The Saudi Authority for Data and Artificial Intelligence (hereinafter referred to as “SDAIA”) opened a consultation on April 27th, 2025 on the proposed amendments to the Implementing Regulation of the Personal Data Protection Law (hereinafter referred to as “PDPL”). The amendments would revise controller obligations, modify definitions, and adjust procedural requirements. Changes would include the removal of the definitions for “direct marketing” and “personal data breach”.
This move highlights SDAIA’s continued commitment to engaging with regulated entities, ensuring their perspectives are heard in the development of Saudi Arabia’s data protection framework. It also presents a valuable opportunity for organizations and experts to contribute their insights, helping shape a balanced and effective privacy law that serves the best interests of both data subjects and controllers.
Consultation feedback should be submitted through the Public Consultation Platform “Istitlaa,” which is affiliated with the National Competitiveness Centre. The deadline for submitting feedback is 27 May 2025.
BACKGROUND
The amendments would revise controller obligations, modify definitions, and adjust procedural requirements. Changes would include the removal of the definitions for “direct marketing” and “personal data breach”.
Furthermore, the proposed amendments would introduce new requirements for drafting Privacy Policies in clear and service-consistent language, revise consent procedures for marketing communications, and modify obligations regarding direct marketing, including consent withdrawal and sender identification. The amendments also update responsibilities for Personal Data Protection Officers, restructure recordkeeping obligations for Personal Data processing, and adjust procedures for reporting to the Competent Authority. Provisions concerning complaint handling procedures would also be restructured.
The launch of this Consultation demonstrates SDAIA’s commitment to engaging the public and government agencies, receiving their feedback, and proposing appropriate recommendations based on the analysis and study of the feedback.
Earlier, the new Saudi PDPL was promulgated by Royal Decree No. M/19 dated 09/02/1443 H (16/09/2021) to regulate the collection and processing of personal information by companies or public entities. SDAIA announced at the time that the PDPL was made with the objective of ensuring the privacy of personal data, regulating data sharing, and preventing abuse of personal data, in alignment with the goals of the Kingdom’s Vision 2030 to develop a digital infrastructure and support innovation to grow a digital economy. Subsequently, in 2022, SDAIA opened a public consultation on proposed amendments to the Personal Data Protection Law, which received Royal Decree in September 2021 and became effective in March 2022. SDAIA’s public consultation on the proposed amendments closed on 20 December 2022. Although the new version of the PDPL does not incorporate all of the proposals set out in the consultation paper issued by SDAIA in 2022, it does implement some of the proposed amendments. Most importantly, the updated version of the PDPL introduces several concepts that will align the legislation and the proposed Saudi data regime more effectively with the EU General Data Protection Regulation.
OVERVIEW
The proposed amendments suggested by SDAIA aim to enhance regulatory clarity, reduce compliance burdens, increase flexibility for data controllers, and strengthen data protection aligned with international standards, while ensuring SDAIA’s enforcement powers are clear. Some of the important changes are highlighted hereunder:
• Scope and Definitions Updates
- Some terms and phrases are clarified to align with the PDPL definitions, ensuring consistency across the regulation.
- The definition of “sensitive information” is narrowed; for example, memberships in private organizations and credit information are no longer classified as sensitive data.
• Data Controller Obligations and Registration
- The requirement for data controllers to register on an SDAIA electronic portal has been removed, easing administrative burdens.
- The obligation for data controllers to appoint a compliance officer is also removed, though future regulations will specify when personnel must be assigned for data protection.
• Data Collection and Processing Flexibility
- The amendments allow collecting personal data from sources other than the data subject and processing it for purposes other than originally intended, if necessary to protect lawful interests and without infringing on data subject rights.
- This introduces more flexibility for controllers in handling data while maintaining safeguards.
• Data Subject Rights and Consent
- The previous requirement for written consent has been replaced with more streamlined consent provisions, simplifying compliance.
- The obligation to provide free access to collected data to data subjects has been removed, reducing financial burdens on controllers.
• Data Breach Notification
- The immediate notification requirement to SDAIA in case of data breaches has been relaxed, allowing more practical response times.
• International Data Transfers
- New criteria for assessing the adequacy of data protection in other countries have been introduced, updated every four years or as needed, including compliance with binding international treaties.
- Rules for onward transfers of personal data outside Saudi Arabia have been added, inspired by GDPR principles but simplified for clarity.
- Risk assessment procedures for international transfers have been clarified without major changes.
• Exemptions and Compliance Flexibility
- New exemptions allow data controllers to be exempt from certain compliance requirements if appropriate safeguards are in place.
- Procedures for withdrawing exemptions are streamlined and clarified.
• Enforcement and SDAIA Powers
- SDAIA personnel now have explicit authority to investigate PDPL violations and initiate confiscation proceedings.
• Anonymisation and Data Minimization
- The amendments emphasize anonymisation by removing identifiers permanently to protect data subjects’ identities.
The exact text and copy of the draft Rules can be accessed here.
Should you need any clarification or would like to discuss any query related to the said development or generally any aspect related to the Law, please feel free to contact:
Salman Waris,
Founder
Privacy Academy
Email: salman.waris@techlegis.com
Ph: +971-585442415