Overview
Personal Data Destruction, Anonymization, and Pseudonymisation Guideline — Second: Anonymization sets out the requirements Controllers must meet to ensure that personal data is irreversibly anonymized so that data subjects are no longer identifiable.
It clarifies when anonymized data falls outside the scope of the Saudi Personal Data Protection Law (PDPL), and specifies the impact assessment, organizational, administrative, and technical measures Controllers must implement to prevent re-identification in the circumstances outlined in Paragraph (1) of Article 25 of the Implementing Regulation.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Second: Anonymization
The Controller shall ensure that all direct and indirect personally identifiable information is irreversibly anonymized, rendering the data subject unidentifiable. Data that has been rendered anonymous shall no longer be considered personal data and, consequently, shall not fall within the scope of the Personal Data Protection Law.
The Controller, upon the anonymization of personal data, shall:
- Ensure that the anonymized data is rendered irreversibly anonymous, making it impossible to re-identify the data subject.
- Conduct an impact assessment, including an evaluation of the potential for re-identification under the circumstances specified in Paragraph (1) of Article 25 of the Implementing Regulation.
- Implement appropriate organizational, administrative, and technical measures to mitigate risks, ensuring that these measures are up-to-date and aligned with technological advancements and evolving anonymization techniques.
- Evaluate the effectiveness of implemented anonymization techniques and implement requisite adjustments.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Anonymization Purpose and Legal Effect
This introductory provision explains that anonymization requires the irreversible removal of all direct and indirect identifiers so that the data subject can no longer be identified. Once data is rendered anonymous in an irreversible manner, it ceases to be considered personal data and therefore falls outside the scope of the Personal Data Protection Law (PDPL). That is the legal effect of anonymization under the Law.
A. Irreversibility Requirement
This requirement emphasizes that anonymization must make re-identification impossible. Controllers must ensure that anonymized data cannot be linked back to a data subject, whether directly or indirectly. Any anonymization technique that allows re-identification would fail to meet the standard set by the guideline.