
Saudi PDPL Article 20 – Personal Data Breach Notifications

Overview

Personal Data Protection Law (PDPL) Article 20 requires Controllers to notify the Competent Authority (SDAIA) of any breach, damage, or illegal access to Personal Data and, where the incident would harm that data or prejudice the rights and interests of the Data Subjects concerned, to notify the affected individuals as well.

Notifications must comply with the timelines and procedures detailed in the Regulations, ensuring that authorities can respond effectively and individuals can take protective action under the Personal Data Protection Law (PDPL).

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 20

  1. The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.

  2. The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 20(1)

Authority Notification Requirement

This provision requires the Controller to notify the Competent Authority as soon as it becomes aware of any breach, damage, or illegal access affecting Personal Data. Article 20 itself fixes neither a deadline nor a format; the notification procedure and timeframe are those laid down in the Regulations, so a Controller's incident-response plan must be aligned with them rather than with this Article alone.

The requirement ensures that the Authority receives timely information about incidents that may affect Personal Data and can oversee any necessary steps to limit impact, investigate the event, or enforce compliance measures.

Article 20(2)

Informing Affected Data Subjects

This provision requires the Controller to notify the Data Subject when a breach, damage, or illegal access to their Personal Data would harm that data or prejudice the Data Subject's rights or interests. Unlike notification to the Authority under Article 20(1), which applies to every such incident, notification to Data Subjects is conditional on the likely impact; the content and timing of the notice follow the rules established in the Regulations.

This requirement ensures that individuals receive timely information that may help them take protective action, understand the potential consequences of the incident, and remain aware of risks that may affect their Personal Data.
