# Saudi PDPL — Personal Data Protection Assessment

> Draft and validate data protection compliance documentation under Saudi Arabia's Personal Data Protection Law (Royal Decree M/19 of 2021, amended 2023) and its Implementing Regulations. Covers data inventory, consent, cross-border transfers, and 72-hour breach notification.



Tags: Saudi Arabia, PDPL, SDAIA, Privacy, Data protection


## Example Prompts

- Draft our Saudi PDPL compliance documentation
- Check our PDPL document for lawful basis and 72-hour breach notification
- Validate compliance for SDAIA and data subject rights

URL: https://rakenne.app/skills/sa-pdpl-data-protection-assessment/index.md




## Example Conversation

> **You:** We need Saudi PDPL compliance documentation. We have to document lawful basis per processing, cross-border transfers (SDAIA), 72-hour breach notification, data subject rights, retention, and DPO. Can you draft it and run the checker?

> **Agent:** I’ll draft the compliance document with data inventory, lawful basis per activity, cross-border transfer mechanism (SDAIA adequacy or safeguards), data subject rights (know, access, correct, destroy, object, portability), 72-hour breach notification to SDAIA, retention periods, and DPO/privacy responsible designation. Then I’ll run `sa_pdpl_compliance_checker`.

> **Agent:** Created `sa-pdpl-compliance.md`. Running `sa_pdpl_compliance_checker`…

> **Agent:** Check **PASS** — lawful basis per processing is documented, cross-border transfer mechanism is in place, data subject rights are addressed, 72-hour breach notification to SDAIA is documented, retention periods are specified, and DPO is designated. Ready for legal review.

## What the Tools Validate

**`sa_pdpl_compliance_checker`** scans the compliance document for:

- **Lawful basis** — Each processing activity must have a specified lawful basis under the PDPL (e.g. consent, contract, legal obligation).
- **Cross-border transfer mechanism** — SDAIA adequacy list or permitted exemptions/safeguards must be documented.
- **Data subject rights** — Right to know, access, correct, destroy, object, and portability must be addressed.
- **Breach notification** — Procedure for notifying SDAIA within **72 hours** (and affected individuals where required) must be documented.
- **Data retention periods** — Retention periods for personal data must be specified.
- **DPO / privacy responsible** — Designation of a DPO or of a person responsible for privacy must be documented where required.

**Output:** PASS if all are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.

## Output Excerpt

**Compliance document (excerpt):**

```markdown
## Lawful basis
- Customer onboarding and KYC: consent and legal obligation (AML).
- HR and payroll: contract performance and legal obligation.
- Marketing: consent; opt-out mechanism available.

## Breach notification
- Breaches that pose a risk to rights are reported to SDAIA within **72 hours** of becoming aware. Affected individuals are notified in accordance with the PDPL and Implementing Regulations. Internal incident register maintained.

## Retention
- Customer data: 5 years after relationship end (legal requirement); then deleted or anonymised.
- HR data: per labour law and internal retention schedule.
```

**sa_pdpl_compliance_checker report (excerpt):**

```
=== SAUDI PDPL COMPLIANCE CHECK ===
Result: PASS
Document: sa-pdpl-compliance.md
Lawful basis is specified per processing activity.
Cross-border transfer mechanism (SDAIA adequacy or safeguards) is documented.
Breach notification procedure (72 hours to SDAIA) is documented.
Data retention periods are specified.
Document meets Saudi PDPL compliance expectations.
```

## Getting Started

Add your source materials to the project workspace (e.g. data inventory or transfer list), then activate the *Saudi PDPL — Personal Data Protection Assessment* skill. The agent will guide you through drafting the compliance document and running `sa_pdpl_compliance_checker` until the check passes.


