KSAPDPL.COM

PDPL Implementing Regulation Article 23 – Information Security

Overview

PDPL Implementing Regulation Article 23 defines the security obligations that Controllers must implement to protect Personal Data and maintain the privacy of Data Subjects. It requires Controllers to adopt necessary organizational, administrative, and technical safeguards to limit risks related to Personal Data Breaches and to comply with cybersecurity controls and standards issued by the National Cybersecurity Authority (NCA).

Where such controls are not mandatory, Controllers must rely on recognized best practices and established cybersecurity standards. The Article reinforces that security and privacy protection must be embedded across all Processing activities in alignment with PDPL requirements.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 23: Information Security

The Controller shall take the necessary organizational, administrative, and technical measures to ensure the security of Personal Data and the privacy of the Data Subjects, and shall comply with the following:

  1. Implement necessary security and technical measures to limit security risks related to Personal Data Breach.

  2. Comply with relevant controls, standards, and rules issued by the National Cybersecurity Authority or recognized best practices and cybersecurity standards if the Controller is not obligated to follow the controls, standards, and rules issued by the National Cybersecurity Authority.

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 23 (1)

Security Risk Mitigation

This provision requires the Controller to establish and implement the necessary technical and security measures to limit risks associated with Personal Data Breaches.

Article 23 (2)

Cybersecurity Standards Compliance

This provision requires the Controller to follow the controls, standards, and rules issued by the National Cybersecurity Authority (NCA). When such requirements are not mandatory, the Controller must follow recognized best practices and cybersecurity standards.
