Skip to content
← All insights

Saudi Arabia’s PDPL and your SAP landscape: what the law actually requires — and what actually runs in-Kingdom today

The misreading that distorts SAP architecture decisions

Ask around any KSA transformation program and you will hear the same assumption: the Personal Data Protection Law is a data-localization law, so every SAP workload must sit on Saudi soil. That assumption drives real money — duplicated landscapes, deferred cloud moves, over-scoped residency requirements. And it is not what the law says. The PDPL is a permit-with-conditions transfer regime: it permits, rather than prohibits, cross-border transfers when conditions are met, and no absolute localization mandate exists under the PDPL itself. Getting that distinction right is the difference between architecting for the actual law and architecting for a rumor of it.

The law, precisely

The PDPL came into force on 14 September 2023, with a one-year grace period ending 14 September 2024. Its reach is broad: it applies to any processing of personal data taking place in the Kingdom, and to processing of KSA residents’ data by entities outside the Kingdom — extraterritorial, in the GDPR mold. Data subjects hold rights to be informed, to access their data and obtain a copy, to request correction, and to request destruction.

What Article 29 actually says about transfers

Cross-border transfer is governed by Article 29 of the law together with SDAIA’s Regulation on Personal Data Transfer Outside the Kingdom. The conditions, per specialist legal analysis of the regime: the transfer must not prejudice national security or the Kingdom’s vital interests; the recipient jurisdiction must afford an adequate level of protection; and the transfer must respect data minimization.

Where the recipient jurisdiction is not adequate, transfers require appropriate safeguards: SDAIA Standard Contractual Clauses (“Saudi SCCs”), Binding Common Rules for intra-group transfers, or a certificate of accreditation from an approved body. Before transferring, controllers must run a transfer risk assessment covering purpose and legal basis, the nature and geographical scope of processing, safeguards, recipient adequacy, and minimization.

One practical gap to plan around: SDAIA has not published its list of adequate jurisdictions, so advisers default to EU-adequate jurisdictions in the interim. For an SAP landscape, that means every cross-border interface — support access, analytics replication, shared services — needs a documented lawful transfer path now, on safeguards, not a wait for an adequacy list.

The audit controls your SAP program must evidence

Three controls recur in PDPL compliance reviews, and all three have direct SAP-landscape implications:

The in-Kingdom map, precisely

Here is where imprecision costs the most, so let us be exact about what runs in Saudi Arabia today — and what does not.

And for SAP specifically: the confirmed in-Kingdom hosting evidence points to Google Cloud. Saudia adopted RISE with SAP on Google Cloud with mission-critical data hosted in-Kingdom to align with the Kingdom’s data sovereignty goals, and Saudi Arabia’s public-sector SAP Business Network deployment is hosted on Google Cloud in Saudi Arabia, allowing government buyers to store data in-country while transacting globally, compliant with national data residency and cybersecurity regulations (CCC-2020). We found no primary source tying SAP’s older 2018 Riyadh data center to RISE hosting — if in-Kingdom RISE is on your requirements list, the substrate to validate with SAP today is Google Cloud’s Dammam region.

What this means for your architecture decisions

Start from the data, not the slogan. Classify what personal data your SAP landscape processes and where it flows; most estates discover their genuine residency-sensitive footprint is narrower than assumed. For data that stays, in-Kingdom options exist today and are widening through 2026 as more hyperscaler regions come online — sequence your roadmap against confirmed availability, not announcements. For data that legitimately leaves — global support models, group consolidation, shared analytics — build the Article 29 path deliberately: safeguards in contracts, transfer risk assessments on file, minimization designed into interfaces. And evidence the controls: 72-hour breach capability, records of processing, a registered DPO where required.

The PDPL does not ask you to lock every byte inside the Kingdom; it asks you to know what leaves, why, and under what protection. Firms that read the law precisely will run leaner architectures — and pass audits — while their competitors pay for residency the regulator never demanded.

Sources

# URL Publisher
1 https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html AWS (official)
2 https://press.aboutamazon.com/2024/3/aws-to-launch-an-infrastructure-region-in-the-kingdom-of-saudi-arabia Amazon/AWS (official)
3 https://aws.amazon.com/about-aws/global-infrastructure/ AWS (official)
4 https://www.googlecloudpresscorner.com/2023-11-15-Google-Cloud-Expands-Regional-Presence-with-Opening-of-Dammam-Cloud-Region-Forecast-to-Boost-Economy-by-USD-109-Billion-by-2030 Google Cloud (official)
5 https://news.sap.com/mena/2024/01/saudia-becomes-kingdoms-first-airliner-to-adopt-rise-with-sap-on-google-cloud/ SAP MENA (official)
6 https://news.sap.com/mena/2025/10/saudi-first-in-world-to-host-sap-business-network-for-public-sector-with-full-data-sovereignty-compliance/ SAP MENA (official)
7 https://news.microsoft.com/en-xm/2024/12/04/microsoft-shares-strong-progress-on-datacenter-region-in-saudi-arabia-construction-complete-on-three-sites-with-availability-expected-in-2026/ Microsoft (official)
8 https://www.kslaw.com/news-and-insights/international-personal-data-transfers-under-saudi-arabias-data-protection-law King & Spalding (law firm, Tier-B)
9 https://securiti.ai/regulation-on-personal-data-transfer-outside-the-kingdom/ Securiti (Tier-B)
10 https://www.dlapiperdataprotection.com/?c=SA DLA Piper (law firm, Tier-B)
11 https://halaprivacy.com/what-is-pdpl/ Hala Privacy (Tier-C, cross-checked with DLA Piper)
12 SDAIA Regulation on Personal Data Transfer Outside the Kingdom (official PDF, dgp.sdaia.gov.sa) SDAIA (official)

← Back to the Knowledge Center

Talk to us about your SAP estate.

Thirty minutes, one process, an honest read. No deck, no obligation.