KSA PDPL » Saudi PDPL Article 39 – Disciplinary Actions for Public Sector Employees

Saudi PDPL Article 39 – Disciplinary Actions for Public Sector Employees

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 10, 2025
Updated: January 11, 2026

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 39 clarifies that government entities are responsible for disciplining their own employees when they violate the Personal Data Protection Law (PDPL) or its Implementing Regulations. These disciplinary actions operate within existing public-sector legal frameworks and established employee conduct procedures.

By assigning internal accountability to public bodies, Article 39 strengthens Saudi Arabia’s privacy governance model. It ensures that PDPL violations by civil servants are treated as administrative misconduct, complementing rather than replacing the other penalties under Articles 35 and 36.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 39

Without prejudice to the provisions of Article (35) and Paragraph (1) of Article (36) of this Law, the Public Entity shall discipline any of its employees who violate any of the provisions of this Law and Regulations, in accordance with the disciplinary provisions and procedures prescribed by law.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Internal Discipline Required

This provision states that when a public-sector employee violates the PDPL or its Regulations, the employing government entity must take disciplinary action consistent with the legal and regulatory procedures governing public employment. These disciplinary actions operate alongside penalties under Articles 35 and 36 but do not replace them.

This framework ensures public institutions remain accountable for the conduct of their workforce while maintaining established administrative disciplinary processes.

Frequently Asked Questions (FAQs)

Does Article 39 of the Saudi Personal Data Protection Law (KSA PDPL) apply to all employees or only public sector staff?

Article 39 applies specifically to employees of public entities. Private sector staff fall under other PDPL enforcement and penalty articles.

If a public entity employee mishandles Personal Data by mistake, does Article 39 still apply?

Yes, Article 39 can still apply because it covers violations committed by public employees, even if unintentional. The type of disciplinary action depends on internal public-sector rules.

Is Article 39 the same as administrative penalties imposed by SDAIA?

No, administrative penalties are covered under different PDPL articles. Article 39 focuses only on disciplinary actions for public sector employees.

Does Article 39 require the public entity to report employee misconduct to SDAIA?

The article does not mandate reporting obligations. It focuses on the internal disciplinary framework within public entities.

Are disciplinary actions under Article 39 considered criminal penalties?

No, they are employment-related disciplinary measures. Criminal penalties come from separate PDPL provisions handled by courts.

Can a public employee face both disciplinary action and PDPL penalties?

Yes, it is possible depending on the severity of the violation. Article 39 does not prevent other PDPL articles from applying.

Does Article 39 mean public entity employees are held to a higher standard?

They are held to specific disciplinary rules because they handle Personal Data on behalf of government bodies. This ensures accountability in the public sector.

Who decides the disciplinary action under Article 39?

It is handled within the public entity according to its internal disciplinary system. Article 39 does not assign this authority to SDAIA.

If a contractor working with a public entity mishandles data, does Article 39 apply to them?

Typically no, because contractors are not public employees. Other PDPL articles would apply to non-employees.

Does Article 39 override civil service laws in Saudi Arabia?

No, it works alongside existing public-sector disciplinary rules. It reinforces responsibility for Personal Data handling but does not replace broader employment laws.

Are public employees disciplined even if the violation caused no actual harm?

They can be, since Article 39 is based on the act of violating PDPL requirements, not only on resulting harm. The exact consequence depends on internal procedures.

Is there a common misconception about Article 39?

Yes, many assume it gives SDAIA power to discipline public employees. In reality, SDAIA handles enforcement, but disciplinary action is carried out internally by the public entity.