Saudi Arabia’s Public Prosecution has reiterated a clear message: disclosing personal data without legal authorization is a criminal offense, and privacy protection is a fundamental pillar under the Personal Data Protection Law (PDPL).
The announcement also clarifies what “disclosure” means in practice: any unauthorized enabling that allows others to obtain, access, view, or use personal data by any method and for any purpose.
What the Public Prosecution highlighted (in practical terms)
The Public Prosecution emphasized three core points:
- Unauthorized “enabling” is disclosure
  This includes actions that make personal data accessible to others without legal basis—whether intentional or accidental (e.g., misdirected emails, open shared drives, uncontrolled printing, insecure archiving rooms).
- Sensitive data disclosure with harmful intent or personal benefit is treated seriously
  Where sensitive data is disclosed with intent to harm the data subject or achieve personal benefit, exposure escalates significantly under PDPL.
- No leniency in enforcement
  The message is also a reminder that violations can trigger prosecution, not just reputational damage.
Why PDPL matters for every organization in KSA
PDPL isn’t a “tech-only” issue. It applies to how you collect, process, store, share, retain, and dispose of personal data across the business—HR, customer operations, finance, contracts, legal files, vendor onboarding, and more.
For many organizations, the highest risk isn’t sophisticated hacking—it’s everyday operational leakage, such as:
- Hardcopy files left unsecured (reception desks, warehouse aisles, project rooms)
- Uncontrolled access to archives and storage areas
- Overshared folders / unrestricted permissions
- Poor indexing and retrieval controls (anyone can “pull” files)
- Weak vendor controls (couriers, offsite storage, scanning providers)
- Missing destruction policies (data retained far longer than needed)
What “PDPL compliance” typically requires in practice
Based on PDPL guidance and implementing expectations, compliance usually involves a mix of governance, operational controls, and technical measures, including:
- Data inventory and classification (personal vs. sensitive data)
- Lawful basis and purpose limitation controls
- Access controls (least privilege; audit trails; segregation of duties)
- Retention schedules and secure destruction processes
- Policies and procedures for collection, processing, disclosure, and requests
- Vendor/processor governance (contracts, controls, monitoring)
- Training and awareness for staff who handle data daily
Penalties and exposure: why proactive prevention is cheaper than reaction
PDPL provides for serious sanctions, and credible legal summaries highlight that disclosure/misuse of sensitive data with intent to harm or gain benefit can lead to major penalties, including imprisonment and/or significant fines.
(Separately, beyond penalties: data incidents can also trigger customer churn, tender disqualification, and regulatory scrutiny—especially for regulated sectors like banking, insurance, telecom, and healthcare.)
How Tejoury helps you reduce PDPL risk (digital + physical)
At Tejoury, we focus on preventing the most common root causes of non-compliance: poor control over where data lives, who can access it, and how it’s retained and disposed of.
Our consultation and implementation services typically support:
- PDPL readiness assessment (gap analysis across people/process/technology)
- Records and information governance design (classification, retention, access model)
- Secure digitization programs (scanning + controlled indexing + secure retrieval)
- Physical records controls (secure storage, tracking, chain of custody)
- Secure destruction and evidence-based disposition procedures
- Operating model support (roles, RACI, SOPs, training, audit preparation)
Request a PDPL consultation
If your organization handles personal data (and it does), now is the time to validate controls—especially around unauthorized disclosure risk.
Contact Tejoury for a PDPL consultation to identify exposure areas and implement practical controls that reduce leakage risk across both digital and physical records.





