Training data is personal data more often than teams assume. Here is what Saudi Arabia's PDPL actually requires, how the regional landscape fits together, and the questions to put to any data partner before a single record leaves your systems.
This brief is general information, not legal advice. Regulations and implementing rules evolve; confirm current requirements with counsel and with the regulator's published guidance before making compliance decisions.
AI teams in the region tend to treat data protection as a deployment problem — something to solve when the model ships. In practice, the highest-risk step often happens much earlier: the moment call recordings, chat logs, documents or medical notes are handed to an annotation workforce. That handoff is a disclosure, frequently a cross-border transfer, and always something a regulator can ask you to account for.
Saudi Arabia's Personal Data Protection Law (PDPL) was issued by Royal Decree M/19 in September 2021, substantially amended in March 2023, and came into force on 14 September 2023, with a one-year grace period for compliance that ended on 14 September 2024. It is supervised by the Saudi Data & AI Authority (SDAIA) and is supplemented by Implementing Regulations and dedicated Data Transfer Regulations.
Three features matter most for AI data work:
A typical labeling engagement copies raw production data — the most identifying form of it — to a vendor, whose annotators view every record in full. If that vendor routes tasks through a global crowd, your call recordings may be listened to on personal laptops across a dozen jurisdictions, outside any transfer mechanism you have assessed. Under the PDPL you remain the controller throughout: the vendor's shortcuts are your liability.
This is why "where is the data processed?" is the single most clarifying question you can ask a data partner. Not where the company is headquartered, and not where the servers are — where the humans who open each record sit, and under what contractual and technical controls.
Saudi Arabia is not an outlier. Most major MENA markets now have comprehensive data protection statutes, each with its own transfer rules and regulator:
| Jurisdiction | Law | Notes for AI data work |
|---|---|---|
| Saudi Arabia | PDPL (2021, amended 2023) | Fully enforced since Sep 2024; SDAIA supervises; dedicated Data Transfer Regulations. |
| UAE | Federal Decree-Law No. 45 of 2021 | Federal regime plus separate DIFC and ADGM frameworks for financial free zones. |
| Qatar | Law No. 13 of 2016 | The region's earliest national privacy law; consent-centric. |
| Egypt | Law No. 151 of 2020 | Licensing requirements for certain processing; criminal penalties available. |
| Jordan | Law No. 24 of 2023 | Recent addition; phased compliance for existing processing. |
For a team operating across the region, the practical consequence is simple: architecting for the strictest applicable regime — in-region processing, documented lawful basis, minimal disclosure — usually satisfies the rest with little extra work.
Before any dataset leaves your environment for annotation, alignment or evaluation, you should be able to answer yes to each of these:
Bayanat Labs runs annotation, alignment and evaluation with in-region residency by default — vetted contributors under NDA, audit trails on every record, and on-prem options for the work that demands them.
Talk to us about residency