Overview
Elaboration and Developing Privacy Policy Guideline – Privacy Policy Key Elements explains the mandatory information that must be included in a privacy policy under the Saudi Personal Data Protection Law (PDPL).
It clarifies the scope of disclosures required to ensure transparency, lawful processing, and effective communication with Data Subjects regarding how their Personal Data is collected, used, retained, shared, and protected.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Privacy Policy Key Elements
Privacy policy clarifies Personal Data to be collected, purpose of processing (Articles (5), (6), (10), and (15) of the Law shall be referenced to determine processing legal bases), method of use, legal basis for collecting and processing, entities to which such data shall be disclosed, geographical scope of processing, data retention period, method of data destruction, Data Subject’s rights and method of exercising them, and mechanism for communicating with the entity. It also clarifies the entities’ commitment to making individuals’ data available to them in a clear and accessible manner when collected, such as linking it to their websites or applications.
The Controller, depending on the nature of its activity, shall include the legal requirements mentioned below upon preparing its privacy policy:
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Clarifying Personal Data and Processing Details
This element explains that a privacy policy must clearly state the Personal Data that will be collected, the purpose of processing, and the method of use. It requires the policy to describe how Personal Data is processed so that individuals understand what data is collected and how it is used by the entity.
