Saudi Arabia Personal Data Protection Law: Third public consultation to provide greater clarity on the regulations
- Legal development, 8 May 2025
- Middle East
- Regulatory reforms
- Data protection and privacy
On 27 April 2025, the Saudi Data & AI Authority (SDAIA) in the Kingdom of Saudi Arabia (KSA) issued the third public consultation relating to the KSA Personal Data Protection Law (PDPL) Implementing Regulations (PDPL Regulations), this time with proposed amendments. The core objective of the development remains to protect personal data in a balanced manner, ensuring the preservation of data subjects’ rights and enhancing confidence in services that involve personal data processing. The draft amendments seek to provide greater clarity on the procedures and controls outlined in the current version of the PDPL Regulations to assist in their enforcement. This article explains the relevance of the consultation to organisations and summarises key changes introduced by the draft.
Why the draft amendments matter
Key objectives of the draft amendments include:
- Providing greater clarity on the procedures and controls outlined in the Implementing Regulations to the PDPL;
- Assisting enforcement bodies and enforcement procedures; and
- Contributing to the core objectives of protecting personal data, preserving data subjects’ core rights and enhancing confidence in services that involve personal data processing.
These amendments respond to key challenges organisations have faced since the PDPL came into effect – particularly around uncertainty in how to apply certain obligations in practice, in areas such as controller registration, privacy notices, records of processing activities, direct marketing and data breach handling. The proposed changes aim to close these gaps by providing practical guidance, enabling organisations to better understand what is expected of them on a practical level.
Key proposals of the draft amendments
The draft suggests amendments to the definitions set out in the PDPL Regulations and various articles, with some articles rephrased or introduced for clarity. It also proposes the repeal of various supplemental rules issued by SDAIA.
The following list sets out some noteworthy, proposed changes:
1. The role of a Data Protection Officer (DPO)
The draft amendments consolidate and clarify the responsibilities of the DPO role, promoting accountability by requiring organisations to appoint an individual with clearly defined responsibilities, making it easier to embed the role effectively within existing governance structures.
The draft proposes that the revised provisions in the PDPL Regulations replace the standalone Rules for Appointing Personal Data Protection Officers (which could be repealed). If the amendments are implemented, organisations could have clearer guidance on what the role entails. The responsibilities in the draft include communicating with the regulator, supporting internal compliance, reporting personal data breaches, handling complaints and overseeing audits and impact assessments.
2. Controller registration
The draft clarifies the cases where organisations must register as controllers, consolidating the existing requirements – currently set out in the separate Rules Governing the National Register of Controllers (proposed to be repealed) – into the draft. The revised text outlines specific scenarios triggering mandatory registration – such as being a public entity, primarily processing personal data, transferring data outside KSA, handling sensitive data, or processing data of individuals lacking legal capacity.
This change helps address previous uncertainty by providing clearer criteria for when to register.
3. Privacy notices and policies
To support greater clarity and transparency across the lifecycle of processing operations, the draft also introduces specific requirements for privacy notices. A new Article (Article 18) reinforces that privacy notices must be written in simple, accessible language that all audiences can easily understand. The draft amendments also require that the privacy notice uses the same language typically used to deliver services or products to the relevant group of the organisation’s data subjects. The amendments also update the language obligations: previously, simplified language was only required when dealing with data subjects who lacked full or partial legal capacity. This has now been extended to apply in all cases, reinforcing the importance of clear and accessible communication for all data subjects.
4. Retention of Records of Processing Activities (ROPA)
In parallel, updates have been proposed to clarify how organisations must maintain their ROPAs. The draft simplifies the ROPA requirements by outlining core obligations: controllers must retain records for a defined period, ensure they are accurate and up to date, and provide them to the competent authority upon request. Whilst the proposal suggests that the detailed list of ROPA contents be removed from the PDPL Regulations, organisations could, if this is implemented, refer to the Personal Data Processing Activities Records Guideline for further guidance.
5. Direct marketing
Transparency and communication are also central to the revised rules on how consent and control must be managed in direct marketing. The draft amendments suggest updates on how organisations can carry out direct marketing in compliance with the PDPL.
The key requirement remains the same, in that organisations must obtain consent before sending marketing materials, ensuring data subjects have the option to withdraw consent – and if so, the organisation must stop the marketing without undue delay. However, it is proposed that the current obligation to include the sender’s identity is removed, addressing practical challenges, particularly for organisations using automated tools or third-party platforms. This change strikes a better balance where data subjects retain control over their data, while businesses gain flexibility without being constrained by rigid rules.
6. Complaints and inspections
This balance between user rights and operational clarity also extends to how organisations respond to oversight and complaints. The draft introduces a new provision requiring controllers to respond to requests from the competent authority within 10 business days of receipt. This sets a defined timeframe for regulatory cooperation, helping to ensure timely responses and greater accountability.
In parallel, the previous time limit for data subjects to submit complaints to the competent authority has been removed. This change recognises the potential barriers individuals may face in promptly filing complaints and aims to make the complaints process more accessible.
Next steps
The draft law is open for consultation until 27 May 2025, offering the public an opportunity to share feedback directly on the website here.
If you would like advice on how the draft amendments may impact your business, or support with preparing a response to the public consultation, please contact Lamisse Bajunaid, a partner leading the KSA’s Intellectual Property, Technology and Commercial practice.