Saudi Arabia: Saudi Data and AI Authority opened consultation on proposed amendments to Implementing Regulation of Personal Data Protection Law including data protection regulations

On 27 April 2025, the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) opened a consultation on the proposed amendments to the Implementing Regulation of the Personal Data Protection Law (PDPL) until 27 May 2025. The amendments would revise controller obligations, modify definitions, and adjust procedural requirements. Changes would include the removal of the definitions for "direct marketing" and "personal data breach". Furthermore, the proposed amendments would introduce new requirements for drafting Privacy Policies in clear and service-consistent language, revise consent procedures for marketing communications, and modify obligations regarding direct marketing, including consent withdrawal and sender identification. The amendments also update responsibilities for Personal Data Protection Officers, restructure recordkeeping obligations for Personal Data processing, and adjust procedures for reporting to the Competent Authority. Provisions concerning complaint handling procedures would also be restructured.