KSAPDPL.COM


PDPL Implementing Regulation Article 36 – Auditing

Overview

PDPL Implementing Regulation Article 36 defines how entities must conduct audits and checks on Personal Data Processing activities to ensure proper protection and compliance with the Saudi PDPL. The Article outlines the purpose of audits, the professional standards required for audit execution, and the administrative and organizational safeguards that must be in place to ensure accuracy and integrity of audit outcomes.

It also authorizes the Competent Authority (SDAIA) to issue licensing rules for entities performing PDPL audit and checking functions, including coordination with the Digital Government Authority (DGA) for providers of services to government entities.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 36: Auditing and Controlling

  1. The purpose of audit and checking is to ensure that the entity is properly protecting Personal Data through auditing and checking of carried out Personal Data Processing activities, and related controls and procedures, and identifying any gaps in compliance with the Law and its Regulations.

  2. When carrying out audit or checking of Personal Data Processing activities, entities shall adhere to the following:

    a. Provide the services independently according to professional standards.

    b. Develop the necessary administrative and organizational procedures and controls to ensure the accuracy and integrity of their output.

  3. The Competent Authority shall issue the rules for licensing entities that undertake auditing or checking of Personal Data Processing activities in accordance with paragraph (3) of Article 33 of the Law. The Competent Authority shall also coordinate with the Digital Government Authority regarding licensing for entities providing services on behalf of government entities.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 36(1)

Audit Purpose Clarified

This clause defines the core objective of audit and checking activities within the PDPL framework. It establishes that the primary purpose is to determine whether the entity is protecting Personal Data appropriately by reviewing Processing activities, related controls, and procedural safeguards. It also emphasizes that audits must evaluate compliance with both the PDPL and its Implementing Regulations and identify any gaps that may require remediation.

This explanation provides clear direction on why audits are mandated and what they are expected to evaluate.

Article 36(2)(a)

Independent Professional Audit

This clause requires that any entity performing audit or checking services must deliver those services independently and in accordance with recognized professional standards. Independence ensures that audit results are unbiased and reliable, while professional standards ensure that the audit activities meet quality expectations, are rigorous, and follow accepted methodologies appropriate for Personal Data governance.

Article 36(2)(b)

Procedural Accuracy Standards

This clause requires audited entities to establish the administrative and organizational procedures necessary to guarantee the accuracy and integrity of audit outputs. The requirement means that the processes used to perform audits must themselves be documented, structured, and subject to internal controls that prevent errors or inaccuracies and allow for trustworthy audit reporting consistent with PDPL requirements.

Article 36(3)

Licensing Rules Framework

This clause mandates the Competent Authority to issue licensing rules for entities that carry out auditing or checking of Personal Data Processing activities. These rules are issued under Article 33(3) of the Law and are necessary to ensure audit entities meet regulatory expectations. The clause also requires coordination with the Digital Government Authority for licensing when these audit or checking activities relate to entities providing services on behalf of government bodies.


This ensures alignment between PDPL oversight and broader governmental service governance.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.
