Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 30 explains the powers of the Competent Authority, SDAIA, and outlines how supervisory oversight is carried out across all sectors in the Kingdom.
It also sets the rules for when controllers must appoint a Data Protection Officer and clarifies what responsibilities apply to that role. The Article grants SDAIA authority to investigate, request documents, enforce compliance, and supervise data protection practices. It also authorizes SDAIA to issue rules, coordinate with external entities, and operate national monitoring tools.
This Article forms the foundation of Saudi Arabia’s national data protection supervision model. It provides controllers with clear expectations on when a DPO is required, what support they must provide to SDAIA, and the mechanisms SDAIA uses to maintain regulatory oversight under the Personal Data Protection Law.
Saudi PDPL Article 30
- Without prejudice to the provisions of this Law and the powers of the Saudi Central Bank pursuant to applicable legal provisions, the Competent Authority shall be the entity in charge of overseeing the implementation of this Law and the Regulations.
- The Regulations shall identify the situations where the Controller shall appoint one or more persons as personal data protection officer(s). and shall set the responsibilities of any such person in accordance with the provisions of this Law.
- The Controller shall cooperate with the Competent Authority in performing its duties to supervise the implementation of the provisions of this Law and the Regulations, and shall take such steps as necessary in connection with the related matters referred to the Controller by the Competent Authority.
- The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:
- Request the necessary documents or information from the Controller to ensure its compliance with the provisions of the Law and Regulations.
- Request the cooperation of any other party for the purposes of support in accomplishing supervisory duties and enforcement of the provisions of the Law and Regulations.
- Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a national register of Controllers for this purpose.
- Provide services related to Personal Data protection through the national register referred to in Subparagraph (c) of this Paragraph or through any other means deemed appropriate. The Competent Authority may collect a fee for the Personal Data protection services it may provide.
- The Competent Authority may, at its discretion, delegate to other authorities the accomplishment of some of its duties that are related to supervision or enforcement of the provisions of the Law and Regulations.
Explanation of Saudi PDPL Article 30
Article 30(1)
Competent Authority (SDAIA) Oversees PDPL Implementation
This provision establishes SDAIA as the primary supervisory body responsible for overseeing the implementation of the PDPL and its Regulations, except where the Saudi Central Bank has jurisdiction under applicable law.
This ensures unified national oversight of personal data protection while respecting sector-specific supervisory roles.
Article 30(2)
Regulations Determine When DPOs Are Required
This provision explains that the Regulations will specify the scenarios in which a Controller must appoint one or more Data Protection Officers.
It also clarifies that the responsibilities of the DPO will be defined under PDPL to ensure effective supervision of data protection functions within organizations.
Article 30(3)
Controllers Must Assist SDAIA in Supervisory Duties
This provision requires Controllers to cooperate fully with the Competent Authority. This includes responding to inquiries, submitting requested information, and taking any necessary actions related to matters referred by SDAIA.
The obligation strengthens consistent enforcement and supports ongoing compliance.
Article 30(4)(a)
Authority Can Demand Documents to Assess Compliance
Article 30(4)(b)
Authority Can Involve Other Agencies in Supervision
This provision allows SDAIA to seek cooperation from other entities, public or private, to assist in supervisory or enforcement duties.
This facilitates coordinated investigations, joint enforcement efforts, and multi-agency support when required.
Article 30(4)(c)
Authority to Establish Monitoring Tools and a National Register
This provision grants SDAIA the power to determine mechanisms for monitoring compliance, including maintaining a national register of Controllers.
This register acts as an official regulatory inventory of organizations subject to the PDPL.
Article 30(4)(d)
Competent Authority SDAIA to Provide Data Protection Services and Charge Fees
This provision authorizes SDAIA to provide personal data protection services through the national register or other means it deems appropriate.
It also allows SDAIA to collect fees for these services, supporting sustainable regulatory operations.
Article 30(5)
SDAIA May Delegate Supervisory or Enforcement Duties
Article 30(5) permits SDAIA to delegate parts of its supervisory or enforcement duties to other authorities.
This enables efficient distribution of responsibilities, sector-specific oversight, and expanded regulatory reach across the Kingdom.
Related PDPL Regulations, Rules & Guidelines
- Saudi PDPL Article 1 (3)
- PDPL Implementing Regulation Article 32
- PDPL Implementing Regulation Article 34
- PDPL Implementing Regulation Article 35
- PDPL Implementing Regulation Article 36
- Rules for Appointing Personal Data Protection Officer (DPO)
- Rules Governing the National Register of Controllers Within the Kingdom
