Implementing Regulation of PDPL Article 24 outlines the mandatory steps a Controller must take when a Personal Data Breach occurs. It mandates reporting the breach to the relevant authority within 72 hours if the breach could harm personal data or the rights of the data subject. It also requires notifying affected individuals when risks to them arise, using clear language and including risk mitigation advice. The article further aligns with National Cybersecurity Authority (NCA) requirements and insists on thorough documentation of breach incidents and responses.
Controllers must report qualifying data breaches to authorities within 72 hours, notify affected individuals, and keep full records of the incident and actions taken.
Implementing Regulation of PDPL Article 24 (1)
Notify Within 72 Hours
The Controller shall notify the Competent Authority within a delay not exceeding (72) hours of becoming aware of the incident, if such incident potentially causes harm to the Personal Data, or to Data Subject or conflict with their rights or interests. The notification shall include the following:
Implementing Regulation of PDPL Article 24 (1) (a-e)
Mandatory Report Contents
a) A description of the Personal Data Breach incident, including the time, date, and circumstances of the breach and the time when the Controller became aware of it.
b) Data categories, actual or approximate numbers of impacted Data Subjects, and the type of Personal Data.
c) Description of the risks of the Personal Data Breach, including the actual or potential impact on Personal Data and Data Subjects, and the actions and measures taken by the Controller to prevent or limit the impact of those risks and mitigate them, as well as the future measures that will be taken to avoid a recurrence of the breach.
d) A Statement if the Data Subject has been notified of the breach of their Personal Data, as stipulated in Paragraph (5) of this Article.
e) Contact details of the Controller or its data protection officer, if any, or any other official having information regarding the reported incident.
Implementing Regulation of PDPL Article 24 (2)
Late Information Justified
If the Controller is not able to provide any of the required information within (72) hours from the time it became aware of the Personal Data Breach in accordance with paragraph (1) of this article, it shall provide it as soon as possible, along with justifications for the delay.
Implementing Regulation of PDPL Article 24 (3)
Maintain Documentation
The Controller shall keep a copy of the reports submitted to the Competent Authority under paragraph (1) of this article and document the corrective measures taken in relation with the Personal Data Breach, as well as any relevant documents or supporting evidence.
Implementing Regulation of PDPL Article 24 (4)
Cybersecurity Reporting Link
The provisions of this article do not prejudice the obligations of the Controller or Processor to submit any report or notification about Personal Data Breaches according to what is issued by the National Cybersecurity Authority or any laws and Regulations applicable in the Kingdom.
Implementing Regulation of PDPL Article 24 (5)
Notify Data Subjects
The Controller shall, without undue delay, notify the Data Subject of a Personal Data Breach, if it may cause damage to their data or conflict with their rights or interests, provided that the notification is in simple and clear language, and that it includes the following:
Implementing Regulation of PDPL Article 24 (5) (a-d)
Data Subject Notification
a) Description of the Personal Data Breach.
b) Description of the potential risks arising from the Personal Data Breach, and the measures taken to prevent or limit those risks and limit their impact.
c) Name and contact details of the Controller and its data protection officer, if any, or any other appropriate means of communication with the Controller.
d) Any recommendations or advice that may assist the Data Subject in taking appropriate measures to avoid the identified risks or limit their impact.
Explanation of Implementing Regulation of PDPL Article 24
Report serious breaches to SDAIA quickly:
Implementing Regulation of PDPL Article 24 (1) says that if the breach poses a risk to personal data or to Data Subjects' rights, the Controller must notify the Competent Authority within 72 hours of becoming aware of it.
Include timing, type, risks, actions, contact details:
Implementing Regulation of PDPL Article 24 (1) (a-e) says that the report must cover a description of the breach, the affected data and Data Subjects, the risks, the mitigation steps taken and planned, and contact information.
Justify any delay in submitting a complete report:
Implementing Regulation of PDPL Article 24 (2) says that if all details can’t be provided within 72 hours, the Controller must send what’s available, supply the rest as soon as possible, and justify the delay.
Keep breach reports and related documents:
Implementing Regulation of PDPL Article 24 (3) says that Controllers must retain copies of the reports submitted, together with evidence of the corrective measures taken.
Observe additional reporting under NCA or Saudi laws:
Implementing Regulation of PDPL Article 24 (4) says that this article doesn’t exempt Controllers or Processors from other legal or cybersecurity reporting duties, including those set by the National Cybersecurity Authority.
Inform affected people without delay if rights are impacted:
Implementing Regulation of PDPL Article 24 (5) says that Data Subjects must be notified without undue delay, in simple and clear language, when a breach may damage their data or conflict with their rights or interests.
Include breach summary, risk, contact, and advice:
Implementing Regulation of PDPL Article 24 (5) (a-d) says that notifications must describe the breach, outline the potential risks and the measures taken against them, share contact details, and provide actionable recommendations to the Data Subject.