to SAR 5 million
Repeated violation                               | Doubling of the fine to SAR 10 million
Cross-border data transfer without justification | Fine per the regulations
Failure to notify of breach incidents            | Administrative fine
Violations relating to children                  | Aggravated penalties

In addition to penal penalties, affected data subjects may have the right to claim civil compensation for damages incurred.


Part Nine: Common Challenges in Implementing the Law

1. Large Data Volume

Challenge: Joint-stock companies hold data for thousands of shareholders, making implementation of requirements an operational challenge.

Solution: Using advanced automation tools, methodically classifying data, investing in advanced systems.

2. Integration with Legacy Systems

Challenge: Legacy systems may not support modern privacy requirements.

Solution: Gradual updating, using middleware layers, transitioning to the cloud.

3. Organizational Culture

Challenge: Changing the institutional culture to handle data with greater sensitivity.

Solution: Ongoing training programs, raising awareness of the importance of privacy, active leadership from senior management.

4. Dealing with Third Parties

Challenge: Ensuring compliance of all partners and suppliers.

Solution: Clear contracts, periodic audits, choosing committed partners.

5. Cross-Border Transfer

Challenge: Dealing with foreign shareholders requires cross-border data transfer.

Solution: Obtaining necessary approvals, using approved mechanisms, communicating with SDAIA.


Part Ten: Best Practices in Shareholder Data Protection

  1. Privacy by Design: Embedding privacy requirements in system design from the start.
  2. Privacy by Default: Making default settings the most privacy-protective.
  3. Data Minimization: Not collecting additional data without justification.
  4. Comprehensive Encryption: Encrypting all data at rest and in transit.
  5. Multi-Factor Authentication: Adopting multi-factor authentication for all sensitive access operations.
  6. Continuous Training: Periodically training all employees on privacy requirements.
  7. Periodic Review: Regular internal and external reviews of compliance.
  8. Rapid Response: Clear plans for responding to incidents and complaints.
  9. Transparency: Clear communication with shareholders on how their data is processed.
  10. Continuous Improvement: Continuously developing procedures and systems based on experiences and developments.


PDPL Compliance Checklist

At the Institutional Level

  • Appointment of a Data Protection Officer (DPO).
  • Formation of a Data Protection Committee.
  • Approval of privacy policies.
  • Registration in the National Registry with SDAIA.
  • Allocation of a budget for the compliance program.

At the Documentation Level

  • Comprehensive inventory of personal data.
  • Records of Processing Activities.
  • Data Protection Impact Assessments (DPIAs).
  • Written policies and procedures.
  • Privacy notices for shareholders.

At the Technical Level

  • Comprehensive data encryption.
  • Graded access controls.
  • Multi-Factor Authentication.
  • Operations and monitoring logs.
  • Backup and recovery.

At the Operations Level

  • Procedures for responding to data subject requests.
  • Breach incident response plan.
  • Consent management procedures.
  • Retention and destruction controls.
  • Supplier audit procedures.

At the Competencies Level

  • Training all employees on requirements.
  • Specialized training for sensitive teams.
  • Educating shareholders about their rights.
  • Professional certifications for relevant personnel.
  • Continuous knowledge update.


Conclusion and Key Takeaways

Protecting shareholders’ personal data is not merely a legal obligation but a fundamental pillar for building trust between the company and its shareholders. With the Personal Data Protection Law (PDPL) entering into full force, compliance has become a necessity, not a choice—especially with the strict penalties that may reach SAR 10 million in cases of recurrence.

Leading companies view data protection as an opportunity to enhance their reputation and differentiate from competitors, not as a regulatory burden. Investing in an integrated compliance program—covering legislative, technical, and organizational aspects—achieves long-term benefits that go beyond merely avoiding penalties to building a strong relationship with shareholders.

🎯 Core Takeaways

  1. The PDPL entered into full force on 14 September 2024 and is supervised by SDAIA.
  2. Penalties reach SAR 5 million (SAR 10 million in cases of recurrence), with imprisonment in certain cases.
  3. The company is the “data controller”; Edaa and similar entities are “data processors”.
  4. Legal bases for processing in the shareholder registry include: regulatory requirement, contract performance, legitimate interests, and consent.
  5. Data subjects have eight main rights whose exercise must be facilitated.
  6. Privacy by Design and Privacy by Default are the key to effective compliance.
  7. A breach incident response plan and notification of SDAIA are regulatory obligations.

FAQ

What is Saudi Arabia's PDPL and how does it affect the shareholder registry?

The Personal Data Protection Law (PDPL), issued by Royal Decree No. (M/19) and amended by Royal Decree No. (M/148), is Saudi Arabia's first comprehensive data protection legislation. It entered full force on 14 September 2024 and is supervised by the Saudi Data and Artificial Intelligence Authority (SDAIA). Because the shareholder registry holds large volumes of sensitive personal data—including national ID numbers, bank account details, share values, and contact information—the company that maintains the registry is classified as the data controller and bears full legal responsibility for protecting shareholders' data. Entities that process data on its behalf, such as Edaa for listed companies, are classified as data processors. Non-compliance carries penalties of up to SAR 5 million per violation, doubled to SAR 10 million for repeated offences, with imprisonment in certain cases.

What rights do shareholders have over their personal data under PDPL?

The PDPL grants shareholders eight rights they can exercise over their personal data at any time. The right to be informed requires the company to explain how their data is collected, processed, and shared. The right of access allows shareholders to obtain a copy of all personal data the company holds about them. The right of correction enables them to request updates to inaccurate or outdated information. The right of deletion allows shareholders to request removal of their data when it is no longer needed or was collected unlawfully. The right to object permits shareholders to restrict certain types of processing. The right to withdraw consent lets them revoke previously given approval without affecting prior processing. The right of data portability allows transfer of data to another controller in a structured format. And the right to complain to SDAIA is available whenever any of these rights are violated.

What are the best practices for PDPL compliance in shareholder registry management?

Compliance rests on two foundational principles and eight supporting practices. Privacy by Design means embedding privacy protections into systems and processes from the outset rather than as an afterthought. Privacy by Default means that default system settings must provide the highest level of privacy protection without requiring shareholder action. Supporting these, companies should apply comprehensive encryption to all data at rest and in transit, enforce role-based access controls with multi-factor authentication, maintain complete audit logs of every data access event, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, appoint a qualified Data Protection Officer (DPO), train all staff periodically on PDPL requirements, and maintain a documented breach incident response plan that includes timely notification to SDAIA as a regulatory obligation.

References and Sources

  • The Personal Data Protection Law issued by Royal Decree No. (M/19), amended by Royal Decree No. (M/148).
  • The Implementing Regulations of the Personal Data Protection Law.
  • Official website of the Saudi Data and Artificial Intelligence Authority (SDAIA) – sdaia.gov.sa
  • Personal Data Protection Portal – dgp.sdaia.gov.sa
  • The European General Data Protection Regulation (GDPR).
  • ISO/IEC 27701 Privacy Information Management standard.
  • OECD Privacy Protection Principles.
