PDPL Article 20 says controllers must notify both the Competent Authority and the data subject in the event of a data breach, unauthorized access, or any incident that affects personal data integrity or confidentiality.
The Competent Authority (e.g., SDAIA) must always be informed.
The Data Subject must be notified if the breach could harm their data, rights, or interests.
The Regulations will define the specific timelines, content, and procedures for these notifications.
Saudi PDPL Article 20 (1)
Notify Competent Authority
The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.
Saudi PDPL Article 20 (2)
Alert Affected Individuals
The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.
Explanation of Saudi PDPL Article 20
Controllers must report data breaches to the regulator:
Saudi PDPL Article 20 (1) says that, if there is a breach, damage, or illegal access to personal data, the controller must promptly notify the Competent Authority following the rules in the Regulations.
Data subjects must be informed if their rights or data are at risk:
Saudi PDPL Article 20 (2) says that, if the breach could cause harm or affect the rights of the individual, the controller must also notify the data subject in line with the regulatory requirements.
