PDPL Article 33 defines the regulatory authority and oversight powers of the Competent Authority (e.g., SDAIA) to build and govern the data protection ecosystem in the Kingdom. It covers:
Setting entry requirements for companies offering data protection services
Licensing and regulating certification and audit bodies
Monitoring foreign controllers who process data of individuals in the Kingdom
These powers help ensure quality, compliance, and enforcement—both inside and outside Saudi Arabia.
Saudi PDPL Article 33 (1)
Set Market Entry Requirements
The Competent Authority shall set the requirements for practicing commercial, professional or non-profit activities related to Personal Data protection in the Kingdom, in coordination with the competent authorities, and without prejudice to the other requirements set by those authorities in their domain of competence.
Saudi PDPL Article 33 (2)
License Certification Bodies
The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.
Saudi PDPL Article 33 (3)
License Audit Providers
The Competent Authority may grant licenses to entities that conduct audits or checks of Personal Data Processing activities related to the Controller’s activity, in accordance with the provisions stipulated in the Regulations. The Competent Authority shall set the conditions and criteria to grant such licenses, and the rules regulating them.
Saudi PDPL Article 33 (4)
Monitor Foreign Controllers
The Competent Authority shall specify the appropriate tools and mechanisms to monitor compliance of Controllers and Processors outside the Kingdom in regard with their obligations as stated in the Law and the Regulations when Processing personal data related to individuals residing in the Kingdom by any means, and shall define procedures to enforce the provisions of the Law and the Regulations outside the Kingdom.
Explanation of Saudi PDPL Article 33
SDAIA defines conditions for data protection businesses:
Saudi PDPL Article 33 (1) says that the Competent Authority will establish the entry conditions for commercial, professional, or non-profit data protection service providers, in coordination with relevant sectoral regulators.
SDAIA may license entities to issue PDPL accreditation certificates:
Saudi PDPL Article 33 (2) says that entities that want to certify controllers and processors for compliance must be licensed by SDAIA, which will also define the rules for certification programs.
SDAIA may license firms to perform audits or assessments:
Saudi PDPL Article 33 (3) says that organizations that conduct audits or compliance reviews of data processing activities must be licensed under the criteria and rules defined by the Authority.
SDAIA will supervise and enforce PDPL for non-KSA entities processing Saudi data:
Saudi PDPL Article 33 (4) says that SDAIA will define the tools, mechanisms, and enforcement procedures to ensure controllers and processors outside the Kingdom comply with PDPL when handling Saudi residents’ data.