ARTICLE
1 October 2025

Observations And Tips On Data Issues In KSA

Al Tamimi & Company

Contributor



As part of the compliance obligation under the Saudi Personal Data Protection Law (PDPL), we set out below a summary of our observations regarding SDAIA's current practices:

a. Registration with SDAIA

We have observed that SDAIA is increasingly requiring entities to register as data controllers on the National Data Governance Platform (NDGP). In practice, this may occur either through direct outreach by SDAIA or indirectly via the entity's sector regulator, in some cases without a prior assessment of whether the entity is in fact required—under the PDPL and its Implementing Regulations—to register.

In light of this, our recommendations are as follows:

  1. If you fall within the requirements to register as a data controller, you should initiate the registration process promptly to ensure compliance with the PDPL and its regulations.
  2. If you do not fall within those requirements but receive a request from SDAIA or a Saudi regulator to register (noting that such requests typically provide a 30-day grace period), you should be prepared to respond with appropriate explanations and legal arguments as to why registration is not required. Depending on SDAIA's reply, further steps can then be taken.

b. Data Breach Notifications

We have also seen cases where entities seeking to register as data controllers for the purpose of submitting a data breach notification encounter difficulties because they are not recognized as eligible to register. This has resulted in risks of delay in meeting the 72-hour breach notification deadline mandated by the PDPL and enforced by SDAIA.

To mitigate this risk, we have adopted the approach of submitting the initial breach notification directly by e-mail to the National Data Management Office (which administers the NDGP) within the 72-hour timeframe, while completing the formal registration process on the platform if and when registration is required. This ensures compliance with statutory deadlines. Please note, however, that if the notification is submitted after the 72-hour window, SDAIA requires a written justification for the delay.

PDPL Training

Regarding the PDPL training, we would like to emphasize the importance of conducting internal training for employees who process or handle personal data within organizations. This is a key requirement under the PDPL and its Implementing Regulations.

Specifically, Article 36 of the Implementing Regulations mandates that entities conduct regular audits to ensure the protection of personal data. It also highlights the need for staff to be adequately trained to manage personal data responsibly, identify internal compliance gaps, and implement the necessary administrative and organizational measures to ensure data accuracy and integrity.

Additionally, Article 32 outlines the responsibilities of the data protection officer, which include participating in awareness initiatives, delivering training, and promoting knowledge transfer related to data protection, compliance, and the ethical handling of personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
