KSAPDPL.COM


Saudi PDPL Article 20 – Personal Data Breach Notifications

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 20 requires Controllers to notify the Competent Authority (SDAIA) and, in certain situations, affected individuals when a personal data breach occurs. A breach includes any unauthorized access, damage, or illegal activity that affects Personal Data and may impact the rights or interests of Data Subjects.

Notifications must comply with the timelines and procedures detailed in the Regulations, ensuring that authorities can respond effectively and individuals can take protective action under the Personal Data Protection Law (PDPL).

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 20

  1. The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.

  2. The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 20(1)

Authority Notification Requirement

This provision requires the Controller to notify the Competent Authority immediately upon becoming aware of any breach, damage, or illegal access affecting Personal Data. The notification must follow the procedures and timeframes set out in the Regulations.


The requirement ensures that the Authority receives timely information about incidents that may affect Personal Data and can oversee any necessary steps to limit impact, investigate the event, or enforce compliance measures.

PDPL Article 20(2)

Informing Affected Data Subjects

This provision requires the Controller to notify the Data Subject when a breach, damage, or illegal access to their Personal Data could cause harm to the data or prejudice the Data Subject’s rights or interests. The notification must follow the rules established in the Regulations.


This requirement ensures that individuals receive timely information that may help them take protective action, understand the potential consequences of the incident, and remain aware of risks that may affect their Personal Data.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), who is responsible for reporting a personal data breach, the Controller or the Processor?

The Controller is responsible for notifying the Competent Authority when a breach occurs. A Processor must inform the Controller, but it is the Controller who decides and executes the notification.

In a SaaS setup, if the vendor (Processor) suffers the breach, does Article 20 still make the Controller accountable?

Yes, the Controller remains responsible for the required notifications. The Processor’s role is to alert the Controller so the Controller can take action.

Does every security incident count as a “personal data breach” under Saudi PDPL?

No, a breach typically involves unauthorized access, disclosure, destruction, or alteration of Personal Data. Technical issues without impact on Personal Data are not treated the same way.

Does Article 20 require notifying Data Subjects directly whenever a breach happens?

Only when the breach may cause harm to the Data Subject. If no harm is expected, Article 20 focuses on notifying the Competent Authority.

What does “harm” mean in the context of notifying Data Subjects under Article 20?

Harm refers to a negative impact on the Data Subject, such as risks to their rights, interests, or safety. If harm is possible, the duty to notify the Data Subject is triggered.

In e-commerce, if an attacker gains access to hashed passwords but not customer names, does Article 20 still apply?

It can, depending on whether the incident qualifies as a personal data breach. The Controller must assess whether the affected information can still impact Data Subjects.

Does Saudi PDPL allow waiting until an internal investigation is finished before notifying the authority?

Article 20 requires notification based on risk, not on completing an investigation. In practice, you notify when a breach is identified and provide additional information later if needed.

For HR teams, if employee files are accessed by mistake internally, is that a breach requiring notification?

It depends on whether the access was unauthorized and whether it poses a risk of harm. Not every internal error triggers notification, but unauthorized access still needs assessment.

Does Article 20 differentiate between accidental and malicious breaches?

No, the duty is based on the impact on Personal Data, not on intent. Both accidental and malicious events can trigger notification obligations.

In fintech, if payment data is exposed but immediately contained, do we still need to notify?

Containment does not remove the duty. What matters is whether the breach occurred and whether there is a risk to Data Subjects.

Common misconception: “If data was encrypted, no breach notification is needed.” Is this true under KSA PDPL?

Not necessarily. Encryption reduces risk, but the Controller must still assess whether harm is possible and whether notification obligations apply.

Can a Processor notify the authority directly if the Controller is slow to respond?

Article 20 places the duty on the Controller, not the Processor. The Processor should escalate internally, but authority notification is the Controller’s responsibility.
