Saudi Arabia's Personal Data Protection Law (PDPL), enforced by SDAIA, establishes a clear requirement: sensitive personal data — and health data is explicitly classified as sensitive — must be processed and stored within the Kingdom unless specific international transfer conditions are met.
For healthcare AI tools, this creates a compliance test that many globally developed solutions fail. A medical scribe that sends audio of patient encounters to servers in the United States or Europe for AI processing is in direct violation of PDPL. For the physicians and facilities using such tools, the liability is real.
What PDPL Requires for Health Data
- Explicit, informed patient consent for processing health data (or a recognized legal basis such as treatment necessity).
- Data must be processed for the stated purpose only — a clinical notes tool cannot use patient data to train commercial AI models without separate consent.
- Health data classified as 'sensitive' requires heightened protection measures.
- Cross-border transfers require SDAIA approval or documented compliance with localization requirements.
- Data processors (including AI vendors) must sign Data Processing Agreements and are jointly liable for breaches.
The Problem With Global AI Vendors
Many international AI medical scribe tools were built for the US or EU market. When marketed in Saudi Arabia, they often offer 'regional compliance' that amounts to storing the final note on local servers while sending the audio or raw input abroad for AI processing.
Under PDPL, this is non-compliant. Processing — not just storage — of health data must occur within KSA. An audio recording of a patient encounter is health data the moment it is created.
Questions to Ask Any Healthcare AI Vendor
- Where is the AI model hosted — the country of processing, not just storage?
- Is patient audio or clinical text transmitted outside KSA at any point?
- Does the vendor sign a PDPL-compliant Data Processing Agreement?
- Is the AI model trained on your facility's data? If so, where does training occur?
- Can the vendor provide SDAIA data localization documentation?
- What is the data retention and deletion policy?
How Sina Approaches PDPL Compliance
Sina processes all clinical data — including audio, transcription, and note generation — on AWS infrastructure physically located in the Riyadh region (me-south-1). No patient data leaves KSA at any point. The AI models used for transcription and note generation are hosted within the same KSA-region environment.
PDPL compliance is not a vendor's marketing claim — it is a legal obligation of the facility. Ask for documentation, not assurances.
The Facility's Responsibility
Under PDPL, the healthcare facility — not the technology vendor — is the primary Data Controller. This means the facility is ultimately responsible for ensuring that any AI tool it deploys is compliant. Vendor compliance documentation is necessary but not sufficient: facilities should conduct their own due diligence and document their assessments.
