saudilaw.ai

Data

Data Breach in Saudi Arabia: Your Rights & Notifications?

Last updated 7/6/20260 viewsProvisional

Companies must notify SDAIA of data breaches under Article 13 of Saudi PDPL. Report non-compliance to SDAIA; penalties reach SAR 5,000,000.

If a company (known as a 'Controller' under the law) experiences a data breach that has resulted in — or is likely to result in — harm to you, they are legally required to act quickly. Under Article 13 of the Saudi Personal Data Protection Law (PDPL), the Controller must notify the Competent Authority (the Saudi Data & AI Authority, known as SDAIA) of the breach within a specified timeframe set by the regulations.

While the law focuses on the company's duty to notify the regulator, in practice you should also expect to be informed if your data has been compromised, particularly if there is a real risk of harm such as identity theft, financial loss, or reputational damage. The notification obligation exists precisely to protect your interests.

If you suspect a company has suffered a breach involving your data but has not informed you or acted responsibly, you can report this to SDAIA, which has supervisory authority over compliance with the PDPL under Article 18. Keep records of any suspicious account activity or communications, as these may support a complaint. Penalties for violations can reach SAR 5,000,000 under Article 19, which gives companies a strong incentive to handle breaches properly.

This is general legal information, not legal advice. For advice on your specific situation, consult a lawyer licensed in Saudi Arabia.

Related questions

Data Breach in Saudi Arabia: Your Rights &… | saudi-law.ai