Personal Data Destruction, Anonymization, and Pseudonymisation Guideline – Introduction says that this guideline was issued by SDAIA to help organizations understand when and how to properly destroy, anonymize, or pseudonymize personal data under the KSA Personal Data Protection Law (PDPL). It supports entities in meeting their obligations under Article 18 of the Law and Articles 8 and 9 of the Implementing Regulation. While the guideline is informative and practical, it is not legally binding. Entities must always consult the actual Law and Regulations as the final authority.
SDAIA’s guide offers non-binding but practical instructions on how to destroy or depersonalize personal data in line with PDPL requirements.
Personal Data Destruction, Anonymization, and Pseudonymisation Guideline – Introduction
In fulfillment of its mandate to raise awareness among entities subject to the provisions of the Personal Data Protection Law the “Law” and its Implementing Regulations, and to enable those entities to understand their obligations under Article (18) of the Law and Articles (8) and (9) of the Implementing Regulations, the Saudi Data & AI Authority (SDAIA) has issued this Guideline to assist entities in determining the cases where personal data should be destroyed or anonymized. This Guideline also provides examples of techniques to aid in the destruction ,anonymization and Pseudonymisation of personal data. The terms and phrases used in this Guideline shall be construed in accordance with the definitions provided in the Law and its Implementing Regulations. This Guideline shall not be considered a binding legal document, nor shall it substitute consulting the Law and its Implementing Regulations, which shall constitute the regulatory reference for all matters related to the application of the Law’s provisions.
