Overview
Stage One of the Personal Data Breach Incidents Procedural Guide sets out the Controller's obligation to notify SDAIA of a personal data breach within 72 hours of becoming aware of the incident, where the incident is expected to harm the personal data or the Data Subjects, or conflicts with their rights or interests. It explains when notification is required, confirms that the notice must be filed through the personal data breach notification service of the National Data Governance Platform (which requires prior registration), lists the minimum information the notice must contain, and makes clear that this notice is without prejudice to any breach report owed under National Cybersecurity Authority (NCA) regulations or other applicable Saudi rules.
This stage supports early regulatory visibility and structured breach response under the Saudi PDPL framework.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Stages of the Personal Data Breach Incidents Response
STAGE ONE: SDAIA Notice
Without prejudice to submitting any report or notice of personal data breach pursuant to Regulations issued by the National Cybersecurity Authority (NCA) and any applicable regulations and rules in the Kingdom of Saudi Arabia, the Controller shall notify SDAIA within a period not exceeding (72) hours from the time it becomes aware of the incident and if the incident is expected to harm the personal data or data subjects or is in conflict with their rights or interests through personal data breach notification service provided by National Data Governance Platform. Registration on this platform is required to utilize such service. Upon a personal data breach, the Controller is required to compile a notice that includes:
- Description of the personal data breach, including the time, date, how it occurred, and when the Controller became aware of the incident.
- Category of Data Subjects, their actual or approximate numbers, type and nature of the personal data.
- A description of risks arising from personal data breach, detailing actual or potential consequences and risks to personal data or the Data Subject, the remedial actions undertaken by Controller to prevent, mitigate, or minimize those risks. Furthermore, identifying appropriate future measures the Controller will implement to prevent or avoid the recurrence of the incident.
- Indicating whether the Data Subject has been or will be notified of the personal data breach in accordance with the requirements mentioned in the second stage of this guide.
- Contact details of the Controller or its personal data protection officer (if any) or any other person who has information about the incident being reported.
NOTE: Upon subsequent contracts as stated in Article (8) of the PDPL, the Processor or any other entity shall follow the above Notice Requirements in coordination with the Controller.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
72-Hour Breach Notice Requirement
The 72-hour period runs from the moment the Controller becomes aware of the incident, not from the moment the incident occurred. Notification is required where the incident is expected to harm the personal data or the Data Subjects, or conflicts with their rights or interests. The notice is filed through the personal data breach notification service on the National Data Governance Platform; because registration on the platform is required to use the service, it is prudent to register in advance rather than during the 72-hour window. This notice does not replace any breach report or notice owed to the National Cybersecurity Authority (NCA) or under other applicable regulations in the Kingdom; those obligations apply in parallel. Where processing is carried out under a subsequent contract as described in Article (8) of the PDPL, the Processor or other entity follows the same notice requirements in coordination with the Controller. The notice must cover the five elements below.
1. Description of the Breach
The notice must describe the breach: the time and date it occurred, how it occurred, and when the Controller became aware of it. Recording the moment of awareness precisely matters because it is the point from which the 72-hour period is counted.
2. Data Subjects and Data Scope
The notice must identify the category of Data Subjects affected, their actual or approximate number, and the type and nature of the personal data involved. An approximate count is acceptable where the exact figure is not yet known at the time of filing.
3. Risks, Consequences, Remedial Actions, and Prevention Measures
The notice must describe the risks arising from the breach, including the actual or potential consequences for the personal data or the Data Subjects; the remedial actions the Controller has already taken to prevent, mitigate, or minimize those risks; and the future measures the Controller will implement to prevent or avoid a recurrence of the incident.
4. Data Subject Notification Status
The notice must state whether the Data Subjects have been, or will be, notified of the breach in accordance with the requirements set out in the second stage of this guide.
5. Contact Details for Follow-Up
The notice must include contact details for the Controller, the Personal Data Protection Officer (DPO) if appointed, or another person who has information about the reported incident. This ensures SDAIA can quickly engage with a responsible contact for clarification, coordination, or escalation.