Overview
The Rules Governing the National Register of Controllers Within the Kingdom Article 6 Article 6 of the Rules Governing the National Register of Controllers Within the Kingdom establishes the obligation for Controllers to appoint one or more individuals responsible for personal data protection when specific conditions are met.
It links the requirement directly to Article 32 of the Executive Regulations of the Personal Data Protection Law (PDPL) and the formal rules governing the appointment of a Personal Data Protection Officer (DPO), ensuring consistent governance, accountability, and regulatory oversight.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 6: Circumstances for Appointing a Personal Data Protection Officer
The Controller shall appoint one or more individuals to be responsible for the protection of personal data in accordance with the cases stipulated in Article (32) of the Executive Regulations of the Personal Data Protection Law and the rules for appointing a Personal Data Protection Officer.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article(6)
Obligation to Appoint a Personal Data Protection Officer
Link to Executive Regulations and Appointment Rules
The requirement to appoint a Personal Data Protection Officer (DPO) is expressly tied to Article 32 of the Executive Regulations of the Personal Data Protection Law (PDPL). Controllers must therefore assess their processing activities against those regulatory criteria and comply with the formal rules governing the appointment process.
