Overview
Article 2 of the Rules Governing the National Register of Controllers Within the Kingdom defines the scope of application and clarifies which Controllers are required to register on the National Data Governance Platform. It establishes mandatory registration thresholds based on controller type, nature of processing, and the use of sensitive personal data.
The Article also explains the regulatory objective of the National Register as a supervisory, monitoring, and compliance enablement mechanism under the Saudi Personal Data Protection Law (PDPL).
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 2: Scope and Objective
These Rules shall be applicable to Controllers (Any public entity, natural person or private legal person that specifies the purposes and manner of processing personal data, whether the data is processed by that controller or by the Processor) subject to the application scope of the Personal Data Protection Law and are mandated to register on the Platform in any of the following instances:
- If the Controller is a public entity.
- If the Controller’s main activity is based on personal data processing.
- If the controller processes sensitive data.
- If the individual processes personal data for purposes exceeding personal or family use.
This aims to build a national register for public and private Controllers and individuals who process personal data within the Kingdom, in addition to monitoring and following up on Controllers, assisting them in raising their level of commitment to implementing the provisions of the law and regulations and providing services related to personal data protection by registering on the Platform.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 2
Applicability of the Rules
This Article establishes that the Rules apply to all Controllers within the scope of the Personal Data Protection Law (PDPL). This includes public entities, private legal persons, and natural persons who determine the purposes and means of processing personal data, regardless of whether processing is carried out directly or through a Processor.
Mandatory Registration Triggers
- Article 2(1): Public Entity Controllers
- Article 2(2): Controllers Whose Main Activity Involves Processing
- Article 2(3): Processing of Sensitive Data
- Article 2(4): Individual Controllers Beyond Personal Use
Objective of the National Register
The concluding paragraph clarifies that the National Register serves multiple purposes. It functions as a national inventory of Controllers, a monitoring and follow-up tool for the Competent Authority (SDAIA), and a mechanism to assist Controllers in improving compliance with the Law and its Regulations while enabling access to personal data protection-related services through the Platform.