KSAPDPL.COM


PDPL Implementing Regulation Article 17 – Choosing the Processor

Overview

PDPL Implementing Regulation Article 17 sets the requirements that govern how Controllers select, instruct, monitor, and supervise Processors. It specifies the contractual guarantees that must be included, the Controller’s responsibility to issue instructions, the ongoing obligation to assess Processor compliance, and the consequences when a Processor violates instructions.

It also defines the conditions for engaging sub-Processors, including guarantees, approval requirements, and compliance obligations.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 17: Processor selection

  1. The Controller shall ensure that any Processor chosen provides sufficient guarantees to protect Personal Data, and that the agreement with the Processor includes the following:

    1. Purpose of the Processing.

    2. Categories of Personal Data being processed.

    3. Duration of the Processing.

    4. Processor's commitment to notify the Controller in case of a Personal Data Breach, in accordance with the provisions of the Law, this Regulation, and without undue delay.

    5. Clarification of whether the Processor is subject to Regulations in other countries and the impact on their compliance with the Law and its Regulations.

    6. Not requiring the Data Subject's prior consent for mandatory Disclosure of Personal Data under the applicable laws in the Kingdom, provided that the Processor notifies the Controller of such Disclosure.

    7. Identifying any subcontractors contracted by the Processor, or any other party to whom Personal Data will be disclosed.

  2. The Controller shall issue clear instructions to the Processor, and in case of any violation of the Controller’s instructions or any applicable laws in the Kingdom, the Processor shall notify the Controller in writing without undue delay.

  3. The Controller is responsible to periodically assess Processor's compliance with the Law and its Regulations, and ensuring that all regulatory requirements are met, whether the Processing is achieved by the Processor or third parties acting under their behalf. The Controller may appoint an independent third party to assess and monitor Processor’s compliance on its behalf.

  4. If Processor violates the instructions issued by the Controller or the agreement regarding the Processing of Personal Data, the Processor shall be considered as a Controller and held directly accountable for violating any provisions of the Law.

  5. Before entering any subsequent contracts with sub-Processors, the Processor shall abide by the following:

    1. Take sufficient guarantees to ensure that such contracts would not impact the level of protection provided to the Personal Data being processed.

    2. Choose only sub-Processors that provide the sufficient guarantees to comply with the Law and its Regulations.

    3. Obtain prior acceptance from Controller, with the Controller being notified before entering into such contracts and enabling the Controller to object to them within a timeframe agreed upon between the Controller and the Processor.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 17(1)

Processor Contract Requirements

This provision requires the Controller to ensure that any chosen Processor offers sufficient guarantees to protect Personal Data. The agreement between the Controller and Processor must include specific elements that define the scope, responsibilities, and conditions of processing.

Article 17(1)(a)

Define Processing Purpose

This provision requires the agreement to clearly state the purpose for which the Processor will carry out the processing activities. It ensures that the Processor acts only within the defined purpose.

Article 17(1)(b)

Specify Personal Data Categories

This provision requires the agreement to identify the categories of Personal Data that will be processed. It ensures clarity about the type of data being handled.

Article 17(1)(c)

State Processing Duration

This provision requires the agreement to indicate the duration of the processing. It clarifies the time period in which the Processor will act on behalf of the Controller.

Article 17(1)(d)

Breach Notification Commitment

This provision requires the Processor to commit to notifying the Controller without undue delay in case of a Personal Data Breach. The notification must comply with the Law and the Regulation.

Article 17(1)(e)

Clarify Cross-Border Regulations

This provision requires the agreement to state whether the Processor is subject to laws or regulations in other countries and how this affects their compliance with the Law and its Regulations.

Article 17(1)(f)

Mandatory Disclosure Handling

This provision clarifies that the Processor must not require the Data Subject’s prior consent for mandatory disclosures under applicable laws. The Processor must notify the Controller of such disclosures.

Article 17(1)(g)

Identify Sub-Processors

This provision requires the agreement to identify any subcontractors engaged by the Processor, and any other party to whom Personal Data will be disclosed. It ensures transparency about the additional parties involved in the processing.

Article 17(2)

Controller Instructions Requirement

This provision requires the Controller to issue clear instructions to the Processor. If the Processor violates those instructions or any applicable law in the Kingdom, it must notify the Controller in writing without undue delay.

Article 17(3)

Ongoing Compliance Monitoring

This provision makes the Controller responsible for periodically assessing whether the Processor complies with the Law and its Regulations, and for ensuring that all regulatory requirements are met whether the processing is carried out by the Processor itself or by third parties acting on its behalf. It also allows the Controller to appoint an independent third party to assess and monitor the Processor's compliance on its behalf.

Article 17(4)

Processor Liability As Controller

This provision states that if the Processor violates instructions or the agreement, it will be treated as a Controller. It will be directly accountable for violations of the Law.

Article 17(5)

Sub-Processor Requirements

This provision establishes the conditions that must be met before the Processor enters into contracts with sub-Processors. It ensures that protections remain consistent throughout the processing chain.

Article 17(5)(a)

Guarantees For Sub-Processing

This provision requires the Processor to ensure that sub-Processor contracts do not reduce the level of protection afforded to the Personal Data.

Article 17(5)(b)

Select Qualified Sub-Processors

This provision requires the Processor to engage only sub-Processors that provide sufficient guarantees of compliance with the Law and its Regulations. It ensures that the same standard of protection applies at every link in the processing chain.

Article 17(5)(c)

Controller Approval Requirement

This provision requires the Processor to obtain prior acceptance from the Controller before contracting with sub-Processors. It also requires notification and an opportunity for the Controller to object within an agreed timeframe.
