How does video analytics stay PDPL-compliant in Saudi Arabia?
Video analytics on a Saudi site stays PDPL-compliant by establishing a documented lawful basis (typically legitimate interest or legal obligation for safety), minimising captured data, retaining footage no longer than 30 days unless legally mandated, processing on-prem in the Kingdom, registering controllers and processors with SDAIA, running a Data Protection Impact Assessment for any biometric or identification feature, and signposting cameras with bilingual notices.
The Personal Data Protection Law (PDPL) entered full enforcement in September 2024 under the Saudi Data and AI Authority (SDAIA). It applies to any processing of personal data inside the Kingdom or relating to Saudi residents — including faces, license plates, voice, and behaviour patterns captured on camera.
The seven compliance pillars for camera-based AI
1. Lawful basis
Pick one and document it before deployment. For industrial sites, the typical bases are:
- Legal obligation — OSH regulations require monitoring of mandatory PPE zones.
- Legitimate interest — preventing theft, intrusion, or accidents on private property.
- Consent — rare for CCTV; impractical for moving workforces.
- Contract — when a worker's employment terms include monitoring.
2. Data minimisation
Capture only what the safety or security purpose needs. Crop out residential balconies. Mask number plates if plate recognition is not in scope. Aggregate counts when individual identity is not needed.
3. Retention
Default cap of 30 days for general CCTV. Extend only with documented justification (incident investigation, legal hold). Auto-delete must be enforced by the system itself, not by a manual process.
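The following is an added example, not code from the original page or from any vendor it describes, of what "enforced by the system" can look like for the retention pillar: a scheduled job that applies the 30-day cap, honours only legal holds that carry a documented reason and an end date, flags undocumented holds for review instead of silently deleting or silently keeping, and writes an audit line for every decision. The recording naming scheme (`camN_<UTC timestamp>.mp4`), the `holds.json` layout, and the sample recordings are all constructed for this example.

```python
"""Retention enforcement with legal-hold exemptions and an audit trail (added example).

Assumptions (constructed for this example, not from the page):
  - one file per recording, named  camN_YYYYMMDDTHHMMSSZ.mp4  (UTC capture time in the name)
  - an optional holds.json in the same directory mapping a recording name to
    {"reason": "<documented justification>", "until": "YYYY-MM-DD"}
"""
import json
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # default CCTV cap; only a documented hold may extend it
TS_FMT = "%Y%m%dT%H%M%SZ"
NAME_RE = re.compile(r"^cam\d+_(\d{8}T\d{6}Z)\.mp4$")
AUDIT_LOG = "retention-audit.log"


def recording_time(name):
    """Parse the UTC capture time from a recording name; None if it is not a recording."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)


def load_holds(root):
    path = os.path.join(root, "holds.json")
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def classify(ts, hold, now, cutoff):
    """Decide what to do with one recording: keep, held, review or delete."""
    if ts >= cutoff:
        return "keep"        # still inside the default retention window
    if hold is None:
        return "delete"      # past the cap and no documented justification
    if not hold.get("reason") or not hold.get("until"):
        return "review"      # hold exists but is undocumented: keep it, flag it, never delete quietly
    until = datetime.strptime(hold["until"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return "held" if now <= until else "delete"   # an expired hold no longer justifies retention


def enforce_retention(root, now, retention_days=RETENTION_DAYS, dry_run=False):
    """Apply the cap to every recording under root; return the decision per file."""
    holds = load_holds(root)
    cutoff = now - timedelta(days=retention_days)
    report = {"keep": [], "held": [], "review": [], "delete": [], "unrecognised": []}
    audit = []
    for name in sorted(os.listdir(root)):
        if name in ("holds.json", AUDIT_LOG):
            continue
        ts = recording_time(name)
        if ts is None:
            report["unrecognised"].append(name)   # never delete what cannot be classified
            audit.append(f"{now.isoformat()} SKIP {name} unrecognised name")
            continue
        action = classify(ts, holds.get(name), now, cutoff)
        report[action].append(name)
        if action == "delete" and not dry_run:
            os.remove(os.path.join(root, name))
        audit.append(f"{now.isoformat()} {action.upper()} {name} captured={ts.isoformat()}")
    with open(os.path.join(root, AUDIT_LOG), "a", encoding="utf-8") as f:
        f.write("\n".join(audit) + "\n")
    return report


def remaining_recordings(root):
    return sorted(n for n in os.listdir(root) if recording_time(n) is not None)


def build_sample_site(root, now):
    """Constructed fixture: four recordings of different ages plus a holds file and a stray file."""
    def touch(days_old, cam=1):
        name = f"cam{cam}_{(now - timedelta(days=days_old)).strftime(TS_FMT)}.mp4"
        open(os.path.join(root, name), "wb").close()
        return name
    names = {"fresh": touch(3), "stale": touch(45), "held": touch(60, cam=2), "undocumented": touch(90, cam=3)}
    holds = {
        names["held"]: {"reason": "Incident investigation (constructed)", "until": (now + timedelta(days=30)).strftime("%Y-%m-%d")},
        names["undocumented"]: {"reason": "", "until": "2099-01-01"},   # hold without a justification
    }
    with open(os.path.join(root, "holds.json"), "w", encoding="utf-8") as f:
        json.dump(holds, f)
    open(os.path.join(root, "notes.txt"), "w").close()
    return names


def demo():
    now = datetime(2024, 10, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
    root = tempfile.mkdtemp(prefix="cctv-")
    names = build_sample_site(root, now)
    return names, enforce_retention(root, now), root


if __name__ == "__main__":
    _, report, root = demo()
    for action, files in report.items():
        print(f"{action:12s} {files}")
    print("audit log:", os.path.join(root, AUDIT_LOG))
```

Run it from cron or a systemd timer under a service account that owns the storage path and nothing else; the audit log is what you hand to an auditor to show that the cap is applied by the system, and the `review` bucket is the queue for whoever owns legal holds to either document or release.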
4. Hosting
PDPL Article 29 restricts cross-border transfers of personal data. Video and inference results should remain on-prem in Saudi Arabia or in SDAIA-approved cloud regions. AWS Riyadh, Oracle Riyadh, and Google Dammam regions meet the residency requirement; foreign cloud regions usually do not without an approved transfer mechanism.
5. Controller and processor registration
Controllers (the site owner or operator) must register processing activities. Processors (the analytics vendor) must sign a Data Processing Agreement listing purposes, retention, sub-processors, and breach-notification obligations (72-hour SDAIA notification rule).
6. DPIA for high-risk processing
A Data Protection Impact Assessment is mandatory before any of:
- Biometric identification (face recognition, gait).
- Worker monitoring (productivity, breaks).
- Children in scope.
- Large-scale public-area monitoring.
The DPIA documents purpose, necessity, proportionality, risks, and mitigations. SDAIA may request a copy on audit.
7. Signposting and transparency
Bilingual (Arabic + English) notices at every entrance to monitored zones. The notice must state the controller's name, contact, purpose, lawful basis, retention period, and the data subject's rights (access, correction, erasure, objection).
Common compliance gaps we see on Saudi sites
| Gap | Fix |
|---|---|
| Cloud analytics in EU/US region | Move to KSA region or on-prem GPU server |
| No retention policy enforced | Enable auto-delete after 30 days at the storage layer |
| Face recognition without DPIA | Pause feature; complete DPIA; resume with documented mitigations |
| Arabic signs missing | Add bilingual notice within 3 m of every camera-monitored entrance |
| No DPA with vendor | Sign processor agreement with sub-processor list and breach SLA |
Practical checklist before going live
- Map every camera and what personal data it captures.
- Pick lawful basis per use case; document in the records of processing.
- Confirm hosting region.
- Sign DPA with the analytics vendor.
- Run a DPIA if biometrics or identification are in scope.
- Install bilingual signage.
- Enable retention auto-delete.
- Train operators on subject access and complaint handling.
For deployment architecture choices, see edge vs server. For integration, see CCTV integration.