Overview
PDPL Implementing Regulation Article 24 sets out the obligations of Controllers when a Personal Data Breach occurs. The Article requires timely notification to the Competent Authority within seventy two (72) hours when a breach may cause harm, conflict with Data Subject Rights (DSR), or affect their interests. It also requires maintaining documentation, providing justifications for delayed reporting, and notifying Data Subjects without undue delay when the breach may cause harm to their data or impact their rights.
The Article clarifies reporting content, timelines, and accountability, and reinforces alignment with National Cybersecurity Authority (NCA) requirements and broader PDPL obligations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 24: Notification of Personal Data Breach
- The Controller shall notify the Competent Authority within a delay not exceeding (72) hours of becoming aware of the incident, if such incident potentially causes harm to the Personal Data, or to Data Subject or conflict with their rights or interests. the notification shall include the following:
- A description of the Personal Data Breach incident, including the time, date, and circumstances of the breach and the time when the Controller became aware of it.
- Data categories, actual or approximate numbers of impacted Data Subjects, and the type of Personal Data.
- Description of the risks of the Personal Data Breach, including the actual or potential impact on Personal Data and Data Subjects, and the actions and measures taken by the Controller to prevent or limit the impact of those risks and mitigate them, as well as the future measures that will be taken to avoid a recurrence of the breach.
- A Statement if the Data Subject has been notified of the breach of their Personal Data, as stipulated in Paragraph (5) of this Article.
- Contact details of the Controller or its data protection officer, if any, or any other official having information regarding the reported incident.
- If the Controller is not able to provide any of the required information within (72) hours from the time it became aware of the Personal Data Breach in accordance with paragraph (1) of this article, it shall provide it as soon as possible, along with justifications for the delay.
- The Controller shall keep a copy of the reports submitted to the Competent Authority under paragraph (1) of this article and document the corrective measures taken in relation with the Personal Data Breach, as well as any relevant documents or supporting evidence.
- The provisions of this article do not prejudice the obligations of the Controller or Processor to submit any report or notification about Personal Data Breaches according to what is issued by the National Cybersecurity Authority or any laws and Regulations applicable in the Kingdom.
- The Controller shall, without undue delay, notify the Data Subject of a Personal Data Breach, if it may cause damage to their data or conflict with their rights or interests, provided that the notification is in simple and clear language, and that it includes the following:
- Description of the Personal Data Breach.
- Description of the potential risks arising from the Personal Data Breach, and the measures taken to prevent or limit those risks and limit their impact.
- Name and contact details of the Controller and its data protection officer, if any, or any other appropriate means of communication with the Controller.
- Any recommendations or advice that may assist the Data Subject in taking appropriate measures to avoid the identified risks or limit their impact.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 24(1)
Authority Notification Timing
Article 24(1)(a)
Incident Description Details
Article 24(1)(b)
Impacted Personal Data Categories
Article 24(1)(c)
Risk and Impact Assessment
Article 24(1)(d)
Data Subject Notification Status
Article 24(1)(e)
Controller Contact Information
Article 24(2)
Delayed Information Justification
This provision allows the Controller to submit missing information after the initial seventy two hour window but requires providing it as soon as possible along with justifications for the delay.
