Overview
Elaboration and Developing Privacy Policy Guideline — Eighth: Personal Data Subjects Rights (DSR) explains the obligation of the Controller to clearly inform Data Subjects of their rights related to the collection and processing of Personal Data, the methods available for exercising those rights, the communication channels used to receive requests, and the timeframe for responding.
It also sets out the specific rights that must be communicated to Data Subjects in accordance with the Law and its Implementing Regulations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Eighth: Personal Data Subjects Rights
The Controller shall clarify the rights of Data Subjects regarding the collection and processing of their data as specified in Law, along with the method of exercising these rights. The Controller shall also provide appropriate communication channels to respond to Data Subjects' requests related to their rights according to their choice and availability. These channels may include: (emails, text messages, communication via electronic applications). The Controller shall also specify the time taken for response.
- The Right to be informed, which includes informing Data Subjects of the legal basis and purpose of collecting data while ensuring that Data Subjects' data will not be subsequently processed in any way inconsistent with the purpose of collecting such data, for which Data Subjects provided their explicit or implicit consent.
- The Right to access their Personal Data held by the Controller, which includes Data Subjects' access to their Personal Data upon request or through means provided by the Controller that enables Data Subjects to have access to their Personal Data Automatically without the need to submit a request.
- The Right to request access to Personal Data held by the Controller in a readable and clear format consistent with the content of records, whether such Personal Data is in a commonly used format if feasible, or providing a printed hard copy of such data.
- The Right to request correction, completeness, and update of Personal Data held by the Controller.
- The Right to request the destruction of Personal Data held by the Controller if Personal Data is no longer necessary to achieve the purpose for which it was collected.
- The Right to withdraw consent for Personal Data Processing at any time, unless there is a legal basis that requires otherwise, in addition to elaborating how to withdraw such consent by providing means and methods to ensure a prompt response to requests related to exercising rights according to measures stated in Article (12) of the Implementing Regulation of the Law.
- The Right to submit any complaint related to applying the provisions of the Law to the Competent Authority.
- The Right to claim compensation for material or moral damage if the Data Subject is harmed as a result of any violation stipulated in the Law and its Implementing Regulations.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Communication of Data Subject Rights (DSR)
1. Right to Be Informed
2. Right of Access to Personal Data
3. Right to Obtain Data in a Clear Format
4. Right to Correction and Update
5. Right to Request Data Destruction
6. Right to Withdraw Consent
This provision allows Data Subjects to withdraw their consent for Personal Data Processing at any time, unless a legal basis requires otherwise. It also requires the Controller to explain how consent may be withdrawn and to provide means that ensure a prompt response, in accordance with Article (12) of the Implementing Regulation of the Law.
7. Right to Complaint
8. Right to Compensation
This provision allows Data Subjects to claim compensation for material or moral damage if they are harmed as a result of violations of the Law or its Implementing Regulations.
