Overview
Personal Data Breach Incidents Procedural Guide Stage Two sets out the mandatory containment and response actions that Controllers must implement after identifying a personal data breach under the Saudi Personal Data Protection Law (PDPL). This stage focuses on limiting harm, identifying affected data and individuals, and notifying Data Subjects when their rights or interests may be impacted. It aligns breach response practices with international standards while ensuring compliance with SDAIA notification expectations and PDPL requirements on transparency, risk mitigation, and individual protection.
In practice, Stage Two bridges regulatory notification and operational response by defining how Controllers must assess breach scope, contain damage, and communicate clearly with affected Data Subjects when required.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
STAGE TWO: Breach Incident Containment
The Controller shall implement response and containment procedures for personal data breach incident in accordance with best international practices and relevant regulatory requirements, including, but not limited to, the following measures to control personal data breach incidents:
- Identifying type and quantity of personal data.
- Identifying type of breached personal data that can be changed (such as email addresses, passwords, confidential inquiries, credit card numbers, etc.) and taking actions to change this breached data.
- Identifying individuals affected by data breach incident based on type of personal data breached.
- The Controller shall notify the Data Subjects without undue delay if this results in damage to their data or conflicts with their rights or interests, including, but not limited to: Damages related to exercising the right of the data subject, physical harm such as stalking and assault, or economic damage, such as fraud or identity theft.
A. Notice Methods:
- The Controller may notify the Data Subject by any appropriate means in accordance with the preferred methods for communication by the Data Subject, including, but not limited to text messages, or e-mail.
- If the breach damage extends to a large group of people at the national level, the Controller may, provided, that the content of the notice complies with the applicable law requirements in the Kingdom, in addition to the provisions mentioned in paragraph (1) above, notify the Data Subject by other means, including, but not limited to, Controller's website, official controller's accounts on social media platforms, or media.
B. Notice Description:
The notice provided to the Data Subject shall be in a clear and simple manner and shall include the following:
- A detailed explanation of personal data breach incident.
- An explanation of the potential risks arising from that incident and the measures taken to prevent, avoid, or mitigate such consequences.
- The Controller's Name, contact details and its DPO (if any) or any other appropriate means of communication with the Controller.
- Guidelines and necessary advice that may assist the affected Data Subject in taking appropriate actions to avoid potential risks or mitigate their consequences, such as economic damages ex. fraud or identity theft.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
