KSA PDPL » Saudi PDPL Article 34 – Right to File Complaints to Competent Authority (SDAIA)

Saudi PDPL Article 34 – Right to File Complaints to Competent Authority (SDAIA)

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 10, 2025
Updated: January 11, 2026

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 34 establishes the individual right to submit complaints to the Competent Authority, such as SDAIA, whenever they believe that their personal data rights have been violated or that a controller has failed to comply with PDPL requirements. The Article forms the legal basis for raising concerns, creating a clear and accountable channel through which individuals can seek redress.

The Regulations accompanying the PDPL will define the method for submitting complaints, the procedural steps for reviewing them, and how infringements will be addressed to maintain trust and ensure regulatory compliance across the Kingdom.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 34

A Data Subject may submit to the Competent Authority any complaint that may arise out of the implementation of this Law and the Regulations. The Regulations shall set out the rules for processing the complaints that may arise from implementing this Law and the Regulations.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Right to Submit Complaints

This provision grants every Data Subject the right to file a complaint directly with the Competent Authority. This applies whenever a person believes their PDPL rights have been infringed, their personal data has been mishandled, or a controller has failed to meet obligations under the Law or Regulations.

Regulatory Procedures Will Define the Complaint Process

This provision clarifies that while the right to complain is immediate, the specific rules for how complaints are to be submitted, documented, reviewed, and resolved will be established in the Regulations. These rules will guide individuals on the format, timelines, and steps involved in raising concerns.

Ensuring Consistent Enforcement of PDPL Rights

By directing all complaints to a unified authority and ensuring that procedures are formally defined, Article 34 establishes a consistent enforcement channel across the Kingdom.

This helps build trust, improve transparency, and strengthen the accountability framework for processing personal data.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), when can a person file a complaint with SDAIA?

A person may file a complaint when they believe a Controller has violated their PDPL rights or obligations. Article 34 makes this an available avenue when concerns are not resolved directly with the organization.

Do Data Subjects need to contact the business first before filing a complaint under Article 34?

Article 34 does not mandate a specific sequence, but in practice, many Data Subjects try resolving the issue with the Controller first. The right to complain to SDAIA remains available regardless.

Can employees file PDPL complaints against their employer?

Yes, employees are Data Subjects and may file complaints if they believe their Personal Data rights have been violated. Article 34 applies the same way to internal and external Data Subjects.

In e-commerce, can customers complain to SDAIA about unwanted marketing messages?

Yes, if the messages appear to violate PDPL rules. Article 34 allows Data Subjects to escalate concerns related to any PDPL non-compliance.

If a company refuses a Data Subject Request (DSR), can the individual complain under Article 34?

Yes, a refusal or inadequate response may justify a complaint. The Data Subject has the right to ask SDAIA to review the situation.

Does Article 34 mean SDAIA will intervene in every complaint?

Not necessarily. SDAIA may assess each complaint and determine the appropriate action under its authority.

In fintech, can customers complain about how their financial data is processed?

Yes, if they believe PDPL rules were violated. Article 34 applies to all sectors, including highly regulated ones like fintech.

Can a Processor file a complaint on behalf of Data Subjects under Saudi PDPL?

No, the right belongs to the Data Subject. A Processor may support a Controller operationally, but does not act as a substitute complainant.

If a business operates from outside Saudi Arabia but processes Saudi users’ data, can those users still file complaints?

Yes, Article 34 covers Data Subjects whose Personal Data is processed under PDPL’s scope. Physical location of the business does not remove the complaint right.

Common misconception, “Only major violations can be taken to SDAIA.” Is that correct?

No, Article 34 does not limit complaints to severe incidents. Any suspected PDPL violation may be raised.

Can a business take action against a customer for filing a complaint?

Retaliation contradicts PDPL principles. Article 34 ensures Data Subjects have the right to raise concerns without penalty.

Do SaaS users complain to the SaaS vendor or the Saudi Controller?

Complaints under Article 34 relate to the Controller’s compliance. SaaS vendors act as Processors, so complaints typically target the Controller responsible for the processing.