KSAPDPL.COM

Rules for Appointing Personal Data Protection Officer (DPO) Article 9 – General Provisions

Overview

Article 9 of the Rules for Appointing Personal Data Protection Officer sets out the ongoing governance, independence, resourcing, and organizational positioning requirements for the DPO role.

This Article ensures that Controllers periodically reassess DPO appointment obligations, support the DPO’s independence and effectiveness, extend DPO considerations to processor relationships, and embed the DPO within an appropriate organizational structure that enables sustained compliance with the PDPL and its Implementing Regulations.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 9: General Provisions

  1. Controllers shall periodically review DPO appointment cases to determine whether such cases are still required or likely to become mandatory according to provisions hereof.

  2. The Controller may appoint a DPO on a voluntary basis, even if not obligated to do so, to assist in complying with the provisions of the Law and its Implementing Regulations.

  3. When concluding an agreement between the Controller and the Processor for processing personal data on behalf of the Controller, the Controller shall verify whether the Processor has a DPO. If the appointment of a DPO is required under these rules, the Controller should request the appointment to ensure that the necessary guarantees for implementing the provisions of the Law and Implementing Regulations are in place.

  4. The Controller must enable and support the DPO in performing their duties and responsibilities by providing all necessary resources.

  5. When appointing DPO, Controller shall not assign tasks that may conflict with DPO tasks or affect DPO’s independence.

  6. The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.

  7. The DPO shall be organizationally linked to the Data Management Office within the Controller. If the Controller is not obligated to establish a Data Management Office, the DPO should be linked to another department, in accordance with paragraphs (4) and (5) of this article.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 9(1)

Periodic Review of DPO Appointment Obligations

This provision requires Controllers to regularly reassess whether their circumstances still require a DPO appointment or are likely to trigger a mandatory appointment in the future. This ensures that DPO obligations remain aligned with evolving processing activities and regulatory thresholds.

Article 9(2)

Voluntary Appointment of a DPO

This provision allows Controllers to appoint a DPO even when not legally required. A voluntary appointment may be used as a governance and compliance support mechanism to strengthen adherence to the PDPL and its Implementing Regulations.

Article 9(3)

DPO Considerations in Processor Engagements

This provision requires Controllers to verify whether a Processor has appointed a DPO when entering into processing agreements. Where these Rules require a DPO appointment, the Controller must request such appointment to ensure adequate guarantees for lawful and compliant processing.

Article 9(4)

Resourcing and Organizational Support

This provision obligates Controllers to actively enable and support the DPO by providing all necessary resources. This includes time, access, authority, and tools required for the DPO to perform their duties effectively.

Article 9(5)

Protection of DPO Independence

This provision prohibits Controllers from assigning tasks to the DPO that may conflict with their statutory responsibilities or compromise their independence. It reinforces the DPO’s role as an oversight and advisory function rather than an operational decision maker.

Article 9(6)

Training and Professional Development

This provision requires Controllers to invest in the ongoing training and professional development of DPOs. Supporting professional certifications and skill development is intended to enhance the DPO’s effectiveness and technical competence.

Article 9(7)

Organizational Positioning of the DPO

This provision establishes the organizational linkage of the DPO. Where a Data Management Office exists, the DPO must be linked to it. Where no such office is required, the DPO must be linked to another department in a manner that preserves independence and ensures adequate resourcing, in line with the safeguards set out in this Article.
