Overview
PDPL Implementing Regulation Article 32 explains when a Controller must appoint a Personal Data Protection Officer (DPO) under the Saudi PDPL. It describes the scenarios that trigger mandatory appointment, the permissible employment arrangements for the DPO, and the full scope of responsibilities the DPO must perform.
This Article also clarifies that the Competent Authority (SDAIA) will establish further detailed rules governing how a DPO should be appointed, thereby ensuring accountability, oversight, and compliance with PDPL obligations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 32: Data Protection Officer
(1) The Controller shall appoint one or more individuals to be responsible for the protection of Personal Data in any of the following cases:
    (a) Controller is a Public Entity that provides services involving Processing of Personal Data on a large scale.
    (b) Primary activities of the Controller consist of Processing operations that require regular and continuous monitoring of individuals on a large scale.
    (c) Core activities of the Controller consist of Processing sensitive Personal Data.
(2) Subject to the requirements of paragraph (1) of this Article, the data protection officer may be an official, an employee or an external contractor of the Controller.
(3) The Personal Data Protection Officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Regulations. Specifically, their responsibilities include:
    (a) Acting as the direct point of contact with the Competent Authority and implementing its decisions and instructions regarding the application of the provisions of the Law and its Regulations.
    (b) Supervising the impact assessment procedures, audit reports, and evaluations related to Personal Data protection controls, documenting the assessment results, and issuing necessary recommendations accordingly.
    (c) Enabling the Data Subject to exercise their rights as stipulated in the Law.
    (d) Notifying the Competent Authority of Personal Data Breach incidents.
    (e) Responding to requests from Data Subjects and addressing complaints filed by them in accordance with the provisions of the Law and its Regulations.
    (f) Monitoring and updating the records of Personal Data Processing activities of the Controller.
    (g) Handling the Controller's violations related to Personal Data and taking corrective actions accordingly.
(4) The Competent Authority shall issue rules for the appointment of the data protection officer, which shall include the circumstances under which a data protection officer shall be appointed.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 32(1): Mandatory DPO Appointment
Article 32(1)(a): Public Entity Requirement
Article 32(1)(b): Large Scale Monitoring
Article 32(1)(c): Sensitive Data Processing
Article 32(2): Flexible DPO Engagement
Article 32(3): DPO Responsibilities
Article 32(3)(a): Authority Contact Point
Article 32(3)(b): Assessment Supervision
Article 32(3)(c): Enable Data Subject Rights (DSR) Exercise
Article 32(3)(d): Breach Notification
Article 32(3)(e): Handle Requests and Complaints
Article 32(3)(f): Maintain Processing Records (RoPA)
This provision requires the DPO to monitor the Controller's records of Personal Data Processing activities (RoPA) and to keep them up to date.