PDPL video analytics compliance in Saudi Arabia comes down to three things: keep personal video data inside the Kingdom unless an exception applies, document a clear legal basis for every camera, and register with SDAIA if you handle sensitive data at scale. If you run a site with AI video surveillance, drone capture, or worker-tracking cameras in KSA, the September 2024 enforcement deadline is already behind you, and the regulator is no longer in "warning" mode.
What PDPL actually requires for video data
Saudi Arabia's Personal Data Protection Law (PDPL) treats camera footage the same way it treats any other personal data: if a face, body, or behavior can be tied to an identifiable person, it is personal data. AI video analytics — PPE detection, intrusion alerts, fatigue detection, license-plate recognition, even heat-mapping of worker movement — almost always falls inside that definition because the system processes identifiable individuals.
Three rules drive almost every compliance gap we see on Saudi construction and industrial sites:
- A documented legal basis is mandatory before the camera records. Consent is one option, but legitimate interest and contract necessity cover most workplace-safety use cases.
- Purpose limitation is hard. You cannot repurpose a "safety" camera feed for "productivity scoring" without a fresh basis and a new notice to workers.
- Retention must be the minimum necessary. Most Saudi sites keep 30 days; PDPL expects you to justify any longer window in writing.
SDAIA's implementing regulations also require a Data Protection Officer (or equivalent contact) for any controller that processes sensitive personal data at scale, which AI video systems at giga-projects usually do.
Data residency rules in plain English
Saudi data residency requirements under PDPL are narrower than the rumor mill suggests — but they are real, and they cover most enterprise video workloads. The general rule is that personal data may be transferred outside the Kingdom only if certain conditions are met. The default presumption, however, is that you store and process inside KSA.
For a site manager, the practical version is:
- Storage must be in a Saudi region for the primary copy of the footage and its metadata.
- AI inference (the analytics engine that detects PPE, intrusion, etc.) should run on KSA-hosted infrastructure — edge gateways on-site, or a Saudi cloud region (STC, Mobily, Oracle Jeddah, Azure Saudi, AWS me-central-1 in Riyadh).
- Cross-border transfer is allowed only through one of the legal pathways: an adequacy decision by SDAIA, binding corporate rules, standard contractual clauses, or explicit consent for a specific transfer. As of 2024–2025, SDAIA has not issued a long list of "adequate" jurisdictions, so most companies fall back to SCCs.
- Backups, logs, and training datasets follow the same rule. If you retrain a model on Saudi site footage, that dataset is still personal data and usually must stay resident.
The one nuance people miss: residency is about the data, not the vendor's HQ. A Western vendor hosting in Riyadh is compliant; a Saudi vendor replicating to Frankfurt is not, unless an exception applies.
The PDPL video analytics compliance checklist
Use this as a working document for any Saudi site running AI cameras or drone capture. Every item should be ticketed, dated, and stored in your compliance register.
- Map every camera and drone payload that produces personal data: location, field of view, retention window, and downstream analytics.
- Assign a legal basis (consent, contract, legitimate interest) per camera, with a written justification.
- Post visible notices at site entry points in Arabic and English, naming the controller, the purpose, and the retention period.
- Appoint a Data Protection Officer if you process sensitive data at scale or act as a processor for multiple sites.
- Sign a Data Processing Agreement (DPA) with every vendor that touches the footage, including drone operators and cloud providers.
- Configure storage on KSA-resident infrastructure for the primary copy; disable auto-replication to non-adequate regions.
- Set a retention timer on the VMS or cloud bucket — 30 days for general surveillance, 7 days for high-traffic zones is defensible.
- Document a deletion workflow that proves footage is purged on schedule, including backups.
- Run a Data Protection Impact Assessment (DPIA) for any new AI model, especially biometric or behavioral analytics.
- Log every access to footage by an internal user, with reason code and approver.
- Prepare a cross-border transfer file for any onward processing outside the Kingdom, including SCCs and a transfer impact assessment.
- Train site supervisors on the basics: no sharing clips on WhatsApp, no forwarding to non-approved vendors, no off-laptop exports.
- Test the breach-response runbook: 72-hour clock to notify SDAIA, plus affected individuals where there is high risk.
- Review quarterly. Camera scopes drift, contractors rotate, and the data flow rarely stays static for six months.
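The legal-basis, residency, replication and retention items above can be checked mechanically against the camera map. The sketch below is an added example, not code from the article or its vendor; the inventory schema, field names and region identifiers are constructed placeholders, and the 30-day threshold is the default window the article cites.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: placeholder identifiers for KSA-resident storage, not real provider region names.
KSA_RESIDENT = {"ksa-riyadh-1", "ksa-jeddah-1", "onsite-edge"}
LEGAL_BASES = {"consent", "contract", "legitimate_interest"}
DEFAULT_RETENTION_DAYS = 30  # longer windows need a written justification

@dataclass
class Stream:
    camera_id: str
    legal_basis: Optional[str]
    primary_region: str
    replica_regions: List[str] = field(default_factory=list)
    retention_days: int = DEFAULT_RETENTION_DAYS
    retention_justification: str = ""
    transfer_file: bool = False  # SCCs plus transfer impact assessment on record

def audit(stream, resident=KSA_RESIDENT):
    """Return the checklist findings for one camera or drone stream."""
    findings = []
    if stream.legal_basis not in LEGAL_BASES:
        findings.append("no documented legal basis")
    # The primary copy must be resident even when a transfer file exists.
    if stream.primary_region not in resident:
        findings.append("primary copy outside KSA: " + stream.primary_region)
    abroad = sorted(r for r in stream.replica_regions if r not in resident)
    if abroad and not stream.transfer_file:
        findings.append("replication to " + ",".join(abroad) + " without SCCs/TIA")
    if (stream.retention_days > DEFAULT_RETENTION_DAYS
            and not stream.retention_justification.strip()):
        findings.append("retention of %d days has no written justification"
                        % stream.retention_days)
    return findings

def audit_inventory(inventory):
    """Map camera_id to findings, omitting streams that pass every check."""
    report = {s.camera_id: audit(s) for s in inventory}
    return {cam: f for cam, f in report.items() if f}

# Constructed sample inventory (not real site data).
INVENTORY = [
    Stream("gate-01", "legitimate_interest", "ksa-riyadh-1"),
    Stream("crane-07", None, "ksa-riyadh-1", ["eu-frankfurt-1"], 90),
    Stream("drone-02", "contract", "global-cloud-1"),
    Stream("yard-03", "legitimate_interest", "ksa-jeddah-1", ["eu-frankfurt-1"],
           60, "incident investigation hold", transfer_file=True),
]

if __name__ == "__main__":
    for cam, findings in audit_inventory(INVENTORY).items():
        print(cam, "->", "; ".join(findings))
```

Running a check like this on every quarterly review catches scope drift, such as a contractor enabling replication, before an auditor does.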
Cross-border data transfer: when you can ship footage abroad
Saudi cross-border data transfer rules are the most common source of audit findings we see. The PDPL permits a transfer outside the Kingdom when at least one of the following is true:
- SDAIA has issued an adequacy decision for the destination country.
- The data subject has given specific, informed, unambiguous consent for that transfer.
- The transfer is necessary to perform a contract with the data subject.
- Binding corporate rules (BCRs) approved by SDAIA cover the transfer.
- Standard Contractual Clauses (SCCs) or similar contractual safeguards are in place, and a transfer impact assessment shows the destination protects the data adequately.
For a typical giga-project in NEOM, Qiddiya, Diriyah, or the Red Sea, the realistic path is SCCs plus a documented TIA. Consent alone is fragile for a workforce, because employment law makes "freely given" consent hard to defend. Adequacy is the cleanest route, but the list is still short in 2025–2026.
A practical note for drone operators: if you fly a DJI or similar UAS, the telemetry, GPS track, and image EXIF are part of the dataset. If the drone's companion cloud is set to a non-Saudi region by default, that is a transfer event. Reconfigure ground-control software to KSA endpoints, and turn off "auto-upload to global cloud" before the first flight.
Where GACA and PDPL overlap for drone data
GACA's drone regulations and PDPL are not separate worlds. The General Authority of Civil Aviation handles airspace and flight authorization; SDAIA handles the data those flights produce. If your drone survey captures identifiable workers, vehicles, or third parties, PDPL applies on top of the GACA permit. Saudi Arabia's push for domestic drone manufacturing (e.g., EHang and locally assembled platforms entering service in 2024–2025) makes the question of onboard data routing a procurement issue, not just a legal one.
Penalties, timelines, and what enforcement looks like in 2025–2026
SDAIA moved from awareness to enforcement over 2024. The maximum administrative fines under PDPL reach SAR 5 million per violation, doubled for sensitive personal data, with a cumulative cap that can climb to SAR 25 million in serious cases. A "violation" is broadly interpreted — a single camera stream left unencrypted can count as one.
Other real-world consequences:
- Public reprimand via SDAIA's website, which has material impact on giga-project suppliers.
- Suspension of data processing — meaning your analytics platform can be ordered offline until remediated.
- Mandatory audit at the controller's cost, often by an SDAIA-approved assessor.
- Cross-border transfer freeze, which is operationally brutal for any team that has built analytics around overseas inference.
The 72-hour breach notification clock is tight. If a hard drive walks off a site, or a cloud bucket is misconfigured, the clock starts the moment you become aware, not the moment IT confirms.
PDPL vs GDPR: what Saudi teams get wrong
Saudi teams often import their EU GDPR habits directly, which is understandable but often wrong. The table below highlights the practical differences that change how you build a video stack.
| Area | GDPR (EU) | PDPL (Saudi Arabia) |
|---|---|---|
| Regulator | National DPAs (e.g., CNIL, BfDI) | SDAIA (centralized) |
| Data residency | Free movement within EEA; adequacy for exports | Default residency in KSA; outbound transfer only via SCC, BCR, consent, or adequacy |
| DPO threshold | Mandatory for certain public bodies and large-scale monitoring | Required for sensitive personal data at scale; controllers may appoint voluntarily |
| Sensitive data | Special categories with a closed list | "Sensitive personal data" includes genetic, biometric, health, financial, and location data — broad scope |
| Breach notice | 72 hours to DPA | 72 hours to SDAIA, plus affected individuals where high risk |
| Max fine | Up to 4% of global turnover | Up to SAR 5M per violation, doubled for sensitive data |
| Consent standard | Freely given, specific, informed, unambiguous | Specific, explicit, informed; "unambiguous" not always required when other bases apply |
| Children's data | Under 16 (member-state flexibility) | Under 18 — no processing without guardian consent in most cases |
| Cross-border tools | SCCs, BCRs, adequacy, derogations | Same toolkit, but adequacy list is still short in 2025–2026 |
The single biggest mistake is treating legitimate interest as a copy-paste from GDPR. Saudi regulators read it more narrowly when employees are involved, and the Vision 2030 giga-projects have their own worker-welfare charters that overlay PDPL with stricter rules on surveillance in heat-exposed zones (where worker dignity, not just data, is the issue).
Practical tweaks for Saudi site conditions
- Heat, dust, and uptime. Edge NVRs in desert conditions fail more often, which destroys retention timers. Pick industrial-rated edge gateways and verify the deletion workflow on a 60-day test before relying on it for a 50,000-worker site.
- Multi-contractor sites. NEOM and Qiddiya typically host 30+ contractors, each running their own cameras. A single master-controller agreement, signed at the project level, is far cleaner than chasing 30 individual DPAs.
- Arabic-first signage. Worker-facing notices should be Arabic-primary, English-secondary — not the other way around. SDAIA inspectors look at this.
Frequently asked questions
Does PDPL apply to temporary construction sites, or only permanent facilities?
PDPL applies wherever personal data is processed in the Kingdom, including temporary sites. A short-term laydown yard with four cameras and a local NVR still triggers the law. The 30-day retention and SCC rules apply just as they would on a five-year project.
Is drone footage considered "sensitive personal data" under PDPL?
Not automatically. Drone footage becomes sensitive when it captures biometric identifiers, health-related behavior, or precise location data of identifiable individuals. A pure topographic survey of an empty site is generally out of scope; a drone monitoring workers in a heat-stress zone likely is in scope.
Can I use a foreign AI vendor that only has data centers in Europe or the US?
You can, but you must sign SCCs, complete a transfer impact assessment, and ensure the primary Saudi copy of the data stays resident. A common compliant pattern is a Saudi cloud region for storage, with foreign inference called on a tokenized or anonymized subset only. Plain text footage shipped to a US region without SCCs is a finding waiting to happen.
How does PDPL interact with the Saudi Cloud Computing Policy and CITC rules?
The Cloud Computing Policy (issued by CITC, now merged into the broader digital-government framework) requires certain entities to host data with local-resident providers. PDPL is sector-agnostic but enforces residency by default. In practice, the two reinforce each other: your cloud architecture should assume KSA-resident storage for personal data regardless of which rule your auditor cites.
The bottom line
PDPL video analytics compliance in Saudi Arabia is not a paperwork exercise — it is an architecture decision. Choose Saudi-resident storage from day one, configure analytics to run on KSA infrastructure, document your legal basis per camera, and keep a tight retention window. Get those four right, and the rest of the checklist is a Tuesday morning.
ViewKeeper runs AI video analytics and drone surveying on KSA-resident infrastructure, with PDPL-aligned retention, DPIA templates, and SDAIA-ready audit logs built in. If you are standing up surveillance on a new giga-project or retrofitting a live industrial site, talk to our team and we will walk through your current camera map against the checklist above.