Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
There is no general data breach notification law in Saudi Arabia that applies to employers in relation to employee data. That said, while there are no general or employer specific requirements, cloud service providers are required to notify customers of security breaches and may need to inform the CITF in certain instances (severe breaches or breaches that involve ‘Level 3’ or above sensitive content).