KSAPDPL.COM

Saudi PDPL Article 8 – Controller Obligations for Processors

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 8 sets out the responsibilities of Data Controllers when selecting and supervising Processors. It requires Controllers to choose Processors that provide adequate guarantees for complying with the Law, monitor their compliance, and remain responsible for fulfilling obligations toward Data Subjects and the Competent Authority (SDAIA).

The Article also requires the Regulations to specify provisions related to Processor contracts and subsequent processing arrangements.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 8

Subject to the provisions of this Law and the Regulations regarding the Disclosure of Personal Data, the Controller shall only select Processors providing the necessary guarantees to implement the provisions of this Law and the Regulations. The Controller shall also monitor the compliance of said Processors with the provisions of this Law and the Regulations. This shall not prejudice the Controller’s responsibilities towards the Data Subject or the Competent Authority as the case may be. The Regulations shall set out the provisions necessary in this regard, including provisions related to any subsequent contracts conducted by the Processor.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 8

Controller Duties When Selecting Processors

Although providing Personal Data to a Processor is not considered “Disclosure” under the PDPL definition, Article 8 requires Controllers to comply with disclosure-related provisions. This ensures that engaging a Processor does not result in unauthorized or prohibited disclosure through subsequent processing or contracting activities.

Within this framework, the provision requires Controllers to ensure that any Processor they select is capable of implementing the provisions of the Law and the Regulations. The Controller must choose only those Processors that can provide the necessary guarantees for compliant processing. This ensures that personal data is handled by entities that meet the required standards and can support the Controller in fulfilling their legal obligations.

Monitoring Processor Compliance

This provision states that Controllers must monitor the Processor’s compliance with the Law and the Regulations. Monitoring may involve oversight activities that confirm the Processor continues to meet the required level of compliance.

The Controller must remain aware of how the Processor handles personal data throughout the processing period to ensure ongoing alignment with legal requirements.

Controller Responsibility Remains

This provision clarifies that the Controller’s responsibilities toward the Data Subject and the Competent Authority remain unchanged even when a Processor is involved.

The use of a Processor does not remove or reduce the Controller’s obligations.

The Controller continues to be accountable for ensuring that personal data is processed lawfully and in accordance with the Law and the Regulations.

Regulation Of Processor Contracts

This provision requires the Regulations to set out the necessary provisions for managing Processor contracts. These include provisions related to any subsequent contracts conducted by the Processor.

This ensures that the processing chain remains compliant and that any additional parties engaged by the Processor follow the same requirements established by the Law and the Regulations.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can a Controller just pick any vendor and “let them handle privacy”?
No. The Controller should only select Processors that provide adequate guarantees to comply with the PDPL and its Regulations. Outsourcing does not shift the Controller’s core responsibilities to the vendor.

If my SaaS vendor says “we are compliant”, is that enough for Saudi Personal Data Protection Law (KSA PDPL) Article 8?
Not by itself. The Controller must select Processors that provide the necessary guarantees, then monitor their compliance. A practical rule is to treat vendor assurances as a starting point, not the finish line.

In KSA, who is responsible to the Data Subject if a Processor makes a mistake with the data?
The Controller remains responsible toward the Data Subject even when a Processor is involved. Using a Processor does not remove or reduce the Controller’s obligations.

If a Processor refuses to share details about how they process data, can the Controller still use them under Saudi Personal Data Protection Law (KSA PDPL)?
As a rule of thumb, that is a red flag, because the Controller must monitor the Processor’s compliance. If the Controller cannot meaningfully oversee compliance, it cannot realistically meet the Article 8 monitoring expectation.

Does Saudi Personal Data Protection Law (KSA PDPL) treat sharing data with a Processor as “disclosure” to a third party?
Typically no. Giving Personal Data to a Processor is not treated as “Disclosure” under the PDPL definition, but Controllers still have to comply with disclosure-related provisions when engaging Processors. The practical takeaway is that using a Processor does not mean “no disclosure rules apply.”

What does “monitor the Processor” mean in practice under Saudi Personal Data Protection Law (KSA PDPL) Article 8?
It means the Controller should maintain ongoing oversight to confirm the Processor continues to comply with the PDPL and Regulations. The point is not a one-time check; it is continued awareness during the processing period.

If the Controller signs a contract with the Processor, does that automatically satisfy Article 8?
No. Contracting helps, but Article 8 also requires selecting a Processor with adequate guarantees and monitoring compliance. A contract without real oversight is usually not enough in practice.

Can a Processor in KSA hire a sub-processor without the Controller caring about it?
No. Article 8 expects the regulatory framework to address Processor contracts and subsequent contracts by the Processor. A practical rule is: the Controller should treat downstream contracting as part of the compliance chain it must manage.

If a Processor uses additional subcontractors, is the Controller still accountable under Saudi Personal Data Protection Law (KSA PDPL)?
Yes. The Controller’s responsibilities remain, including toward the Competent Authority (SDAIA) where applicable. The compliance chain should stay controlled even when processing is extended through subsequent contracts.

We are an e-commerce business, and our courier and call center touch customer data. Are they “Processors” we must vet under KSA PDPL Article 8?
Often yes, if they process Personal Data for your benefit and on your behalf. The Article 8 rule of thumb is: if a vendor is processing your customer data to deliver your service, treat them as a Processor that must provide guarantees and be monitored.

Common misconception: “Once data is with a Processor, it is their compliance problem.” Is that true in Saudi Personal Data Protection Law (KSA PDPL)?
No. Article 8 explicitly says Controller responsibilities toward the Data Subject and the Competent Authority (SDAIA) remain. The Processor relationship changes how processing is done, not who remains accountable.

In a Controller and Processor setup, who should answer SDAIA if there is a compliance issue?
The Controller remains responsible toward the Competent Authority as the case may be. In practice, the Processor may support with information, but the Controller cannot outsource the accountability.
