PDPL Article 30 defines the oversight role of the Competent Authority (currently SDAIA) under the PDPL. It outlines how the Authority supervises implementation of the law, how controllers must cooperate, and when they must appoint a Data Protection Officer (DPO).
It also grants the Authority powers to:
Request documents from controllers
Work with other agencies
Create tools like a national register of controllers
Delegate its duties to other bodies if needed
Saudi PDPL Article 30 (1)
SDAIA as Supervisor
Without prejudice to the provisions of this Law and the powers of the Saudi Central Bank pursuant to applicable legal provisions, the Competent Authority shall be the entity in charge of overseeing the implementation of this Law and the Regulations.
Saudi PDPL Article 30 (2)
DPO Appointment Conditions
The Regulations shall identify the situations where the Controller shall appoint one or more persons as personal data protection officer(s). and shall set the responsibilities of any such person in accordance with the provisions of this Law.
Saudi PDPL Article 30 (3)
Controller Cooperation Required
The Controller shall cooperate with the Competent Authority in performing its duties to supervise the implementation of the provisions of this Law and the Regulations, and shall take such steps as necessary in connection with the related matters referred to the Controller by the Competent Authority.
The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:
Saudi PDPL Article 30 (4) (a)
Request Documentation Power
Request the necessary documents or information from the Controller to ensure its compliance with the provisions of the Law and Regulations.
Saudi PDPL Article 30 (4) (b)
Interagency Cooperation Power
Request the cooperation of any other party for the purposes of support in accomplishing supervisory duties and enforcement of the provisions of the Law and Regulations.
Saudi PDPL Article 30 (4) (c)
Monitoring Tools Authority
Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a national register of Controllers for this purpose.
Saudi PDPL Article 30 (4) (d)
Provide Protection Services
Provide services related to Personal Data protection through the national register referred to in Subparagraph (c) of this Paragraph or through any other means deemed appropriate. The Competent Authority may collect a fee for the Personal Data protection services it may provide.
Saudi PDPL Article 30 (5)
Delegation of Powers
The Competent Authority may, at its discretion, delegate to other authorities the accomplishment of some of its duties that are related to supervision or enforcement of the provisions of the Law and Regulations.
Explanation of Saudi PDPL Article 30
SDAIA is the main authority enforcing the PDPL:
Saudi PDPL Article 30 (1) says that, the Competent Authority, without prejudice to the Saudi Central Bank’s powers, is the entity responsible for supervising PDPL implementation.
Regulations define when controllers must appoint data protection officers:
Saudi PDPL Article 30 (2) says that, the Regulations will explain when controllers must assign one or more data protection officers, and define their responsibilities under the law.
Controllers must assist SDAIA in supervisory duties:
Saudi PDPL Article 30 (3) says that, controllers are legally required to cooperate with the Authority, respond to inquiries, and act on matters referred to them.
Authority can demand documents to assess compliance
Saudi PDPL Article 30 (4) (a) says that, SDAIA can request any information or documentation needed to assess if a controller is complying with the PDPL.
Authority can involve other agencies in supervision
Saudi PDPL Article 30 (4) (b) says that, SDAIA can request support from other public or private parties to help carry out its oversight duties.
Authority may set up monitoring tools including a national register
Saudi PDPL Article 30 (4) (c) says that, SDAIA may establish mechanisms and platforms—such as a national register of controllers—to track compliance.
SDAIA may offer services and charge fees if appropriate
Saudi PDPL Article 30 (4) (d) says that, SDAIA can provide personal data protection services (via the register or other means) and may charge a fee for these services.
SDAIA may delegate duties to other authorities:
Saudi PDPL Article 30 (5) says that, the Competent Authority can delegate supervisory or enforcement tasks to other agencies as it sees fit.
