KSA PDPL » Saudi PDPL Article 42 – Competent Authority (SDAIA)Timeline and Coordination for PDPL Regulations

Saudi PDPL Article 42 – Competent Authority (SDAIA)Timeline and Coordination for PDPL Regulations

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 10, 2025
Updated: January 11, 2026

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 42 defines the mandatory timeline for issuing the Implementing Regulations of the Personal Data Protection Law (PDPL). The president of the Competent Authority must publish these Regulations within 720 days from the date the Law is officially issued. The Article also requires coordination with key ministries and national authorities to ensure the Regulations align with national cybersecurity, technology, foreign affairs, health, and financial sector considerations.

This coordinated approach ensures that PDPL implementation is unified, consistent, and aligned with Saudi Arabia’s broader regulatory, operational, and national security priorities.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 42

The president of the Competent Authority shall issue the Regulations within a period not exceeding (seven hundred and twenty) days commencing on the date of publishing the Law provided that the president must coordinate before issuing the Law with: (Ministry of Communications and Information Technology, Ministry of Foreign Affairs, Communications, Space & Technology Commission, Digital Government Authority, National Cybersecurity Authority, Saudi Health Council, and Saudi Central Bank), each in its own jurisdiction.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

SDAIA Must Publish PDPL Regulations

This provision states that the president of the Competent Authority must issue the PDPL Implementing Regulations within a maximum of 720 days after the Law is published. This establishes a fixed and legally binding timeframe for releasing the official rules that guide PDPL compliance.

The Article also requires the president to coordinate with several government ministries and national authorities before issuing the Regulations. These include entities responsible for communications, foreign affairs, digital governance, cybersecurity, health, technology, and financial stability. Their collective input ensures that the Regulations reflect national priorities and sector-specific requirements, supporting a harmonized application of the PDPL across the Kingdom.

Frequently Asked Questions (FAQs)

What does Article 42 of the Saudi Personal Data Protection Law (KSA PDPL) mainly address?

Article 42 focuses on SDAIA’s role in issuing and coordinating PDPL-related regulations. It explains how regulatory updates and implementing rules are formally introduced.

Does Article 42 give SDAIA authority to interpret the PDPL?

Yes, SDAIA is the competent authority responsible for issuing supporting regulations. This means SDAIA typically guides how specific PDPL requirements are applied in practice.

Does Article 42 specify exact deadlines for new PDPL regulations?

No, the article does not list fixed dates. It simply confirms that SDAIA oversees the timing and coordination of regulatory issuance.

Do controllers need to track all updates issued under Article 42?

Yes, controllers are expected to stay aligned with new PDPL regulations released by SDAIA. Staying updated helps avoid compliance gaps.

Is Article 42 about enforcement or penalties?

No, it focuses on regulatory issuance and coordination. Enforcement and penalties are addressed in other articles of the PDPL.

Does Article 42 allow SDAIA to work with other authorities?

Yes, the article recognizes SDAIA’s role in coordinating with relevant bodies. This helps align data protection rules with broader national frameworks.

Does Article 42 require organizations to update their internal policies whenever SDAIA issues new regulations?

In practice, yes, organizations typically revise policies after regulatory updates. The article itself does not dictate a process, but alignment is necessary for compliance.

Is Article 42 relevant for SaaS or tech providers operating in Saudi Arabia?

Yes, because these providers must follow all PDPL amendments and regulatory updates issued through SDAIA. Article 42 clarifies who controls this process.

Does Article 42 mean the PDPL will continue evolving?

It suggests that updates will be issued over time as needed. SDAIA manages the timing and coordination of those updates.

Can organizations request clarification from SDAIA based on Article 42?

The article does not outline a formal request mechanism. However, SDAIA is the primary authority for PDPL interpretation and is typically the reference point.

Is there a common misconception about Article 42?

Yes, some believe it sets detailed compliance timelines for companies, but it actually deals with timelines for regulatory issuance, not corporate deadlines.

Does Article 42 impact cross-border transfer rules?

Indirectly, yes, because SDAIA also issues regulations related to transfers. The article confirms SDAIA’s authority to coordinate such rules.