What Is a 'Controller' and Why Does It Matter?
Under the PDPL, any organization that determines how and why your personal data is processed is called a Controller. This could be your employer, a hospital, a government department, a landlord's property management company, or any business you interact with in Saudi Arabia.
A Processor is a third party that handles data on behalf of the Controller — for example, a payroll company or a cloud storage provider. Both Controllers and Processors carry legal responsibilities, but the Controller is your primary point of accountability.
---
The Core Principles Organizations Must Follow
The PDPL requires that personal data be processed according to strict principles:
- Purpose Limitation: Data must be collected for a specific, clear, and legitimate purpose. A company cannot collect your data for one reason and then use it for something entirely different.
- Data Minimization: Only the minimum amount of data necessary to achieve the stated purpose may be collected. Organizations cannot demand excessive personal information.
- Accuracy: Controllers must take steps to ensure your data remains accurate and up-to-date throughout the processing period.
- Storage Limitation: Data must not be kept longer than necessary. Once the purpose is fulfilled, it must be securely destroyed.
- Security: Organizations must implement technical and organizational measures to protect your data from loss, unauthorized access, or breach.
---
Lawful Grounds for Processing Your Data
Organizations generally need your consent to process your personal data. However, the law allows processing without consent in specific situations, including:
- When processing is necessary to protect vital interests (e.g., a medical emergency)
- When it serves a legitimate public interest
- When required to fulfill a legal obligation
- When necessary to execute a contract to which you are a party
As an expat, you will most commonly encounter this in employment contexts — your employer may process certain data to fulfill payroll, visa, or legal reporting obligations without needing separate consent for each action.
---
Data Protection by Design and Default
One of the more forward-looking requirements of the PDPL is the obligation on Controllers to implement data protection by design and by default. This means:
- Privacy protections must be built into systems and processes from the outset — not added as an afterthought
- Default settings on any platform or service must be the most privacy-protective options available
- Organizations must conduct a Data Protection Impact Assessment (DPIA) before starting any processing that could present significant risks to your privacy
This is particularly relevant when dealing with apps, digital government services, and healthcare platforms in Saudi Arabia.
---
The Data Protection Officer (DPO)
In certain cases specified by SDAIA regulations, organizations are required to appoint a Data Protection Officer (DPO). The DPO's role includes:
- Providing internal guidance on compliance
- Monitoring adherence to the PDPL
- Acting as a point of contact for data subjects and SDAIA
- Conducting training and awareness programs
If you have a data-related concern about a company, asking whether they have a DPO — and contacting that person directly — is a practical first step.
---
Disclosure and Sharing of Your Data
Organizations cannot disclose your personal data to third parties without your consent, unless a specific legal exception applies. This means:
- Your employer cannot freely share your personal details with other companies
- A hospital cannot pass your medical records to insurers without your knowledge
- A landlord cannot share your ID details with marketing companies
If you discover your data has been shared without a lawful basis, you have grounds to file a complaint with SDAIA.
---
Practical Steps for Expats
- Ask for a privacy notice whenever you sign up for a service or start a new job in Saudi Arabia
- Question excessive data requests — if a service asks for more information than seems necessary, you are within your rights to ask why it is needed
- Request your data in writing if you suspect it is being misused
- Document everything: Keep records of consent forms, privacy policies, and any communications about your data
- Report violations to SDAIA if an organization refuses to cooperate or has clearly breached the law