A wave of personal data protection legislation is transforming how organisations across the Gulf Cooperation Council handle data. SCOVR keeps every message, every call, every file and every byte of stored data inside the sovereign jurisdiction — satisfying the core requirement that all these laws share.
Both the Saudi and UAE laws draw on internationally recognised data protection principles — and both place explicit restrictions on cross-border data transfers that make in-country sovereign communications infrastructure essential.
Enacted by Royal Decree No. M/19 (2021) and amended by Royal Decree No. M/148 (2023), the Saudi PDPL came into force on 14 September 2023, with full enforcement from 14 September 2024. It is supervised by the Saudi Data & Artificial Intelligence Authority (SDAIA) — which, within the first year of full enforcement, issued 48 confirmed violation decisions covering unauthorised processing, disclosure failures, and inadequate technical safeguards.
Authority: SDAIA (Saudi Data & Artificial Intelligence Authority) — with possible transfer to NDMO after an initial period.
Cross-border transfers: Only permitted where the recipient country has adequate data protection, appropriate safeguards are in place, and the transfer does not prejudice national security or public interest.
Fines: Administrative fine up to SAR 5M; criminal penalties for sensitive data: up to 2 years' imprisonment and SAR 3M fine. Repeat violations: fines doubled.
Breach notification: 72 hours to SDAIA for breaches posing risk to data subjects; prompt notification to affected individuals for high-risk breaches.
Sensitive data: Stricter processing rules apply. Legitimate interest cannot justify processing sensitive personal data — only specific listed grounds are valid.
The UAE's Federal Personal Data Protection Law took effect on 2 January 2022, establishing the first federal-level data protection framework for the UAE. Overseen by the UAE Data Office, it applies to organisations established in the UAE and any entity outside the UAE that processes personal data of UAE residents. Separate regimes apply in the financial free zones (DIFC and ADGM), both of which maintain GDPR-comparable frameworks.
Authority: UAE Data Office for federal law; DIFC Commissioner of Data Protection; ADGM Office of Data Protection for free zone regimes.
Cross-border transfers: Requires adequate protection in the recipient country or appropriate safeguards (standard contractual clauses or binding rules). Government and security entities are exempt from the law entirely.
Fines: AED 50,000 to AED 5 million. DIFC and ADGM carry separate, more substantial penalty regimes closer to GDPR levels.
Primary legal basis: Consent is the default basis for processing personal data, with a defined set of exceptions. Unlike GDPR, the framework does not recognise legitimate interest for all data types.
Sensitive data: Covers ethnicity, political/religious beliefs, criminal records, biometric details, health and genetic information — subject to heightened processing restrictions.
The Gulf Cooperation Council is undergoing a systematic transformation of data governance — driven by the same economic diversification agenda that is attracting international investment and demanding regulatory credibility in return.
One of the earliest Gulf frameworks, Bahrain's PDPL is closely modelled on the EU GDPR — including an independent supervisory authority (Personal Data Protection Authority), data subject rights, and lawful basis requirements. It is among the most GDPR-aligned laws in the region.
Qatar's data protection law has been incrementally updated and now includes cross-border transfer restrictions, sector-specific data localisation requirements, and consent obligations. The Qatar Financial Centre (QFC) maintains a separate GDPR-comparable regime for regulated entities.
Kuwait's Personal Data Protection Law entered full effect in February 2025. Its current scope focuses on organisations licensed by the Communications and Telecommunications Regulatory Authority (CITRA), with expansion anticipated. Data localisation requirements are a central feature.
Jordan's PDPL took full effect in March 2025, bringing the Kingdom into the regional data protection framework. It introduces controller and processor obligations, data subject rights, and cross-border transfer restrictions comparable to the other GCC frameworks.
Every PDPL framework across the Gulf region draws on the structural architecture of the EU General Data Protection Regulation. The shared elements are not coincidental: Saudi Arabia, the UAE, Bahrain, Qatar, Kuwait, and Jordan all modelled their frameworks on GDPR's core principles — lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security — while adapting enforcement and penalty structures to their own legal traditions. The result is a family of laws where GDPR compliance expertise transfers directly: the obligations that sovereign communications satisfy under GDPR are, article by article, the same obligations they satisfy under every GCC PDPL. Critically, all of these laws also share GDPR's extraterritorial reach — any organisation anywhere in the world that processes the personal data of individuals in these jurisdictions must comply, regardless of where the organisation itself is based.
Communications infrastructure — every message sent, every call made, every file shared — is personal data processing. Each channel triggers obligations under the PDPL that cannot be satisfied by policy alone.
Organisations must implement "necessary organisational, administrative, and technical measures" to preserve personal data security — including during transfer. End-to-end encryption is the primary technical measure that satisfies this requirement for communications infrastructure. No written alternative is sufficient without it.
Transfers outside the jurisdiction require that the recipient country provides adequate protection — assessed by SDAIA / UAE Data Office — and that appropriate safeguards are in place. Any cloud messaging, video conferencing, or file sharing platform hosted abroad constitutes a cross-border transfer every time a resident uses it.
Qualifying breaches must be notified to SDAIA within 72 hours of discovery. Where the breach creates significant risk to data subjects, the affected individuals must also be notified promptly. The isolated, self-hosted architecture of a sovereign platform dramatically reduces the probability and scale of qualifying incidents.
Individuals may request access to their data, correction of inaccuracies, deletion of their records, restriction of processing, and portability of their data to another controller. Requests must be fulfilled within 30 days. Controllers must maintain records of all data subject requests.
Sensitive personal data — including health data, genetic information, biometric identifiers, criminal records, and religious beliefs — may not be processed on the basis of legitimate interest alone. Explicit consent or another specific lawful ground is required. Communications containing sensitive data must be protected to the highest available standard.
Organisations must maintain records of processing activities including purpose, data categories, recipients, cross-border transfer status, and expected retention period. These records must be available to SDAIA upon request. Full audit logging of communications platform access and processing events constitutes this register automatically.
Every key obligation that touches communications infrastructure is addressed at the platform level — architecture first, documentation second.
Cross-border transfer restrictions are among the most operationally demanding obligations in the Saudi PDPL and UAE PDPL. Every cloud messaging service, video conferencing platform, and file sharing tool that is headquartered abroad constitutes a cross-border data transfer under these laws — regardless of where the servers are nominally located. The reason is straightforward: a US-headquartered company remains subject to US law even when it operates servers in the Gulf, meaning that US authorities can compel the production of data held anywhere in the world.
SCOVR eliminates this problem at the architectural level. The platform is self-hosted: your servers, in your jurisdiction, under your jurisdiction's laws. When a ministry communicates with a state-owned enterprise, when a bank's legal team shares documents with compliance, when two organisations in the same city hold a video meeting — none of that data touches foreign infrastructure. It never needs to. The platform is designed specifically so that internal communications remain internal, by design, not by policy.
For communications with external parties in other jurisdictions, the federated architecture provides the same guarantee at the other end: each organisation hosts its own server, and only the messages themselves transit between servers — with end-to-end encryption ensuring that not even the servers can read what passes between them.
All data — messages, files, voice recordings, call records, user profiles, and audit logs — is stored on servers physically located within the jurisdiction you designate. No data transits to foreign infrastructure. The cross-border transfer obligation is satisfied architecturally, before any legal analysis is required.
US-headquartered cloud providers remain subject to the US CLOUD Act regardless of server location — meaning they can be compelled to produce data held on Gulf servers by US authorities. SCOVR's infrastructure has no US-headquartered parent. There is no legal pathway for foreign governmental access to your data.
Communications between organisations within the same jurisdiction — government ministries, state-owned enterprises, regulated firms, and their counterparts — never leave the country. The federated architecture means each sovereign deployment communicates with others without routing through any foreign server.
The PDPL requires that organisations transferring data abroad verify the adequacy of the destination country's protection. A deployment that never transfers data abroad requires no adequacy assessment at all — not as a workaround, but as the correct architectural outcome of sovereign hosting.
The PDPL explicitly prohibits transfers that prejudice national security or public interest. A sovereign, self-hosted platform creates no such risk — there are no foreign system administrators, no shared infrastructure, and no external party with technical access to communications content or metadata.
Messaging, video conferencing, file sharing, and data hosting: four categories of personal data processing that trigger PDPL obligations, all addressed by a single sovereign platform.
Every message is encrypted end-to-end before leaving the sender's device. No server — including your own — can read the content. Personal data shared in messages: names, IDs, financial details, sensitive matters — all remain protected and within jurisdiction. No foreign platform operator receives or stores them.
Satisfies: Security, data minimisation, cross-border
Encrypted voice and video calls hosted on your sovereign infrastructure. No content is retained on foreign servers. Meetings between government entities, between financial institutions, between advisors and clients — all occur entirely within the jurisdiction, with no foreign platform processing the audio, video, or metadata.
Satisfies: Security, cross-border, sensitive data
Documents, contracts, reports, and sensitive records are shared within encrypted channels stored entirely on sovereign servers. No file transits through foreign cloud storage. Role-based access controls ensure that only authorised recipients can retrieve files. The open standard means no proprietary file locking.
Satisfies: Security, cross-border, processor contracts
All data — messages, files, call records, user profiles, audit logs — is hosted in your designated sovereign jurisdiction. No data is stored on shared multi-tenant infrastructure. Access is restricted to authorised users within your organisation. The jurisdiction of your data is a fact about your infrastructure — not a policy claim about a foreign cloud provider's servers.
Satisfies: Cross-border, records, breach notification
Every user on a sovereign SCOVR deployment has a unique Matrix identifier. Like an email address, this ID works across any compatible deployment in the world — enabling communication between organisations without requiring them to share infrastructure or accounts on the same platform.
No new accounts. No foreign platform. No data leakage. Each organisation's server holds only its own users' data — the messages transit encrypted between servers, and neither server can read the content of messages intended for the other.
Consumer messaging platforms solve the interoperability problem by centralising everything on one server — which means every user's data passes through and is stored by the platform operator. That is structurally incompatible with PDPL cross-border transfer requirements when the operator is a foreign entity.
The open standard federated protocol solves the same problem without centralisation. Each organisation — a ministry, a bank, a law firm, a private company — runs its own server. Users have their own Matrix identifier tied to their organisation's server. They can communicate freely with anyone on any other compatible deployment, anywhere in the world, using just that identifier. No shared infrastructure. No account creation on a foreign platform.
Within the Kingdom, this means internal communications between any number of government ministries, state entities, and private companies can all occur on sovereign infrastructure — with each organisation maintaining full control over its own users' data, and no central platform operator holding everything.
Across borders, the same architecture enables communications with international partners in the UAE, in Bahrain, in Qatar, or anywhere else — with end-to-end encryption ensuring that even the transit between servers cannot be intercepted, and each server retaining only its own users' records.
Under the Saudi PDPL, transferring personal data abroad requires adequate protection at the destination. When two organisations in different countries communicate via federated sovereign servers, each server processes only its own users' data. The message content is encrypted end-to-end. No personal data of Saudi residents is transferred to or processed by the foreign server — only encrypted transit occurs. This is structurally different from routing messages through a foreign cloud platform, where the operator processes the data.
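As an added example (not SCOVR's or the Matrix project's code) of the federation rule described above, this Python check derives from a room's member IDs which homeservers take part in the room and whether any of them lies outside the deploying jurisdiction, so a compliance team can tell in-jurisdiction rooms from authorised cross-border ones; the homeserver hostnames and the jurisdiction table are constructed.

```python
# Added example (not SCOVR's or the Matrix project's code): work out, from a
# room's membership, which homeservers take part in federation for that room,
# so a compliance team can record which rooms stay in-jurisdiction and which
# involve a server abroad. The host-to-jurisdiction mapping is constructed.
import re
from dataclasses import dataclass

# Matrix user ID: @localpart:server_name, where server_name may carry a port
# and may be an IPv6 literal in brackets. The pattern is a simplification
# of the spec's grammar, written for this example.
_MXID = re.compile(r"^@([^:]+):(\[[0-9a-fA-F:.]+\]|[^:\[\]]+)(?::(\d{1,5}))?$")

def parse_mxid(mxid: str) -> tuple[str, str]:
    """Return (localpart, host) for a Matrix user ID; reject malformed input."""
    m = _MXID.match(mxid)
    if not m:
        raise ValueError(f"malformed Matrix ID: {mxid!r}")
    return m.group(1), m.group(2).lower()

# Constructed table: which jurisdiction operates each homeserver.
HOST_JURISDICTION = {
    "matrix.ministry.example.sa": "SA",
    "matrix.bank.example.sa": "SA",
    "matrix.partner.example.ae": "AE",
}

@dataclass(frozen=True)
class RoomAssessment:
    homeservers: frozenset[str]
    jurisdictions: frozenset[str]
    cross_border: bool

def assess_room(members: list[str], home: str) -> RoomAssessment:
    """Each member's homeserver receives the room's encrypted events, so the
    room is cross-border once any member sits on a server outside `home`."""
    if not members:
        raise ValueError("a room needs at least one member to assess")
    hosts = frozenset(parse_mxid(m)[1] for m in members)
    unknown = sorted(h for h in hosts if h not in HOST_JURISDICTION)
    if unknown:
        raise KeyError(f"homeserver(s) with no recorded jurisdiction: {unknown}")
    jurisdictions = frozenset(HOST_JURISDICTION[h] for h in hosts)
    return RoomAssessment(hosts, jurisdictions, jurisdictions != {home})

def rooms_needing_transfer_records(rooms: dict[str, list[str]], home: str) -> list[str]:
    """Room IDs whose federation crosses the border and therefore needs the
    transfer safeguards and processing records the PDPL expects."""
    return sorted(r for r, members in rooms.items() if assess_room(members, home).cross_border)
```

A room whose members all sit on servers mapped to the home jurisdiction is reported as in-jurisdiction; any unmapped homeserver is raised as an error rather than silently assumed safe.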
Documentation, processor contracts, and architectural features aligned with the Saudi PDPL, UAE PDPL, and the broader GCC data protection landscape — bundled with every deployment.
Architecture and processes designed for the Saudi Personal Data Protection Law: in-country data hosting satisfying cross-border transfer restrictions, technical security measures, 72-hour breach notification documentation, data subject rights fulfilment, and a full Data Processing Agreement provided with every deployment.
Platform architecture satisfies the UAE federal PDPL obligations as well as the more stringent requirements of the DIFC Data Protection Law and ADGM Data Protection Regulations — making it appropriate for organisations operating across mainland UAE and financial free zones simultaneously.
All data is hosted within the designated sovereign jurisdiction by default. No cross-border transfer occurs in normal operation — eliminating the adequacy assessment requirement for internal communications. For authorised cross-border communications, the federated architecture ensures each server holds only its own users' data.
Any organisation with a sovereign SCOVR deployment can communicate directly with any other — using only a Matrix identifier, without account creation on a foreign platform. Ministries, state enterprises, regulated firms, and private companies can all communicate on sovereign infrastructure while remaining independently controlled.
Platform and operational processes certified to ISO/IEC 27001:2022 — providing internationally recognised evidence of security controls that satisfies the technical safeguard requirements of both the Saudi PDPL and UAE PDPL, and supports the adequacy assessment that SDAIA applies to transfer destinations.
The platform is built on a published, open protocol maintained by an independent non-profit foundation. SDAIA, the UAE Data Office, or any competent technical authority can audit all processing activities, data flows, and cryptographic implementations without vendor cooperation. No proprietary black-box components exist.
Specific answers to the PDPL questions legal, compliance, and technology teams across the Gulf ask most often.
Book a private briefing with our Gulf compliance team. We will design a deployment that satisfies the PDPL obligations specific to your jurisdiction, sector, and communications requirements — before any processing begins.