KSAPDPL.COM


Saudi PDPL Article 22 – Mandatory Data Protection Impact Assessments (DPIA)

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 22 establishes a mandatory requirement for conducting a Personal Data Protection Impact Assessment (DPIA) before a Controller initiates any Processing activity that relates to a product or service. The assessment aligns the Processing with the PDPL, evaluates risks to individuals, and ensures that Processing operations meet the safeguards and procedural controls defined by the Regulations.

Article 22 strengthens proactive compliance by making DPIAs part of the design stage for new or modified Processing activities.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 22

The Controller shall conduct an impact assessment of Personal Data Processing in relation to any product or service, based on the nature of the activity carried out by the Controller, in accordance with the relevant provisions of the Regulations.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

DPIA Requirement Scope

This provision requires the Controller to conduct an impact assessment (DPIA) whenever Personal Data Processing relates to any product or service. The obligation is tied to the nature of the Processing activity itself, which is why it applies regardless of how the product or service is delivered.


The assessment ensures that Processing decisions are supported by a structured review that reflects the Controller’s operational context.

Assessment Based on Processing Nature

The Article specifies that the assessment must be based on the nature of the activity undertaken by the Controller. This means the DPIA must reflect the actual Processing environment, the characteristics of the operation, and the associated implications.


The wording requires Controllers to align their evaluations with the specific activity in question rather than relying on generic or unrelated assessments.

Alignment With Regulations

The Article states that the assessment must be conducted in accordance with the relevant provisions of the Regulations. This ties the DPIA to the procedural, documentary, and safeguard requirements that the Implementing Regulations will define.

Controllers must therefore follow the Regulation’s methods, timings, and prescribed content when carrying out the assessment to ensure compliance.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), when does a business actually need to perform a Data Protection Impact Assessment (DPIA)?
A DPIA is required when the processing could create a high risk to the Data Subject’s rights. The specific triggers are defined in the Regulation, and Article 22 makes the assessment mandatory when those triggers are met.
Does every new project or system automatically require a DPIA under Saudi PDPL?
No, only processing activities that may result in high risk require a DPIA. Routine or low-risk activities typically do not trigger Article 22.
In e-commerce, does using a new analytics tool require a DPIA?
Only if the processing may create high risk to individuals. If the analytics involve sensitive data or large-scale profiling, the Regulation may classify it as high risk.
For HR teams in KSA, do employee monitoring tools require a DPIA?
They might, depending on whether the monitoring could create high risk for employees. The Regulation determines whether the type of monitoring meets a DPIA trigger.
Who is responsible for completing the DPIA, the Controller or the Processor?
The Controller is responsible because it determines the purpose and means of processing. A Processor may assist but cannot replace the Controller’s duty under Article 22.
In a SaaS relationship, can the vendor perform the DPIA on behalf of the Saudi customer?
The vendor may support the process, but the DPIA remains the Controller’s legal responsibility. The Controller must ensure compliance with Article 22.
Does Article 22 require submitting the DPIA to the authority every time?
Not automatically. Submission is required only in the specific cases defined in the Regulation, not for every DPIA.
What happens if the processing changes after the DPIA is completed?
The Controller must reassess if the change causes new high-risk factors. Article 22 expects DPIAs to reflect current processing, not outdated conditions.
Is a DPIA needed if we only use anonymized data?
Usually not, because anonymized data does not identify individuals. If the data can still be linked back to a person, it may be considered personal data and could trigger DPIA requirements depending on the risk.
In fintech, does high-risk financial profiling automatically require a DPIA?
It may, depending on the risk level defined in the Regulation. Financial profiling often involves sensitive decision-making, so businesses should evaluate whether a DPIA is triggered.
Common misconception: “A DPIA is optional if we trust our vendor.” Is that correct under KSA PDPL?
No, Article 22 ties DPIA requirements to the risk to Data Subjects, not to vendor assurances. A trusted vendor does not remove the Controller’s obligation.
Does Article 22 require a specific format for the DPIA?
The Article does not prescribe a format, but the Regulation defines how DPIAs must be conducted. In practice, Controllers use structured templates that follow the regulatory criteria.
