Key Proposed Updates to Saudi Arabia’s PDPL Implementing Regulations

Author

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Published May 7, 2025

I. Introduction

The Saudi Data & Artificial Intelligence Authority (SDAIA) has launched a public consultation on Proposed Amendments to the Implementing Regulations of the Personal Data Protection Law (PDPL). Public feedback is open through May 27, 2025, via the Istitlaa Platform. These draft changes aim to align regulatory language more closely with the PDPL itself, simplify how key information is communicated to data subjects, and clarify obligations for data controllers, particularly around registration, privacy policies, and oversight functions. The proposals also ease certain compliance requirements, such as those related to direct marketing and complaint procedures.

Below is an overview of the major changes and their implications for data controllers and processors operating in the Kingdom.

II. Streamlined Language Requirements for Privacy Policies

Currently, controllers are required to tailor communications to individuals lacking full legal capacity by providing information in an “appropriate language.” This is being revised, and the new requirement will simply state, “The Controller shall provide the required information in an appropriate and simplified language…”

This change emphasizes clarity and accessibility for all data subjects, especially minors or vulnerable individuals, by requiring that notices and privacy information be both suitable and easily understandable, not merely translated.

The updated regulations also introduce clearer standards for privacy policies. Controllers may now have to ensure that:

  • There is an explicit privacy policy, and it is written in clear, simplified, and comprehensible language that accommodates varying levels of understanding across different data subject groups.
  • The language used aligns with the customary language in which services or products are provided to the relevant audience.
    • This proposed amendment is particularly useful as it addresses the ambiguity regarding whether privacy policies must be translated into different languages in the KSA.

III. Direct Marketing Provisions Removed

Several provisions related to direct marketing may be removed from the Regulations, including:

  • The definition of “Direct Marketing” (which includes both physical and electronic communications, such as advertisements or promotions).
  • A requirement to disclose the sender’s identity when sending direct marketing material.

Organizations engaging in direct outreach should not interpret this as a license to proceed without consent, as the consent requirement still persists.

Personal Data Breach Definition Removed

The definition of a "Personal Data Breach" may also be removed from the Implementing Regulations. Previously, this definition referred to any incident involving the breach, corruption, or unauthorized access to personal data, whether intentional or accidental, automated or manual.

Instead of retaining a rigid definition, the revised regulations rely on the breach notification obligations already set out under Article 20 of the PDPL, Article 24 of the Implementing Regulations and the Personal Data Breach Incidents Procedural Guide. That article requires data controllers to notify both the Competent Authority and affected data subjects upon knowing of any breach, damage, or illegal access. Controllers must report to the Authority within 72 hours of becoming aware of the breach and include relevant details and mitigation measures. Where the breach poses a risk to the data subject’s rights or interests, the data subject must also be notified without undue delay and in clear, accessible language.

IV. Reduction in Record-Keeping Requirements

Key obligations around maintaining Records of Processing Activities (ROPAs) are also potentially being repealed. The following requirements are expected to be deleted:

  • The mandate that processing records must be in writing,
  • The specific list of minimum information to be included, such as:
    • Controller and DPO contact details
    • Purposes and categories of data
    • Retention periods
    • Recipients and transfers
    • Security measures

While the obligation to maintain records is still present, the removal of this granular list suggests a more flexible compliance framework.

V. Complaint Timeframe Restrictions Removed

The requirement setting a 90-day deadline for data subjects to submit complaints to the Competent Authority may also be deleted. In the current regime, the Authority has discretion to accept late complaints if the individual had valid reasons for the delay.

The deletion of this clause reflects a desire to remove unnecessary barriers to recourse, allowing individuals greater freedom to pursue complaints regardless of procedural timing.

A. Responding to Compliance Requests

A newly proposed provision requires controllers to respond to inquiries from SDAIA concerning their compliance with the PDPL and its Implementing Regulations within 10 business days.

VI. Expansion and Clarification of the DPO Role

Significant changes are also expected to the structure and obligations surrounding Personal Data Protection Officers (DPOs). The Rules for Appointing Personal Data Protection Officer will be repealed if this amendment comes into force and replaced with a more prescriptive framework:

  • Controllers must formally document the appointment of a DPO.
  • Upon appointment, the DPO’s contact information must be submitted via the Competent Authority’s platform, and updated whenever a change occurs.

The DPO’s role will no longer be limited to compliance monitoring. Under the new Article 34, their responsibilities may now explicitly include:

  • Acting as the main liaison with the Competent Authority and implementing its instructions.
  • Providing internal support to the controller and promoting awareness of the PDPL.
  • Enabling data subject rights and handling related requests or complaints.
  • Notifying the Authority of any personal data breach.
  • Maintaining and updating the controller’s processing records.
  • Overseeing remediation efforts when the controller violates data protection requirements.
  • Supervising DPIAs, audits, and control reports and issuing necessary recommendations.

VII. Centralized Enforcement: New Platform Introduced

A new paragraph in Article (1) is potentially being introduced, describing an electronic platform under the supervision of the Competent Authority. This platform is intended to serve as a hub for:

  • Support services and compliance tools
  • Implementation of the PDPL’s requirements
  • Management of the National Register of Controllers

This will mark a practical step towards centralizing oversight and facilitating digital compliance mechanisms for regulated entities. Once operational, the platform is expected to play a key role in simplifying registration, submissions, and communication with the regulator.

In a related move, the Rules Governing the National Register of Controllers Within the Kingdom will be repealed and replaced with a new article detailing mandatory registration criteria if this amendment is passed. Registration through the platform will now be required if any of the following apply:

  • The controller is a public entity.
  • The controller’s core activity involves processing personal data.
  • The controller transfers personal data outside the Kingdom or discloses it internationally.
  • The controller processes sensitive data.
  • The controller processes data about individuals lacking full or partial legal capacity.

This requirement extends not only to legal entities but also to individuals who meet the controller definition and process personal data beyond personal or family use.

Each controller will have a dedicated record within the platform, containing documentation referred to in Article 31 of the PDPL as well as any additional processing-related information required by the Authority.

VIII. Key Takeaways for Businesses

These regulatory changes are more than editorial tweaks; they signal a clear shift toward simplification and flexibility. However, controllers and processors should be cautious not to interpret the removal of specific rules as a relaxation of obligations. Your organization, as best practice, should observe the following steps:

  • Monitor further guidance from the SDAIA, especially around the launch and scope of the new enforcement platform.
  • Maintain internal records of processing as a safeguard in the event of audits or incidents.
  • Continue to obtain consent and disclose sender identity (as best practice) in direct marketing activities.
  • Review data breach response protocols to ensure incidents are still escalated appropriately despite the absence of a formal breach definition.

As the PDPL continues to evolve, organizations operating in Saudi Arabia should take this opportunity to revisit their compliance programs and ensure their data governance frameworks remain aligned with the law’s intent.
