Article 30
- Without prejudice to the provisions of this Law and the powers of the Saudi Central Bank pursuant to applicable legal provisions, the Competent Authority shall be the entity in charge of overseeing the implementation of this Law and the Regulations.
- The Regulations shall identify the situations where the Controller shall appoint one or more persons as personal data protection officer(s), and shall set the responsibilities of any such person in accordance with the provisions of this Law.
- The Controller shall cooperate with the Competent Authority in performing its duties to supervise the implementation of the provisions of this Law and the Regulations, and shall take such steps as necessary in connection with the related matters referred to the Controller by the Competent Authority.
- The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:
A. Request the necessary documents or information from the Controller to ensure its compliance with the provisions of the Law and Regulations.
B. Request the cooperation of any other party for the purposes of support in accomplishing supervisory duties and enforcement of the provisions of the Law and Regulations.
C. Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a national register of Controllers for this purpose.
D. Provide services related to Personal Data protection through the national register referred to in Subparagraph (c) of this Paragraph or through any other means deemed appropriate. The Competent Authority may collect a fee for the Personal Data protection services it may provide.
- The Competent Authority may, at its discretion, delegate to other authorities the accomplishment of some of its duties that are related to supervision or enforcement of the provisions of the Law and Regulations.
FAQs
Under Article 30, the Saudi Data & AI Authority (SDAIA) serves as the Competent Authority with broad oversight powers. This includes:
- The power to audit and inspect Controllers’ data processing operations and compliance systems.
- The ability to request documentation, such as Records of Processing Activities, DPIAs, breach notifications, and security logs.
- Authority to enforce corrective measures, which may involve issuing warnings, imposing penalties, or requiring changes to practices.
- Responsibility for maintaining a national Controller registry and charging associated regulatory fees.
Yes, in certain scenarios outlined under Article 30 (backed by rules from SDAIA), appointing a DPO is mandatory when a Controller:
- Is a public entity processing personal data on a large scale
- Has core activities involving systematic or large-scale monitoring of individuals
- Processes sensitive personal data (like health or financial records) on a large scale
The DPO role can be fulfilled internally or outsourced, but must be officially documented, appropriately qualified (with experience in personal data protection, risk, and regulatory compliance), and remain independent within the organization. Controllers must also register the appointed DPO with SDAIA.
If a Controller refuses to cooperate with SDAIA’s oversight or inspections:
- They become subject to regulatory enforcement, which can include formal warnings, costly fines, or remedial compliance orders.
- Continued non-compliance may lead to escalated penalties under the PDPL of up to SAR 5 million, with fines doubled for repeat offenses.