PDPL Article 18 sets rules for how long personal data can be retained and when it must be destroyed. Controllers must delete personal data when it is no longer needed, unless:
They anonymize it (remove identifiers), or
There is a legal reason to keep it, or
It’s needed for an active legal case.
The Regulations will provide further details, especially on what qualifies as anonymization and how long data must be retained in special cases.
Saudi PDPL Article 18 (1)
Delete When Unneeded
The Controller shall, without undue delay, destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.
In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:
Saudi PDPL Article 18 (2) (a)
Legal Retention Period
If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever longer.
Saudi PDPL Article 18 (2) (b)
Legal Retention Period
If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.
Explanation of Saudi PDPL Article 18
Data must be destroyed unless justified by anonymization or legal basis:
Saudi PDPL Article 18 (1) says, if the personal data is no longer needed, the controller must destroy it without delay unless it’s kept in a form that can’t identify the data subject.
Retention is allowed if a specific legal obligation applies:
Saudi PDPL Article 18 (2) (a) says, if a law requires data to be kept for a certain time, it may be retained — but must be destroyed after that period or when purpose is fulfilled, whichever is longer.
Data may be kept if linked to ongoing legal proceedings:
Saudi PDPL Article 18 (2) (b) says, data may be retained if needed for an active legal case, but must be destroyed once the judicial process ends.
