KSAPDPL.COM

Saudi PDPL Article 21 – Timely Response to Data Subject Requests (DSR)

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 21 requires Controllers to provide timely and compliant responses when Data Subjects exercise their rights (DSR) under the Law. These rights must be fulfilled within the periods and through the methods defined in the Regulations.

Article 21 ensures that Data Subject requests (DSR) are handled in accordance with the prescribed procedures and timelines under the Personal Data Protection Law (PDPL) and its Regulations.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 21

The Controller shall respond to the requests of the Data Subject pertaining to their rights under this Law within such period and in such method as set out in the Regulations.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Timely and Proper Responses

This provision requires the Controller to respond to Data Subject requests (DSR) within the timelines established in the Regulations. The requirement ensures that any request related to the rights granted under the PDPL receives a response within a defined and predictable period.

Controllers must adhere to the procedures and response methods outlined in the Regulations so that individuals receive clear and accessible outcomes for their requests.

Compliance With Response Procedures

The Article confirms that the manner of responding to Data Subject requests (DSR) must follow the specific processes set out in the Regulations. These processes govern how requests are received, assessed, and delivered.

The obligation ensures consistency in how Controllers interact with Data Subjects and supports accurate, lawful responses that meet PDPL requirements.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), who is responsible for responding to a Data Subject Request (DSR)?
The Controller is responsible for responding because it determines the purpose of processing. A Processor may help operationally, but the duty to respond sits with the Controller.

Does Article 21 require Saudi businesses to respond immediately to every DSR?
No, Article 21 requires responding within the period set by the Regulation. The rule of thumb is timely, not instant, and always within the regulated timeframe.

In e-commerce, does a customer asking for an order history count as a DSR requiring a timely response?
Yes, if the request involves Personal Data, it is treated as a DSR. The Controller must respond according to the period set by the Regulation.

If a DSR is complex, can a business delay the response until its internal review finishes?
Not beyond the period allowed by the Regulation. Internal delays do not change the Controller’s obligation to respond on time.

In HR, if an employee requests correction of their records, does Article 21 apply?
Yes, correction requests are part of DSRs. The employer, as Controller, must respond within the regulated timeframe.

Does Article 21 apply to all data subject rights requests or only access requests?
It applies to responses to any Data Subject Request covered by the PDPL. The expectation is timely handling for all PDPL rights.

If a Controller receives a DSR through an unexpected channel, like WhatsApp or a call center, must they still respond?
Yes, once a valid request is received, the Controller must handle it. The channel does not remove the obligation to respond.

In fintech, can a business ignore a DSR if it believes the user is asking too often?
No, Article 21 requires timely responses unless another PDPL provision limits the request. Frequency alone is not a reason to dismiss it.

What happens if the Controller relies on a Processor to pull the data, but the Processor is slow?
The Controller remains accountable. Delays by the Processor do not change the Controller’s duty to respond within the Regulation’s timeframe.

Does Article 21 allow a business to charge a fee to slow down excessive requests?
Article 21 focuses on timely responses, not fees. If fees are addressed, it would be under the Regulation, not Article 21 itself.

Common misconception: “We only need to acknowledge the request within the deadline.” Is that correct under Saudi PDPL?
No, acknowledgment alone is not enough. Article 21 requires responding to the request, not just confirming receipt.

For SaaS platforms, who answers the DSR, the software vendor or the Saudi customer using the platform?
The Saudi customer is typically the Controller and must issue the response. The SaaS vendor supports the process but does not take over the legal obligation.
