Saudi Arabia E-Commerce Legislations and Comparative European Union and Turkey Legislations Review


As we mentioned in our latest Article Saudi Arabia is an appealing advantage for e- commerce initiatives. In this Article we will examine this country regulation within scope of the consumer rights, data protection, license requirements and other related issues in comparison with EU and TR legislation.

The E-commerce Law in Saudi Arabia entered into force on 10 July 2019.[1] The E-Commerce Law aims to increase the contribution of e-commerce to the Saudi Arabian economy, to enable the foreign and local e- commerce companies to invest in Saudi Arabia, and ensuring the achievement of 2030 Vision. The law regulates the rights and obligations of Service Providers who are located in Saudi Arabia and Service Providers outside Saudi Arabia but provide products or services to consumers in Saudi Arabia. The Service Providers defined as; e-commerce practitioners registered in the trade registry (Merchants) and e-commerce practitioners not registered in the trade registry (Practitioners). However, non-registered service providers (Practitioners) are required to specify their company addresses on their e-commerce sites.

Consumer Rights

The Service Providers obliged to pay attention; to protect consumers data (Art.5), to disclose goods/services features appropriately and properly, to submit a statement containing the terms and conditions of the contract to be concluded to the Consumer ( Art.7), to submit a detail invoice that contains indicating the specified delivery date and location, total prices including taxes, and delivery costs, if any. (Art.8).

E-Commerce Law aims to protect the consumer against fraud, deception and misleading information statement by aiming to improve the confidence of the consumer regarding e-commerce transactions.

If Service Providers do not comply with the provisions of the E-Commerce Law and Regulation, they pay a penalty of approximately $270,000.

The Service Providers need to provide terms and conditions of the conducted contract pursuant to E-Commerce Law and Regulation. Fundamental features of goods/services, product warranty informations, the total price of the product and/or service, including taxes, and delivery and shipping costs, if any; payment and delivery terms, the service provider’s contact information, name, residing address etc., and also other specific information specified in the Regulations regulating the information that the Service Provider must provide according to the nature of each transaction should be disclosed to the Consumer. Without prejudice to the provisions of the E-Commerce Law, within the scope of the pre-information obligation of the service provider pursuant to Turkish and EU legislation, the consumer should be clearly informed that a binding contract will be concluded between the parties after the payment has been approved and this contract will constitute a payment obligation. (Article 7 of the Regulation.)

Pursuant to the E-Commerce Law, if the consumer has not used or benefited from the goods or services other than the cases specified in the E-Commerce Law, the right to return the product purchased through an e-commerce channel or the right to terminate the service contract within seven(7) days from the date of receipt has been recognized and the cost of terminating the contract is given to the consumer. As in the Turkish legislation, the consumer has the right to withdraw due to the right of return and cancellation, but in Turkey, the right to return is recognized as 14 days and there is no cost incurred if the consumer terminates the contract.

In addition to the consumer’s right to terminate the contract, if the Service Provider delays the delivery for more than fifteen days, the consumer will also have the right to cancel his/her order.

The cases in which the right of withdrawal cannot be exercised in Article 11 of the E-Commerce Law are the same as in Article 15 of the Turkish Regulation on Distance Contracts.

Information Required to Disclose on E-Commerce Sites

Pursuant to Article 6 of the Law and Regulation the Service Provider should disclose these informations on their web site: in case the service provider is not registered with an E-store Authentication Authority the service provider’s name and any identifying feature of the service provider; If the company is registered in the registry, its name and registration number, the e-commerce site privacy policy (if it is stated, that the privacy policy is not an obligation, contrary to the legislation in Turkey), the terms of use, the license information and contact number of the service provider, if available,the Service Provider’s tax number, customer complaints and resolution procedures and methods.


Article 12 of the Regulation and after the establishment of the e-store, the trade registry must be registered within 30 days. Practitioners who are not registered in the trade registry can apply through the Ministry’s website by collecting the information required in Article 12 of the Regulation. For a completely foreign venture, an application must be made to the Saudi Arabian Investment Authority for an Investor License. With the investor license, the foreign investor can operate his company in the region without the need for a local business partner. In addition to the investor license, foreign investors should apply to the Ministry of Trade and Industry for a trade registry certificate. Registration with the Chamber of Commerce and Industry and meeting with the General Manager are mandatory. In addition, it is obligatory for the foreign investor to register with the Zakat, Tax and Customs Authority, the Ministry of Human Resources and Social Development ,and the General Organizations of Social Insurances. [2]

