Saudi PDPL Article 33 – Licensing, Accreditation, and Cross-Border Oversight (SDAIA)

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 33 authorises SDAIA, acting as the Competent Authority, to regulate the licensing, accreditation, and oversight of entities providing data protection–related services in Saudi Arabia. These responsibilities include defining entry requirements, granting licences or accreditation, approving audit firms, and establishing monitoring tools to ensure compliance with the Personal Data Protection Law (PDPL).

Article 33 strengthens professional accountability, enhances regulatory oversight, and supports governance standards for entities operating inside and outside the Kingdom when processing the personal data of individuals residing in the Kingdom.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 33

  1. The Competent Authority shall set the requirements for practicing commercial, professional or non-profit activities related to Personal Data protection in the Kingdom, in coordination with the competent authorities, and without prejudice to the other requirements set by those authorities in their domain of competence.

  2. The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.

  3. The Competent Authority may grant licenses to entities that conduct audits or checks of Personal Data Processing activities related to the Controller’s activity, in accordance with the provisions stipulated in the Regulations. The Competent Authority shall set the conditions and criteria to grant such licenses, and the rules regulating them.

  4. The Competent Authority shall specify the appropriate tools and mechanisms to monitor compliance of Controllers and Processors outside the Kingdom in regard with their obligations as stated in the Law and the Regulations when Processing personal data related to individuals residing in the Kingdom by any means, and shall define procedures to enforce the provisions of the Law and the Regulations outside the Kingdom.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 33(1)

Requirements for Practicing Personal Data Protection Activities

This provision empowers SDAIA to establish the eligibility criteria for any commercial, professional, or non-profit entity that provides services involving personal data protection in Saudi Arabia.

These criteria define who may offer advisory, operational, technical, or governance-related services, and ensure that only qualified organisations enter the regulated PDPL services market.

SDAIA must coordinate with other sectoral regulators to avoid conflicting requirements and to maintain consistency across industries.

PDPL Article 33(2)

Licensing Accreditation Bodies

This provision authorises SDAIA to license entities that issue accreditation certificates to Controllers and Processors.

These licensed bodies may assess whether a Controller or Processor meets PDPL compliance standards and certify that it does.

SDAIA will set the rules governing how these certificates are issued, renewed, revoked, or validated, ensuring that accredited entities operate with integrity and follow recognised standards.

PDPL Article 33(3)

Licensing Audit and Compliance Review Firms

This provision allows SDAIA to license firms that perform PDPL compliance audits or conduct checks on personal data processing activities.

These firms may inspect security measures, governance controls, data handling practices, and other PDPL obligations.

SDAIA will define the criteria for selecting eligible firms, such as competency, independence, operational capability, and professional accreditation, ensuring that audits are conducted reliably and lawfully.

PDPL Article 33(4)

Oversight of Foreign Controllers and Processors

This provision requires SDAIA to implement enforcement mechanisms for Controllers and Processors located outside Saudi Arabia when they process the personal data of individuals residing in the Kingdom.

SDAIA must define monitoring tools, compliance procedures, and enforcement pathways to ensure these foreign entities follow PDPL requirements, including when processing occurs cross-border or via remote digital services.

This rule strengthens data sovereignty and extends PDPL protections to individuals residing in the Kingdom regardless of where the Controller or Processor is located.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), what does Article 33 mean by “licensing and accreditation” from SDAIA?
It refers to situations where SDAIA may require certain entities or activities to obtain formal approval. Article 33 gives SDAIA authority to define when licensing or accreditation is needed.
Does every company processing Personal Data in Saudi Arabia need an SDAIA license under Article 33?
No, not automatically. Article 33 allows SDAIA to require licensing for specific cases, but it is not a blanket requirement for all organizations.
In fintech, does cross-border data movement require special accreditation under Article 33?
It may, depending on the rules SDAIA sets for cross-border oversight. Article 33 gives SDAIA the power to impose such conditions, but the specific triggers come from the Regulation.
What is the difference between “oversight” and “licensing” in Article 33?
Oversight refers to SDAIA monitoring compliance, while licensing involves obtaining SDAIA's approval to provide certain personal data protection services, such as issuing accreditation certificates or conducting audits. Article 33 empowers SDAIA to use both tools when needed.
If a business already complies with PDPL, does it still need SDAIA accreditation?
Only if SDAIA requires accreditation for that type of activity. Compliance does not replace licensing where Article 33 applies.
Do data centers hosting Saudi Personal Data need special approval under Article 33?
Possibly, depending on SDAIA’s rules for providers involved in sensitive or cross-border processing. Article 33 enables SDAIA to define such requirements.
In e-commerce, does using an international payment gateway fall under Article 33 oversight?
It can, if cross-border processing is involved. SDAIA may apply oversight rules to ensure compliance with PDPL transfer regulations.
Does Article 33 apply only to Controllers or also to Processors?
It can apply to both, depending on the activity. SDAIA may require licensing or accreditation for Controllers, Processors, or service providers engaged in specific types of processing.
If a Saudi company uses a foreign SaaS platform, does SDAIA oversee that arrangement under Article 33?
Yes, cross-border processing falls within SDAIA’s oversight power. Article 33 supports SDAIA’s role in supervising such arrangements.
Common misconception: “Article 33 means every vendor must be licensed by SDAIA.” Is that true?
No, Article 33 gives SDAIA authority to mandate licensing when needed. It does not impose a universal licensing rule.
Does Article 33 change the rules for cross-border transfers already defined in Article 29?
It complements them. Article 29 sets transfer conditions, while Article 33 allows SDAIA to create licensing or oversight mechanisms for such transfers.
In SaaS environments, who ensures compliance with Article 33 rules, the SaaS vendor or the Saudi customer?
The Saudi customer, as Controller, must ensure that any licensing or oversight requirements are met. Vendors support compliance but do not replace the Controller’s responsibility.