PDPL Article 12 requires every controller to have a clear and accessible privacy policy in place before collecting personal data. This policy must explain what data will be collected, why it’s being collected, how it will be processed and stored, and inform individuals about their data rights and how to exercise them.
Controllers must publish a privacy policy that clearly explains what data is collected, why, and how individuals can exercise their rights.
Saudi PDPL Article 12 (1)
Publish Clear Policy
The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, storage and Destruction, and information about the Data Subject rights and how to exercise such rights.
Explanation of Saudi PDPL Article 12
Data subjects must be informed of key details before data is collected:
Saudi PDPL Article 12 (1) says, before collecting any personal data, the controller must make a privacy policy available. It must include the purpose of collection, types of data, processing methods, storage, destruction practices, and how data subjects can exercise their rights.
