Overview
The Scope section of the Personal Data Breach Incidents Procedural Guide defines the entities to which the Guide applies. It confirms that all Controllers subject to the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations must follow the procedures set out in this Guide when handling personal data breach incidents.
This ensures consistent breach response practices across all regulated entities within the Kingdom and aligns operational actions with SDAIA’s regulatory expectations.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Applicability to Controllers
This Guide applies to every Controller that falls within the scope of the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations. Any entity that determines the purposes and means of processing personal data is required to follow the breach handling procedures outlined in this Guide.
Alignment with PDPL Obligations
By linking its scope directly to the PDPL and Implementing Regulations, the Guide ensures that breach response obligations are not optional or discretionary. Instead, they form part of the Controller’s mandatory compliance framework under the Saudi Personal Data Protection Law (PDPL).
Consistent Breach Handling
Applying this Guide uniformly to all Controllers supports consistent notification, assessment, and mitigation of personal data breach incidents. This consistency strengthens regulatory oversight, protects Data Subjects, and reduces the risk of fragmented or inadequate breach response practices.