The Rules Governing the National Register of Controllers Within the Kingdom – Introduction

Overview

The Rules Governing the National Register of Controllers Within the Kingdom establish the regulatory framework for registering Personal Data Controllers on the National Data Governance Platform under the Saudi Personal Data Protection Law (PDPL). Issued by the Competent Authority (SDAIA) pursuant to PDPL Article 30(4) and Implementing Regulation Article 34, these Rules define the scope, purpose, and oversight mechanisms for monitoring Controllers’ compliance with PDPL obligations within the Kingdom.

The Rules clarify which Controllers are required to register, the regulatory intent behind the National Register, and the role of the Competent Authority (SDAIA) in supervising and enforcing compliance through centralized registration and monitoring.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Introduction

Pursuant to Article (30), paragraph 4, of the Personal Data Protection Law Issued by Royal Decree No. (M/19) dated 9/2/1443 AH, amended by Royal Decree No. (M/148) dated 5/9/1444 AH, which provides: "The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:...(C) Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a National Register of Controllers for this purpose". In accordance with Article (34) of the Implementing Regulation of the Law, which mandates that the Competent Authority shall issue the rules for registration in the National Register of Controllers, these Rules are hereby established. The purpose of these Rules is to inform and monitor Controllers within the Kingdom of the scope of their obligation to register on the National Data Governance Platform. Separate registration rules for Controllers located outside the Kingdom will be issued by the Competent Authority.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Legal Basis for the National Register

This Introduction establishes the legal authority for the National Register of Controllers by directly referencing Article 30(4) of the PDPL. It confirms that maintaining a register of Controllers is a statutory supervisory tool granted to the Competent Authority to monitor compliance with the Law and its Implementing Regulations.

Supervisory Role of the Competent Authority

The text clarifies that the National Register functions as a regulatory mechanism to support oversight, supervision, and enforcement of PDPL obligations. By specifying tools and mechanisms for monitoring compliance, the Competent Authority may assess Controllers’ adherence to registration, governance, and accountability requirements under the PDPL framework.

Issuance of Registration Rules

In alignment with Article 34 of the PDPL Implementing Regulation, the Introduction confirms that the Competent Authority is required to formally issue rules governing registration. These Rules operationalize the statutory requirement by translating it into binding procedural and compliance obligations for Controllers operating within the Kingdom.

Purpose and Scope of the Rules

The Introduction explains that the primary purpose of the Rules is twofold: to inform Controllers of their obligation to register, and to enable the Competent Authority to monitor compliance through the National Data Governance Platform. The scope of these Rules is expressly limited to Controllers within the Kingdom, ensuring regulatory clarity and jurisdictional precision.

Separation of Domestic and Cross-Border Registration Frameworks

The Introduction explicitly distinguishes between Controllers located within the Kingdom and those located outside it. It confirms that separate registration rules will apply to Controllers outside the Kingdom, reinforcing the structured and phased approach adopted by the Competent Authority for regulating domestic and cross-border personal data processing activities.
