What PDPL says about biometric data
The Personal Data Protection Law treats biometric data — including face templates and facial vectors — as a special category requiring stronger protection than ordinary personal data. The implementing regulations (issued by SDAIA) set out:
- Lawful basis — explicit consent is the default; legitimate interest is permitted only with documented justification.
- DPIA requirement — face recognition triggers a mandatory Data Protection Impact Assessment.
- Cross-border rules — biometric data is among the categories most tightly bound by Article 29 cross-border rules.
- Retention — must be the minimum necessary; default postures of “keep forever” will fail.
Anchor in the PDPL glossary and the PDPL compliance video analytics checklist.
What you can do — three permitted use cases
- Workplace access control with explicit, documented employee consent and an alternative method (badge or PIN) for those who refuse.
- High-security site access with a documented legitimate-interest test, often paired with consent. Common at Aramco and military-adjacent sites.
- Safety alerting — recognising specific authorised personnel in restricted zones, again with the legitimate-interest test and DPIA.
For the underlying solution see the face recognition solution and the access control solution.
What you cannot do — three common mistakes
- Continuous covert face recognition of customers in public retail spaces without consent infrastructure. Not defensible under 2026 PDPL.
- Cross-border face template export to a vendor’s overseas data centre without an Article 29 mechanism in place.
- “Just in case” indefinite retention of face vectors. Retention must be tied to a documented purpose.
A vendor proposal that requires any of these three is a red flag.
The DPIA — what auditors expect
A defensible 2026 DPIA for face recognition contains:
- Purpose specification — what business outcome the system enables.
- Necessity test — why face recognition is required versus alternatives (badge, PIN, fingerprint).
- Proportionality test — scope, retention, access controls.
- Risk register — bias risk, false-match risk, function-creep risk.
- Mitigation plan — minimum necessary data, KSA-resident processing, retention schedule.
- DPO sign-off with named signatory.
This anchors in the trust / compliance overview and the security overview.
Cross-border rules under Article 29
Article 29 binds the export of personal data — and especially biometric data — outside the Kingdom. Three permitted patterns in 2026:
- No transfer. Face templates stored and processed entirely inside CST-licensed data residency regions. The defensible default.
- Adequacy decision — the destination country has a SDAIA adequacy decision. Few qualify in 2026.
- Specific safeguards — explicit consent, contractual safeguards, or specific necessity under Article 29 exceptions.
For detail see the PDPL compliance video analytics answer.
Employee monitoring — the labour-law overlay
PDPL is not the only constraint. Employee monitoring also touches:
- Saudi Labour Law — monitoring must be proportionate and disclosed.
- NCA Essential Cybersecurity Controls — see the NCA-ECC glossary.
- Sectoral rules — Aramco, SABIC and other operating organisations layer their own contractor HSE manuals on top.
The defensible posture combines explicit employee consent, a documented purpose, and a clear opt-out path that does not penalise the worker.
Bias and false-match risk
Biometric systems exhibit demographic performance variance. KSA construction workforces are unusually diverse — South Asian, North African, Filipino, Saudi national. A 2026-grade vendor:
- Discloses per-demographic precision/recall on a held-out validation set.
- Tracks drift weekly, with retraining triggered below an operational threshold.
- Provides a manual override path so a falsely rejected worker can still enter through a secondary verification.
Without these, the system’s first false-match incident will collapse trust.
Retention — what 2026 looks like
A defensible retention schedule:
| Data class | Retention |
|---|---|
| Live face template (active access) | While employment / access continues |
| Match log (event metadata) | 30 days default, 90 days if linked to incident |
| Face vector backup | None — re-enrol if needed |
| Face image archive | Not retained beyond enrolment |
Anchor in the data residency posture.
Vendor selection filter
Three filters that trim the candidate list:
- Saudi-resident processing confirmed in writing.
- DPIA template provided as part of the proposal, not as a billable add-on.
- Bias and demographic performance disclosure with the proposal.
For the broader procurement view see the top 10 platforms shortlist and the IKTVA Saudi-Made AI vendors guide.
What to expect in an SDAIA inspection
A 2026 SDAIA inspection of a face-recognition deployment typically looks for:
- Lawful basis register, signed by the DPO.
- DPIA on file, with named signatory.
- Consent records (where applicable) with timestamps.
- Retention schedule applied — random sample check.
- Cross-border posture documented.
- Incident response plan for biometric breaches.
If any of these is missing, expect a remediation order with a 30–90 day deadline [VERIFY-SME].
Common deployment mistakes
- Skipping the DPIA — the most common failure mode.
- No alternative method — workers cannot decline face enrolment.
- Cross-border processing without an Article 29 mechanism.
- Indefinite retention — “forever” is not a retention period.
Next steps
If you are scoping or auditing a face recognition deployment in Saudi Arabia, start with the face recognition solution, the access control solution and the PDPL compliance checklist. Cross-reference the PDPL glossary entry and the trust / compliance overview.
Book a privacy-side scoping call and we will produce a DPIA template and lawful-basis register tailored to your deployment within 10 working days.
