Saudi Data & AI Authority's Laws and Regulations

Policies & Regulations

The data produced, received, or dealt with by government and private entities is one of the most important national assets that contribute to improving performance and productivity and facilitating the provision of public services. As a result, Saudi Arabia aims to implement the best global practices for national data management and governance policies and controls, protect personal data, and increase the value learned from it in order to make strategic decisions, anticipate the future, and uphold the highest standards of accountability and transparency. The value of data as an economic resource that fosters innovation, supports economic transformations, and heightens national competitiveness is being sought after by nations all over the world. Governmental organizations on a national scale gather and process enormous amounts of data that can be used to support economic growth and elevate the Kingdom to pioneership in data-driven economies. In light of Vision 2030, the Kingdom seeks a new era that improves the efficiency of governmental entities, raises their standards of accountability and transparency, and promotes economic diversification and the use of data-driven services. This will play a significant part in the trust- and international partnership-based global economy.

In light of this, the Saudi Data & AI Authority and its legislative arm, the National Data Management Office, the national regulator and reference body for data management and governance, have created a data governance framework at the national level that outlines the laws and regulations for national data management and governance as well as the protection of personal data. This framework has been approved by the SDAIA Board of Directors.

Learn More about the Policies and Regulations:

Data classification Policy and Regulations

The Policy & Regulations set the framework for classifying the data received, produced, or dealt with by public entities, regardless of their source, form, or nature.

Personal Data Protection Law and The implementing Regulation

The law and The implementing Regulation set out the bases for the protection of personal data, the rights of data subjects, and the obligations of controllers

Rules of Procedure on Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law and Its Implementing Regulations

The Rules of Procedure on Committees for Reviewing Violations of the Provisions of the Personal Data Protection Law aim to regulate and govern the committees' procedures in accordance with the PDP Law and its Implementing Regulations.

Rules for Appointing Personal Data Protection Officer

These rules clarify the cases in which a personal data protection officer must be appointed at controller to the application of the provisions of the personal data protection law and its implementing regulations, and the minimum requirements for appointment.

Data Sharing Policy and Regulations

The policy and regulations regulate the sharing of data produced by government entities with other government entities, private entities, and individuals.

Freedom of Information Policy and Regulations

The policy and the regulations outlines the fundamentals and guiding principles of data freedom and applies to requests made by individuals to access or obtain unprotected public data generated by public entities.

Open Data Policy and Regulations

The policy and regulations set out the regulatory frameworks for open data, which is a subset of public information.

Elaboration and Developing Privacy Policy Guideline

This guideline aims to guide entities subject to the provisions of Personal Data Protection Law and its Implementing Regulations, through the preparation and development of their privacy policy.

Minimum Personal Data Determination Guideline

This guideline has been developed for entities subject to the PDPL and its Implementing Regulations to assists these entities in fulfilling the purpose of processing Personal Data while avoiding the collection of unnecessary Personal Data.

The Rules Governing the National Register of Controllers Within the Kingdom

These rules aim to determine and understand the extent to which Controllers are obligated to register in the National Data Governance Platform.

Guidelines for Binding Common Rules (BCR) For Personal Data Transfers

This guideline aims to specify the obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organization that does not have an adequate level of protection for personal data.

Standard Contractual Clauses For Personal Data Transfers

These Clauses are one of the appropriate safeguards that Controllers and Processors may use in addition to the Binding Common Rules (BCR) and accreditation certificates from a body licensed by the Competent Authority.

Personal Data Destruction, Anonymization, and Pseudonymisation Guideline

This guideline aims to assist entities in determining the cases where personal data should be destroyed or anonymized.

Personal Data Disclosure Cases Guideline

This guideline aims to assist entities in determining the cases and restrictions of personal data disclosure.

Personal Data Processing Activities Records Guideline

This guideline aims to assist entities in preparing records of personal data processing activities.

Personal Data Breach Incidents Procedural Guide

This guide Aims to outline the necessary procedures to deal with personal data breaches and reduce the consequences and risks influencing Data Subjects in accordance with the Law and its Implementing Regulations.