Overview
The Personal Data Breach Incidents Procedural Guide – Introduction, issued by the Saudi Data and AI Authority (SDAIA), provides a structured framework for managing personal data breach incidents under the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations. The Guide explains when and how Controllers must notify SDAIA and affected Data Subjects, clarifies breach response obligations, and sets out procedural steps to reduce risks, mitigate harm, and ensure regulatory compliance.
It supports Controllers in responding to breaches in a timely, consistent, and legally compliant manner, while safeguarding Data Subject rights (DSR) and maintaining trust in data processing activities within the Kingdom.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Introduction
Within the framework of the Saudi Data & AI Authority (SDAIA) in supporting the Controller in adhering to the provisions of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 09/02/1443 AH, amended by Royal Decree No. (M/148) dated 05/09/1444 AH, and its Implementing Regulations, which state that if the Controller knows about any personal data breaches, it shall notify SDAIA in accordance with the conditions set forth in the Regulations, along with notifying the Data Subjects if this incident harms their data or conflicts with their rights or interests. SDAIA prepared this Guide in order to outline the necessary procedures to deal with personal data breaches and reduce the consequences and risks influencing Data Subjects in accordance with the Law and its Implementing Regulations.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.