On 14 September 2024, Saudi Arabia's Personal Data Protection Law (PDPL) became fully enforceable after a one-year grace period. Administered by the Saudi Data and Artificial Intelligence Authority (SDAIA), the PDPL applies to any entity collecting, processing, or storing personal data of individuals in Saudi Arabia — including hotels and their guest access control systems.
Key PDPL Requirements for Hotels
Hotels in Saudi Arabia must ensure they have lawful grounds for processing guest personal data, provide clear privacy notices in simple language, implement appropriate security measures, and respond to data subject access requests. Non-compliance can result in warnings or fines of up to SAR 5 million, with the potential for doubled penalties for repeat violations.
While the PDPL does not specifically mention RFID keycards, the law applies broadly to any personal data processing. Hotels should review their entire data lifecycle, including how access credentials are created, stored, transmitted to keycards, and deleted upon checkout.
Access Credential Security Best Practices
RFID keycards themselves store minimal personal data — typically a room number, access level, and expiry timestamp rather than guest names or identification numbers. The personal data lives in the property management system that generates these credentials: its record linking a guest's identity to a keycard is what must be protected, with the same care as any other guest record.
Hotels using MIFARE DESFire cards with AES-128 encryption benefit from mutual authentication: the card and the reader must each prove knowledge of the shared key before any data is exchanged, so a reader without the key cannot read the card's data and a card that does not hold the key is rejected. This is a significant security advantage over older magnetic stripe or basic RFID technologies.
Practical Steps for Compliance
- Audit your keycard system's data flow: what data is written to cards, how it is transmitted, and when it is purged
- Ensure your property management system encrypts stored access credentials
- Update your guest privacy notice to cover access control data processing
- Consider upgrading to DESFire-based keycards for enhanced on-card encryption
- Establish clear data retention policies for access logs and keycard assignment records
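The audit, encryption-at-rest and retention points above, as an added Go example written for this page (not the article's code and not any property management system vendor's). It models a minimal in-memory PMS store: the card credential is encrypted with AES-GCM and bound to the card UID as associated data, the guest-to-card link is deleted at checkout while the door log (which carries only the card UID) is kept, and the log is pruned by a retention window. The master key, guest ID, card UID, door name and credential bytes are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Assignment links a guest to a keycard; it holds personal data, so it is
// deleted at checkout rather than retained alongside the access logs.
type Assignment struct {
	GuestID, CardUID string
	Room             uint16
	credential       []byte // AES-GCM output: nonce || ciphertext || tag
}

// AccessEvent is the door audit trail; it names only the card UID.
type AccessEvent struct {
	CardUID, Door string
	At            time.Time
}

// PMS is a minimal in-memory property-management store (constructed model).
type PMS struct {
	aead         cipher.AEAD
	assignments  map[string]*Assignment // keyed by card UID
	Events       []AccessEvent
	logRetention time.Duration
}

func NewPMS(masterKey []byte, logRetention time.Duration) (*PMS, error) {
	block, err := aes.NewCipher(masterKey) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES, whose block size is always 16
	return &PMS{aead: aead, assignments: map[string]*Assignment{}, logRetention: logRetention}, nil
}

// Issue encrypts the credential at rest with the card UID as associated data,
// so a stored ciphertext cannot be moved to another card's record.
func (p *PMS) Issue(guestID, cardUID string, room uint16, credential []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := p.aead.Seal(nonce, nonce, credential, []byte(cardUID))
	p.assignments[cardUID] = &Assignment{GuestID: guestID, CardUID: cardUID, Room: room, credential: ct}
	return nil
}

// Credential decrypts a card's stored credential, e.g. to re-encode a card.
func (p *PMS) Credential(cardUID string) ([]byte, error) {
	a, ok := p.assignments[cardUID]
	if !ok {
		return nil, errors.New("no active assignment for card")
	}
	ns := p.aead.NonceSize()
	return p.aead.Open(nil, a.credential[:ns], a.credential[ns:], []byte(cardUID))
}

// Checkout purges the guest-to-card link; the access events are kept.
func (p *PMS) Checkout(cardUID string) error {
	if _, ok := p.assignments[cardUID]; !ok {
		return errors.New("no active assignment for card")
	}
	delete(p.assignments, cardUID)
	return nil
}

// PruneLogs drops access events older than the retention window.
func (p *PMS) PruneLogs(now time.Time) (removed int) {
	kept := p.Events[:0]
	for _, e := range p.Events {
		if now.Sub(e.At) <= p.logRetention {
			kept = append(kept, e)
		}
	}
	removed = len(p.Events) - len(kept)
	p.Events = kept
	return removed
}

// GuestOf answers what a data-subject request asks: can this access event
// still be attributed to a named guest?
func (p *PMS) GuestOf(e AccessEvent) (string, bool) {
	if a, ok := p.assignments[e.CardUID]; ok {
		return a.GuestID, true
	}
	return "", false
}

func main() {
	pms, _ := NewPMS([]byte("pms-master-key-0"), 90*24*time.Hour) // constructed 16-byte demo key
	_ = pms.Issue("guest-7731", "04A1B2C3", 412, []byte("room=412;level=1")) // constructed values
	e := AccessEvent{CardUID: "04A1B2C3", Door: "412", At: time.Now()}
	pms.Events = append(pms.Events, e)
	fmt.Println(pms.GuestOf(e)) // guest-7731 true
	_ = pms.Checkout("04A1B2C3")
	fmt.Println(pms.GuestOf(e)) // "" false: the log line stays, the link to a person is gone
}
```

The design choice worth noting is the split between the two record types: the door log is retained for security monitoring under the retention window, but once the assignment is purged at checkout it is no longer attributable to a person, which is what keeps the log out of scope for most data subject requests while the stay itself remains fully answerable.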