Saudi Arabia: Public consultation on draft changes to the Data Protection Regulations

Written By

Nick O'Connell

Partner
United Arab Emirates
I am a Partner working in Tech & Comms and Privacy & Data Protection. I have been based in the Middle East for most of the last 18 years, assisting local and international clients by providing specialist legal support on diverse matters in the broader technology, media and telecommunications space.

Nona Keyhani

Associate
United Arab Emirates

I am an associate in the Commercial group based in our Dubai office, and I'm part of the Tech & Comms, Media & Entertainment and Sport teams in the Middle East. My experience involves work across a range of sectors and industries with a particular focus on technology, data privacy and digital transformation.

As part of Saudi Arabia's continued efforts to strengthen its personal data protection landscape, the Saudi Data and Artificial Intelligence Authority (SDAIA) has launched a public consultation on draft amendments to the Implementing Regulation (Regulations) of the Personal Data Protection Law (PDPL). These amendments seem designed to bring greater clarity and operational detail.

In this note we outline the proposed changes and possible implications. If you would like to contribute to the discussion, the Public Consultation opened on 27 April 2025 and closes on 27 May 2025. Further details are available here and here.

We summarise the changes and provide brief observations in the order in which the changes will, if approved in their current form, appear in the revised Regulations. In this note, we have otherwise generally used the word "Regulator" to refer to the Competent Authority, which is currently SDAIA.

Amendments to Definitions

Article 1 of the Regulations sets out the definitions. The proposal is to remove the term "Personal Data Breach" and its associated definition (as well as the instances where the term appears in the Regulations), and the term "Direct Marketing" and its definition. The removal of these terms does not appear material.

A new term, “Competent Authority’s Platform”, is introduced to provide context for the platform through which Controllers are to submit details to the Regulator, as discussed further below.

Privacy Notices

Proposed changes to Article 4(7) of the Regulations require Controllers to provide required information in appropriate and simplified language (removing specific reference to data subjects lacking legal capacity).

A new article, Article 18 Repeated, introduces a requirement for Controllers to ensure that 'privacy policies' (presumably also 'privacy notices') are drafted in clear, simplified and comprehensible language suited to diverse audiences. It also provides that the language used shall be consistent with the language customarily used for the relevant activities in respect of the relevant data subjects, presumably providing a basis for requiring (or permitting) privacy notices in Arabic (the official language of the Kingdom) or in languages other than Arabic, where appropriate. (For example, consumer-facing privacy notices may be appropriately provided in Arabic and English, whereas employee privacy notices for use within the Saudi office of a foreign company that operates in English would not need to be provided in Arabic.)

Direct Marketing

Besides the removal of the defined term “Direct Marketing”, the proposed changes include amendments to Article 28 (relating to advertising and awareness) and Article 29 (relating to marketing). (The exact distinction between advertising and marketing would benefit from clarification, but this is absent from the proposed amendments.)

With regard to Article 28, the key change seems to be the removal of wording that appeared to require consent where there had been no prior interaction between the Controller and the Data Subject. This enhances clarity, as the requirement to obtain consent is no longer tied only to circumstances where there was no prior interaction. The provision otherwise seems to be consistent with the original wording.

With regard to Article 29, there are two key changes, seemingly intended to enhance clarity: removal of wording to provide more concise language around withdrawal of consent (as such details are available in Article 12 of the Regulations); and removal of a requirement to clearly disclose the identity of the sender when sending marketing material (as the same requirement remains elsewhere in Article 29).

Data Protection Officers

While Article 32(3) relating to appointment of Data Protection Officers seems to have been heavily re-worked, on closer inspection the changes appear limited. There is a new statement to the effect that the Controller must document the appointment of the DPO. There is also a requirement to notify the Regulator, via the "Competent Authority's Platform", immediately upon appointing or replacing the DPO. Other changes in this section seem to be largely reiterating the original wording, with some adjustments for brevity.

Records of Processing

Article 33 of the Regulations originally provided for Controllers to retain a written record of processing activities, and it also provided a fairly detailed breakdown of the requirements for such a record. Article 31 of the PDPL itself already includes a requirement to keep a record (albeit not specifically stating ‘in writing’) as well as a detailed list of requirements for such a record. Accordingly, the proposed removal of the relevant points from Article 33 of the Regulations seems to be aimed at enhancing clarity and avoiding redundant repetition.

Registration with Regulator

Article 34 of the Regulations originally provided for the Regulator to issue the rules for the registration of Controllers. The proposed amendments to this article replace this general obligation with more specific information on the triggers for the registration requirement.

Specifically, there are details on the types of entities that need to register:

  • Public entities (presumably as defined in the PDPL, essentially being government entities);
  • Controllers whose primary activity is based on processing personal data;
  • Controllers who rely on the exceptional circumstances under Article 4 of the Data Transfer Regulations to the PDPL to transfer personal data outside the Kingdom;
  • Controllers who process sensitive data; and
  • Controllers who process personal data of individuals lacking (partially or fully) legal capacity.

The reference to sensitive data might benefit from being qualified (e.g. limited to 'core activities' of the Controller involving processing of sensitive personal data), as the term is broad and most Controllers are likely to process such data in some form, with the result that the registration requirement would be triggered for most Controllers rather than on an exceptional basis. Similarly, the trigger relating to processing of personal data of data subjects lacking legal capacity may also benefit from such a qualification, as anyone processing personal data of children (for example) would automatically fall within this requirement.

The new wording of Article 34 also includes clarification that the requirement will apply to individuals processing personal data for purposes beyond family or personal use. This wording would seem redundant, given that such individuals are already included in the definition of Controller and would thus be subject to the requirements of Article 34 if they fall within the criteria.

Regulatory Cooperation; Complaint Handling

A new article, Article 36 Repeated, introduces a ten-business-day timeframe (from receipt) within which Controllers are required to respond to requests from the Regulator. This is a new development.

Article 37(1) of the original Regulations, which imposed on data subjects a 90-day timeframe within which complaints had to be submitted to the Regulator (while allowing the Regulator some discretion to address late-filed complaints), is removed. This could be seen as exposing Controllers to a higher degree of risk, as there is no longer a 'time bar' on a claim from a Data Subject.

Next Steps

Generally, our view is that there is nothing particularly exciting about the proposed changes to the Regulations. Most of them seem to be intended to enhance clarity. Despite this, the public consultation could provide an opportunity to identify points in respect of which amendments have not been proposed, but which might benefit from amendment. Rather than simply commenting on what has been proposed in the draft, perhaps consider commenting on amendments you think should have been proposed.

For any further information on developments or current requirements in this space, please contact Nick O’Connell or Nona Keyhani.