Electronic Advertisements

Pursuant to E-Commerce Law commercial advertisements are ntegral part of the contract and legally binding. The Service Provider will be binding by the product features and price specified in advertisement. In accordance with the E-Commerce Law, electronic advertisements should be included in the content; the name of the advertised product or service; the name and any identifying feature of the Service Provider, unless registered with an e-shop authentication body; Service Provider’s contact information; and other information specified in the Regulation. In the content of the service provider’s electronic messages; should use a clear and understandable statement that they are advertisements and contribute to the conscious choice of the consumer by providing accurate information about the features of the advertised product/service. If the Service Provider is not registered with an E-Shops Verification Body (E-Shops Verification Body), the name of the service provider and any identifying features, the service provider’s contact information must also be clearly present in the advertisement. In addition, the electronic advertisement must not contain any false offers, statements, claims or deceptive content that will deceive or mislead the consumer, as well as a false logo or trademark expression that the service provider does not have the right to use.

As in the Law on the Regulation of Electronic Commerce, in Article 10 of the E-Commerce Law and Regulation, the consumer has the right to refuse taking electronic commercial messages. The Service Provider obliged to stop sending electronic advertisements to the Consumer as of the receipt of this request. In addition, the E-Commerce Law and Regulation includes a regulation on the protection of personal data regarding electronic advertisements. Our explanations about these regulations are included in the Personal Data Protection Law section.

Data Protection

There is a clear emphasis on the protection of consumer data in the E-Commerce Law, and the E-Commerce Law imposes a legal obligation on the service provider to protect the confidentiality of consumer data. As stated in Article 5 of the E-Commerce Law, the information considered as personal data is counted in the Regulation [3]. Accordingly, in Article 5 of the Regulation, the information containing specific information about the identity of the Consumer such as name, identity information, address, telephone number, personal property, account and bank card numbers, still and moving pictures are defined as personal data. Accordingly, in accordance with the E-Commerce Law, the Service Provider will not be able to store the Consumer’s personal data and electronic communications, except for the purpose of fulfilling its obligations, unless agreed by the parties at different times, except for the time required by the nature of the electronic transaction. In addition, it will take the necessary measures to protect and maintain the confidentiality of these personal data and electronic communications throughout the storage period. Also the Service Providers will not use the Consumer’s personal data or electronic communications for unauthorized purposes and will not disclose them to other organizations free of charge or for their own interests , unless the Consumer allows such disclosure or is required by law. Similarly in EU and Turkish legislation, personal data processing conditions are defined in personal data legislation, and no data processing conditions are specifically regulated by law. Personal data to be obtained during e-commerce and personal data processing conditions are not listed in the Turkish Electronic Commerce regulations, and data can be merely processed in cases listed in the Law on the Protection of Personal Data.

Besides, in the Law on the Regulation of Electronic Commerce, the retention period of the consumer’s personal data is not specified, as in Article 5 of the E-Commerce Law.

In the Saudi Arabian E-Commerce Law, the Service Provider is also responsible for the protection of the Consumer’s personal data from its subsidiaries or affiliates that it works with. When we examine the Data Protection Law in Turkey, the data controller and the data processor will be jointly responsible for the security of personal data in the Article 12 of the Data Protection Law. However, since there is no Data Protection Law regulation in Saudi Arabia However, since there is currently no Data Protection Law in effect in Saudi Arabia, it is concluded from the relevant Regulation that the responsibility for a data security breach arising from personal data processing during e-commerce transactions will be on the Service Provider as the data controllerIn addition, in the Turkish e-commerce legislation and the relevant Saudi Arabian legislation, the service provider cannot transmit the consumer’s personal data to third parties or use them for other purposes.

Regarding the violation, unlike the legislation of Turkey and the European Union, the notification of the violation is made to the relevant Ministry, not to a Data Protection Authority. EU and Turkish legislation and Saudi Arabian legislation are the same in terms of notification to the consumer, that is, to the data subjectIn accordance with EU and Turkish legislation, the scope and effects of the violation and the measures taken to remedy this violation will not exempt the Service Provider from liability to the Consumer, and the Service Provider will have to comply with those given by the competent authorities regarding the remedy of the violation.

In accordance with the 3rd paragraph of Article 5 of the Regulation, the personal data of the consumer is processed with the consent of the consumer in the process of becoming a member of the e-commerce site and / or application. If the membership process is a condition of receiving services it will not be accepted as an explicit consent in accordance with the EU and Turkish legislation. Another issue subject to explicit consent in the Regulation is the storage of the Consumer’s personal data for another purpose, such as advertising or marketing, without their explicit consent.

[1] For the full text of the relevant Law E-Commerce Law (Royal Decree Number M/126)


[3] Yönetmeliğin tamamı için bkz.