KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

PDPL Implementing Regulation Article 1 – Definitions
PDPL Implementing Regulation Article 2 – Personal or Family Use
PDPL Implementing Regulation Article 3 – General Provisions of Data Subject Rights (DSR)
PDPL Implementing Regulation Article 4 – Right to be Informed
PDPL Implementing Regulation Article 5 – Right of Access to Personal Data
PDPL Implementing Regulation Article 6 – Right to Request Access to Personal Data
PDPL Implementing Regulation Article 7 – Right to Request Correction of Personal Data
PDPL Implementing Regulation Article 8 – Right to Request Destruction of Personal Data
PDPL Implementing Regulation Article 9 – Anonymisation
PDPL Implementing Regulation Article 10 – Means of Communication
PDPL Implementing Regulation Article 11 – Consent
PDPL Implementing Regulation Article 12 – Consent withdrawal
PDPL Implementing Regulation Article 13 – Legal Guardian
PDPL Implementing Regulation Article 14 – Processing to Serve the Actual Interest of Data Subject
PDPL Implementing Regulation Article 15 – Collecting Data from Third Parties
Load More

PDPL Implementing Regulation Article 24 – Notification of Personal Data Breach

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: December 23, 2025
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

PDPL Implementing Regulation Article 24 sets out the obligations of Controllers when a Personal Data Breach occurs. The Article requires timely notification to the Competent Authority within seventy two (72) hours when a breach may cause harm, conflict with Data Subject Rights (DSR), or affect their interests. It also requires maintaining documentation, providing justifications for delayed reporting, and notifying Data Subjects without undue delay when the breach may cause harm to their data or impact their rights.

The Article clarifies reporting content, timelines, and accountability, and reinforces alignment with National Cybersecurity Authority (NCA) requirements and broader PDPL obligations.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 24: Notification of Personal Data Breach

  1. The Controller shall notify the Competent Authority within a delay not exceeding (72) hours of becoming aware of the incident, if such incident potentially causes harm to the Personal Data, or to Data Subject or conflict with their rights or interests. the notification shall include the following:

    1. A description of the Personal Data Breach incident, including the time, date, and circumstances of the breach and the time when the Controller became aware of it.

    2. Data categories, actual or approximate numbers of impacted Data Subjects, and the type of Personal Data.

    3. Description of the risks of the Personal Data Breach, including the actual or potential impact on Personal Data and Data Subjects, and the actions and measures taken by the Controller to prevent or limit the impact of those risks and mitigate them, as well as the future measures that will be taken to avoid a recurrence of the breach.

    4. A Statement if the Data Subject has been notified of the breach of their Personal Data, as stipulated in Paragraph (5) of this Article.

    5. Contact details of the Controller or its data protection officer, if any, or any other official having information regarding the reported incident.

  2. If the Controller is not able to provide any of the required information within (72) hours from the time it became aware of the Personal Data Breach in accordance with paragraph (1) of this article, it shall provide it as soon as possible, along with justifications for the delay.

  3. The Controller shall keep a copy of the reports submitted to the Competent Authority under paragraph (1) of this article and document the corrective measures taken in relation with the Personal Data Breach, as well as any relevant documents or supporting evidence.

  4. The provisions of this article do not prejudice the obligations of the Controller or Processor to submit any report or notification about Personal Data Breaches according to what is issued by the National Cybersecurity Authority or any laws and Regulations applicable in the Kingdom.

  5. The Controller shall, without undue delay, notify the Data Subject of a Personal Data Breach, if it may cause damage to their data or conflict with their rights or interests, provided that the notification is in simple and clear language, and that it includes the following:

    1. Description of the Personal Data Breach.

    2. Description of the potential risks arising from the Personal Data Breach, and the measures taken to prevent or limit those risks and limit their impact.

    3. Name and contact details of the Controller and its data protection officer, if any, or any other appropriate means of communication with the Controller.

    4. Any recommendations or advice that may assist the Data Subject in taking appropriate measures to avoid the identified risks or limit their impact.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 24(1)

Authority Notification Timing

This provision requires the Controller to notify the Competent Authority within seventy two hours of becoming aware of a breach that may harm Personal Data or affect Data Subject rights or interests.

Article 24(1)(a)

Incident Description Details

This clause requires the Controller to provide a description of the breach, including the time, date, circumstances, and when the Controller became aware of the incident.

Article 24(1)(b)

Impacted Personal Data Categories

This clause requires specifying the categories of data involved, the actual or approximate number of affected Data Subjects, and the types of Personal Data impacted.

Article 24(1)(c)

Risk and Impact Assessment

This clause requires describing the risks arising from the breach, the actual or potential effects on Personal Data and Data Subjects, the mitigation actions taken, and future measures to prevent recurrence.

Article 24(1)(d)

Data Subject Notification Status

This clause requires stating whether the Data Subjects have been notified as required by paragraph five of this Article.

Article 24(1)(e)

Controller Contact Information

This clause requires providing contact details for the Controller, its data protection officer if applicable, or any official with information about the breach.

Article 24(2)

Delayed Information Justification

This provision allows the Controller to submit missing information after the initial seventy two hour window but requires providing it as soon as possible along with justifications for the delay.

Article 24(3)

Record Keeping Requirements

This provision requires retaining copies of reports submitted to the Competent Authority, documenting corrective actions taken, and keeping relevant supporting evidence.

Article 24(4)

Other Regulatory Duties

This provision clarifies that these obligations do not replace or reduce the requirements imposed by the National Cybersecurity Authority (NCA) or other applicable laws in the Kingdom.

Article 24(5)

Data Subject Notification Duty

This rule requires the Controller to notify affected Data Subjects without undue delay when a breach may cause harm to their data or affect their rights or interests. Notifications must be simple, clear, and include the items listed below.

Article 24(5)(a)

Breach Description

This clause requires describing the Personal Data Breach to the Data Subject.

Article 24(5)(b)

Potential Risk Explanation

This clause requires describing potential risks and the measures taken to prevent or mitigate those risks and limit their impact.

Article 24(5)(c)

Controller Contact Channels

This clause requires providing the Controller’s contact details or those of its data protection officer or any other suitable communication method.

Article 24(5)(d)

Recommendations for Data Subjects

This clause requires providing guidance or advice to help Data Subjects take protective actions to reduce or avoid the identified risks.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top