KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

PDPL Implementing Regulation Article 1 – Definitions
PDPL Implementing Regulation Article 2 – Personal or Family Use
PDPL Implementing Regulation Article 3 – General Provisions of Data Subject Rights (DSR)
PDPL Implementing Regulation Article 4 – Right to be Informed
PDPL Implementing Regulation Article 5 – Right of Access to Personal Data
PDPL Implementing Regulation Article 6 – Right to Request Access to Personal Data
PDPL Implementing Regulation Article 7 – Right to Request Correction of Personal Data
PDPL Implementing Regulation Article 8 – Right to Request Destruction of Personal Data
PDPL Implementing Regulation Article 9 – Anonymisation
PDPL Implementing Regulation Article 10 – Means of Communication
PDPL Implementing Regulation Article 11 – Consent
PDPL Implementing Regulation Article 12 – Consent withdrawal
PDPL Implementing Regulation Article 13 – Legal Guardian
PDPL Implementing Regulation Article 14 – Processing to Serve the Actual Interest of Data Subject
PDPL Implementing Regulation Article 15 – Collecting Data from Third Parties
Load More

PDPL Implementing Regulation Article 37 – Filing and Processing Complaints

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: December 23, 2025
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

PDPL Implementing Regulation Article 37 describes how Data Subjects may submit complaints to the Competent Authority (SDAIA) and sets out the procedural obligations governing how such complaints must be received, recorded, reviewed, and resolved. It defines the timeline for filing complaints, the minimum required complaint information, the examination steps to be followed by the Competent Authority, and the final obligation to take necessary measures and inform the complainant of the results.

This Article establishes the expected transparency and responsiveness in PDPL complaint handling.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 37: Submitting and processing complaints

  1. Data Subject may complain to the Competent Authority within a period not exceeding (90) days from the date of the incident or the date on which the Data Subject became aware of it. The Competent Authority shall determine whether to accept the complaint or not after this period in cases where there are reasonable causes that may have prevented the Data Subject from submitting the complaint in time.

  2. Competent Authority shall receive the complaints that are submitted to it, through the designated means and according to procedures that ensure celerity and quality.

  3. Competent Authority shall keep a record of the complaints filed in a register specifically created for this purpose.

  4. The complaint shall include the following information:

    1. Place and time of the violation.

    2. Name, identification, address, and telephone number of the complainant.

    3. Information about the complained entity.

    4. Clear and specific description of the violation, along with the evidence and the information provided with the complaint.

    5. Any other requirements specified by the Competent Authority.

  5. The Competent Authority shall examine and study the complaints, their documents, and may communicate with the complainant as needed to request the relevant documents and information.

  6. The Competent Authority shall take the necessary measures regarding the complaints submitted to it and inform the complainant of the outcome.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 37(1)

90 Day Complaint Filing Period

This clause establishes the maximum time a Data Subject has to file a complaint, which is ninety days from the incident date or from the date on which the Data Subject became aware of the violation. It also gives the Competent Authority discretion to accept late complaints in situations where the Data Subject had reasonable justifications for not submitting the complaint on time. This ensures both procedural certainty and fair consideration of exceptional circumstances.

Article 37(2)

Receipt Process Requirements

This clause requires the Competent Authority to receive complaints using designated submission channels that comply with predefined procedures. These procedures must ensure that complaints are handled with both timeliness and quality. This creates a formalized intake process that supports consistent and efficient complaint handling.

Article 37(3)

Complaint Register Obligation

This clause requires the Competent Authority to maintain a dedicated register that records all submitted complaints. The register ensures documentation, traceability, and proper tracking of complaints for compliance, oversight, and future reference.

Article 37(4)(a)

Violation Details Requirement

The complaint must include the place and time of the violation. This information establishes the basic context needed to assess the circumstances and relevance of the complaint and to begin procedural review.

Article 37(4)(b)

Complainant Identification Data

This clause requires the complaint to include the complainant’s name, identification details, address, and telephone number. These elements are necessary for authentication, communication, and verification of the complainant’s identity throughout the investigation process.

Article 37(4)(c)(d)

Entity and Evidence Description

This clause requires information about the complained entity along with a clear and specific description of the violation. It also requires the submission of any evidence and supporting information. This ensures that the complaint is actionable and that the Competent Authority has sufficient detail to conduct an informed assessment.

Article 37(4)(e)

Additional Required Information

This clause allows the Competent Authority to request any further information it deems necessary. It provides flexibility to ensure that complaints meet procedural completeness and that investigations have all required inputs.

Article 37(5)

Examination and Follow Up

This clause requires the Competent Authority to review and study the complaint and associated documents. It also authorizes communication with the complainant to request additional documents or information if needed. This ensures a thorough and informed evaluation of the complaint.

Article 37(6)

Outcome and Measures

This clause requires the Competent Authority to take necessary measures in response to complaints and to inform the complainant of the result. It ensures closure, transparency, and accountability in the resolution of complaints.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top