saudi-pdpl.com

Article 20

  1. The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.
  2. The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.

FAQs

Controllers must implement comprehensive safeguards under Article 20 and related regulations, including:

  • Data encryption (in transit and at rest) to protect data confidentiality.
  • Access controls: Role-based permissions, multi-factor authentication, and strict logical access management.
  • Cybersecurity systems: Firewalls, intrusion detection systems, malware protection, and regular vulnerability scans.
  • Physical security: Restricted access to data centers, smart ID controls, CCTV, and secure storage for physical records.
  • Personnel measures: Regular training on data protection policies, incident response, and handling procedures.
  • Incident response planning: Clear protocols for detecting, reporting, and responding to data breaches.
  • Data minimization: Limiting collection, processing, and retention to only what’s necessary.
  • Vendor management: Contracts with third parties must include PDPL-compliant security clauses and ongoing audits.

Yes. Controllers must conduct regular risk assessments, including:

  • Risk analysis: Identifying threats and vulnerabilities tied to their processing activities.
  • Data Protection Impact Assessments (DPIAs): Mandatory for high-risk scenarios like large-scale processing, linking data sources, profiling, or using new technologies.
  • Risk mitigation: Implementing appropriate technical and organisational measures based on assessment findings.
  • Tracking risk management: Documenting the assessment, results, and mitigation steps for ongoing review.

Controllers must prove they are actively maintaining data security by:

  • Documenting security controls: Keep records of encryption, access logs, system configurations, and training schedules.
  • Conducting regular reviews: Periodic audits, penetration tests, and internal compliance checks help uncover weaknesses.
  • Updating measures: Security controls must be amended in response to new risks, technology changes, or audit findings.
  • Maintaining logs & reports: Details of access events, incidents, and corrective actions must be logged.
  • Certifications & standards: Voluntary certifications (like ISO 27001) or internal codes of conduct show commitment to best practices.