Overview
Elaboration and Developing Privacy Policy Guideline — Second: Contact Information and Update Record sets out the requirement for Controllers to clearly state their contact information within the privacy policy, and where applicable, to provide details of the Personal Data Protection Officer (DPO).
The purpose is to ensure that Data Subjects can easily communicate with the Controller regarding the processing of Personal Data and the exercise of their rights.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Second: Contact Information and Update Record
The Controller shall write its own contact information, including: phone number, website, and postal address. In addition, if the Controller is an entity required to appoint a Personal Data Protection Officer, it shall specify the identity and contact information of the Personal Data Protection Officer to provide further details about the processing of Personal Data and the method of exercising related rights.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Controller Contact Details
Personal Data Protection Officer (DPO) Information
Where the Controller is required to appoint a Personal Data Protection Officer (DPO), the privacy policy must also specify the identity and contact information of that officer. This ensures that Data Subjects have a clear point of contact for inquiries related to the processing of Personal Data.
Exercising Data Subject Rights (DSR)
The inclusion of contact details for the Controller and, where applicable, the Personal Data Protection Officer (DPO) supports transparency by enabling Data Subjects to obtain further details about how their Personal Data is processed and how they may exercise their related rights.
