KSA PDPL » Rules for Appointing Personal Data Protection Officer (DPO) Article 6 – Documenting DPO Appointment

Rules for Appointing Personal Data Protection Officer (DPO) Article 6 – Documenting DPO Appointment

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 16, 2025
Updated: December 23, 2025

Overview

Rules for Appointing Personal Data Protection Officer Article 6 sets out the formal documentation and internal disclosure requirements for appointing a DPO under the Saudi Personal Data Protection Law (PDPL).

It clarifies how the appointment must be recorded depending on whether the DPO is an employee or an external contractor, and it requires Controllers to formally announce the appointment and contact details internally to ensure accessibility and accountability.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 6: Documenting DPO Appointment

The DPO must be appointed in writing, and the Controller must:

Document the appointment of the DPO if they are an employee of the Controller.

Conclude an agreement with the external contractor when appointing a contractor outside the Controller as the DPO.

The appointment of the DPO and their contact details must be promptly announced within the Controller.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 6(1)

Written Appointment Requirement

This provision requires that the appointment of a DPO must be formally documented in writing. The form of documentation depends on the nature of the appointment, ensuring that the DPO’s role and responsibilities are clearly established and legally recorded.

Article 6(1)(A)

Internal Employee Appointment Documentation

This provision explains that when the DPO is an employee of the Controller, the Controller must formally document the appointment through internal records. This ensures clarity of role, accountability, and traceability within the organization.

Article 6(1)(B)

External Contractor Appointment Agreement

This provision clarifies that when the DPO is appointed as an external contractor, the Controller must enter into a formal agreement with that contractor. The agreement serves to define the contractual relationship and confirm the DPO’s responsibilities in accordance with the Law and its Implementing Regulations.

Article 6(2)

Internal Announcement of DPO Details

This provision requires Controllers to promptly announce the DPO’s appointment and contact details internally. The purpose is to ensure that relevant employees are aware of the DPO’s role and can easily contact them regarding personal data protection matters.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Table of Contents

← PDPL Compliance Ecosystem