Source: Rules Governing the Issuance of Accreditation Certificates for Controllers and Processors (Issue 1.0, 2026)
Saudi Arabia's personal data protection framework has taken another step towards a more structured compliance ecosystem. The Saudi Data & AI Authority (SDAIA), as the Competent Authority for the Personal Data Protection Law (PDPL), has issued the Rules Governing the Issuance of Accreditation Certificates for Controllers and Processors (the Rules). The Rules introduce a formal accreditation certificate that can be issued to Controllers and Processors following an independent assessment by a licensed third party (a Licensee).
While accreditation is not positioned as a substitute for PDPL compliance, it creates a more visible and potentially more standardised way for organisations to evidence the maturity of their privacy governance, particularly in regulated, procurement-driven and cross-border operating models.
What is the accreditation certificate, and who issues it?
Under the Rules, an accreditation certificate is a certificate issued by a Licensee confirming that the practices and procedures followed by a Controller or Processor in processing personal data comply with the PDPL, the PDPL Implementing Regulation, the Regulation on Personal Data Transfer Outside the Kingdom, and the requirements set out in the Rules. Importantly, the certificate is issued by the Licensee (an entity authorised by the Competent Authority), rather than being issued directly by SDAIA.
Who is in scope?
The Rules apply both to entities authorised to issue accreditation certificates and to applicants seeking accreditation, whether as Controllers or Processors. The definition of "Applicant" expressly covers Controllers and Processors operating within or outside the Kingdom. This is consistent with the PDPL's broad territorial reach and is a reminder that organisations outside Saudi Arabia that process personal data relating to individuals in the Kingdom should treat PDPL compliance as a core governance issue, not a peripheral one.
Readiness requirements: what must be in place before applying
Accreditation is not designed to be a rubber-stamp exercise. Before an application is filed, an applicant must already be registered in the National Register of Controllers and must be able to demonstrate that its processing practices align with the PDPL framework. Applicants must also disclose prior or existing complaints filed under the PDPL framework and disclose any violations previously identified by the Competent Authority.
Operationally, the Rules expect applicants to have established tools and procedures to verify compliant processing, documented and approved organisational, administrative and technical measures, and documented breach-handling procedures that are periodically reviewed. Applicants must also have qualified legal and technical personnel with at least three years of relevant experience, together with a designated Personal Data Protection Officer (DPO), and annual training and awareness plans that are credible across different roles.
Application and evaluation timeline
Applications are submitted through the means specified by the Competent Authority. The applicant must verify the list of authorised Licensees published on the Competent Authority platform and provide supporting documentation demonstrating compliance with the Rules' general and operational requirements. The Licensee must then evaluate the application and issue an assessment report within a maximum period of 90 business days from receipt of the application, notifying the applicant of the outcome and providing a copy of the report.
Validity, renewal and revocation
An accreditation certificate is valid for two years from the date of issuance. Renewal is available: the certified entity may submit a renewal application no less than 30 business days before the certificate expires, and renewal is approved upon verification that the entity continues to meet the relevant requirements. Where renewal is not possible for reasons tied to the Licensee's own licensing status (for example, suspension or revocation), the entity may submit a new application to another authorised Licensee.
The Rules also take a firm position on enforcement. A Licensee must revoke the certificate in specified circumstances, including where the certified entity fails to comply with the Rules or PDPL framework, or where it provides false information or fails to disclose required information. Following revocation, the entity must immediately cease using the accreditation certificate and implement a plan to address the consequences.
Corporate changes: accreditation continuity risk
A point that deserves early attention is that certificates issued under the Rules are deemed void in a number of corporate events, including transformation of the legal entity, as well as transformation, merger or division of the certified entity under the Companies Law. Certificates are also deemed void if the legal entity of the Licensee is dissolved.
It will be interesting to see how the market treats accreditation in transactions and reorganisations. For groups undertaking restructurings, joint ventures, spin-outs or M&A, accreditation may need to be treated as a stand-alone continuity workstream, similar to other regulated authorisations, particularly where business models rely on demonstrable compliance signals.
Publication and the "trust signal" effect
The Competent Authority will publish on its official websites a list of entities that have received accreditation certificates, including each certificate's validity duration and the certified entities' official contact details. Over time, this public list may become a practical due diligence tool for customers and counterparties assessing privacy posture, especially in outsourcing, cloud, data processing and platform arrangements.
Looking ahead: why this matters beyond compliance
Two aspects are worth watching. First, the Regulation on Personal Data Transfer Outside the Kingdom recognises a "certificate of accreditation" as one of the appropriate safeguards for certain cross-border transfers. This raises the possibility that accreditation may, in some cases, move from being a voluntary quality marker to a strategic enabler for operating models that depend on frequent international transfers, vendor ecosystems or group-wide processing arrangements. Second, as accredited entities become publicly visible, procurement and enterprise customers may begin to treat accreditation as a differentiator, and in some sectors, potentially as a soft requirement.
In practical terms, organisations should consider a focused readiness review before the application stage. This typically starts with mapping processing activities and confirming roles and accountability (Controller versus Processor) across business lines and group entities. It also means stress-testing governance, including DPO designation, decision-making routes, escalation lines and evidence trails that a Licensee is likely to expect to see. Contracting is another immediate priority: customer, vendor, cloud, outsourcing and intra-group agreements should be reviewed to ensure privacy obligations are operationally deliverable and that risk allocation aligns with the PDPL framework and the emerging accreditation environment. Finally, incident readiness should be treated as a living capability, supported by breach-handling procedures, testing and role-based training, not a set of static documents.
We work with clients on each of these readiness workstreams: from processing activity mapping and governance stress-testing to contract alignment and incident preparedness, helping organisations evaluate how PDPL obligations and emerging accreditation frameworks impact business strategy, contracting models, and data-driven operations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.