Employee Data Privacy

Saudi Arabia - Breach Notification


Are there any data breach notification requirements? 


A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.


Under Saudi Arabia’s Personal Data Protection Law (PDPL), controllers (such as employers) are required to immediately inform the regulatory authority of any “personal data leaks, damage or unauthorised access”. If a breach causes “gross harm” to a data subject (such as an employee in the context of employment) or to their personal data, employers should immediately inform the affected data subject. Executive regulations are expected in the future and would provide more detailed information on when a data subject should be informed of a personal data breach.


Note that cloud service providers are required to notify customers of security breaches under the Saudi Cloud Computing Regulatory Framework and may need to inform the Communications and Information Technology Commission in certain instances (severe breaches or breaches that involve ‘Level 3’ or above sensitive content).

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
