Overview
Article 5 of the Rules for Appointing Personal Data Protection Officer defines the specific cases in which a Controller is required to appoint one or more DPOs under the Saudi Personal Data Protection Law (PDPL).
It clarifies when large-scale processing, sensitive personal data processing, and regular and systematic monitoring of data subjects trigger a mandatory DPO appointment. The Article also explains how to assess large-scale processing, what constitutes regular and systematic monitoring, and how core activities are identified.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 5: Cases of Appointing DPO
First: Controller shall appoint one or more individuals to be responsible for protection of Personal Data in any of the following cases:
- Controller is a Public Entity that provides services involving Processing of Personal Data on a large scale.
- Controller core activities are based on processing operations that, by their nature, require regular and systematic monitoring of Data Subjects.
- Core activities of Controller are based on processing of sensitive Personal Data.
Second: The determination of whether the processing is on a large scale is based on the following criteria:
- Number of data subjects.
- Volume of personal data.
- Type of personal data.
- Geographical scope of processing.
- Different categories of data subjects.
Third: The term “regular and systematic monitoring of Data Subjects” refers to:
- Collection of personal data through tracking or other technologies.
- Monitoring is considered regular if it is continuous, occurs at specific intervals, or takes place periodically.
- Monitoring is considered systematic if it is conducted through technological systems, follows a specific methodology, or is implemented as part of a comprehensive strategy or general plan for collecting personal data.
Fourth: The following activities are examples of regular and systematic monitoring:
- Collecting personal health and fitness data through wearable devices.
- Using behavioral analytics technologies for risk assessment purposes.
- Location tracking, the use of cookies, and surveillance cameras.
Fifth: Activities are considered core if the Controller cannot provide products or services without processing personal data. Examples of core activities include:
- Insurance companies processing health data to provide health insurance to customers.
- Finance companies processing credit data to offer products or services related to financing.
- Marketing companies processing personal data for marketing purposes.
Activities that support the Controller's core business, such as processing employee data by the human resources department within the entity, do not constitute core activities.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 5
First: Mandatory DPO Appointment Cases
Second: Large-Scale Processing Assessment Criteria
Third: Meaning of Regular and Systematic Monitoring
This provision clarifies what constitutes regular and systematic monitoring of data subjects. Monitoring includes tracking or similar technologies and is considered regular when it is continuous or periodic.
It is considered systematic when carried out through structured technological systems, defined methodologies, or organized strategies for collecting personal data.