KSAPDPL.COM


Saudi PDPL Article 24 – Additional Controls for Credit Data

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 24 establishes specific controls for Processing Credit Data given the sensitive nature of financial information and its connection to an individual’s economic identity. The Article requires Controllers to implement measures to verify that explicit consent has been given when required for the collection, change of purpose, disclosure, or publishing of Credit Data, and to notify the Data Subject whenever any entity requests disclosure of their Credit Data.

These rules enhance transparency and ensure that Credit Data is handled in accordance with the additional controls set out in the Regulations and the Credit Information Law.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 24

Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Credit Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law and the Credit Information Law. Such controls and procedures shall include the following:

  1. Implementing appropriate measures to verify that the Data Subject has given their explicit consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the provisions of this Law and the Credit Information Law.

  2. Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 24(1)

Consent Verification Requirements

This clause requires the Controller to implement measures that verify the Data Subject has given explicit consent before their Credit Data is collected, used for a new purpose, disclosed, or published. Because the text lists Collection, change of purpose, Disclosure, and Publishing separately, consent must be verified for each of those operations, not only at the point of initial collection.

The Controller must be able to prove that consent was explicit and tied to the described Processing, and must ensure that Processing aligns with both the PDPL and the Credit Information Law.

PDPL Article 24(2)

Notification on Receipt of Disclosure Requests

This provision requires that the Data Subject be notified whenever any entity requests Disclosure of their Credit Data. The text specifies that notification must occur upon receipt of the request itself rather than after a Disclosure decision is made. This ensures that the Data Subject is aware of who is seeking access and can take protective steps if necessary.


The notification obligation enhances transparency and reinforces the Data Subject’s financial privacy rights by ensuring they are informed before their Credit Data is shared.
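The following is an added illustration, not code from this page or from SDAIA, of how a Controller might implement both clauses in one component: consent records that bind the Data Subject to a specific operation (collect, change of purpose, disclose, publish) and purpose, protected by an HMAC so that an audit can show the record is intact, and a disclosure desk that records a notification to the Data Subject on receipt of a request, before any decision is made. The class names, the operation labels, the signing key, and the sample subject and requester identifiers are assumptions chosen for the example.

```python
"""Consent-verification gate and disclosure-request notification for Credit Data.

Added illustration only; not code from the page or from SDAIA. The record
layout, the operation names and the HMAC-based integrity check are assumptions
chosen to show one way a Controller can evidence explicit consent (Art. 24(1))
and notify the Data Subject on receipt of a disclosure request (Art. 24(2)).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four operations Article 24(1) names; each needs its own verifiable consent.
OPERATIONS = {"collect", "change_purpose", "disclose", "publish"}

# Assumption: a key held by the Controller outside the consent store (e.g. in a KMS).
SIGNING_KEY = b"controller-consent-signing-key-demo"


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    operation: str      # one of OPERATIONS
    purpose: str        # the specific purpose the consent is tied to
    evidence: str       # how explicit consent was captured (e.g. a signed form id)
    granted_at: str     # ISO-8601 UTC timestamp
    tag: str = ""       # HMAC over the other fields

    def canonical(self) -> bytes:
        body = {k: v for k, v in self.__dict__.items() if k != "tag"}
        return json.dumps(body, sort_keys=True).encode()


def sign(record: ConsentRecord) -> ConsentRecord:
    tag = hmac.new(SIGNING_KEY, record.canonical(), hashlib.sha256).hexdigest()
    return ConsentRecord(**{**record.__dict__, "tag": tag})


class ConsentRegistry:
    """Append-only store of signed consents plus a set of revocations."""

    def __init__(self):
        self._records: list[ConsentRecord] = []
        self._revoked: set[str] = set()   # tags of withdrawn consents

    def grant(self, subject_id, operation, purpose, evidence) -> ConsentRecord:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        rec = sign(ConsentRecord(subject_id, operation, purpose, evidence,
                                 datetime.now(timezone.utc).isoformat()))
        self._records.append(rec)
        return rec

    def revoke(self, record: ConsentRecord) -> None:
        self._revoked.add(record.tag)

    def verify(self, subject_id, operation, purpose):
        """Return the matching, intact, unrevoked consent record, or None.

        Consent is matched on operation *and* purpose, so consent to collect
        for a credit assessment does not authorise disclosure or a new purpose.
        """
        for rec in self._records:
            if (rec.subject_id, rec.operation, rec.purpose) != (subject_id, operation, purpose):
                continue
            expected = hmac.new(SIGNING_KEY, rec.canonical(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.tag):
                continue   # tampered or forged record: treated as no consent
            if rec.tag in self._revoked:
                continue
            return rec
        return None


@dataclass
class DisclosureDesk:
    """Receives third-party requests for a Data Subject's Credit Data."""
    registry: ConsentRegistry
    notifications: list = field(default_factory=list)

    def receive_request(self, requester, subject_id, purpose) -> dict:
        # Art. 24(2): notify the Data Subject on receipt, before any decision.
        self.notifications.append(
            {"to": subject_id, "requester": requester, "purpose": purpose})
        # Art. 24(1): require verifiable explicit consent to *disclose* for this purpose.
        rec = self.registry.verify(subject_id, "disclose", purpose)
        return {"disclose": rec is not None, "consent_tag": rec.tag if rec else None}


if __name__ == "__main__":
    # Constructed scenario: subject S-1001 consented only to collection.
    reg = ConsentRegistry()
    reg.grant("S-1001", "collect", "credit assessment", "form-77")
    desk = DisclosureDesk(reg)
    print(desk.receive_request("LenderB", "S-1001", "loan application"))
    print(desk.notifications)
```

The notification is appended before the consent lookup, so a refused request still leaves a notification on record; the tag check means an edited or copied record (for example one whose purpose was changed after signing) verifies as no consent rather than as consent.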

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), what exactly counts as “Credit Data” for Article 24?
Credit Data refers to Personal Data connected to a person’s creditworthiness or financial reliability. Article 24 applies special controls because this category can significantly affect an individual’s financial standing.
In fintech, does a customer’s repayment history fall under Article 24?
Yes, repayment behavior is typically considered Credit Data. Article 24 requires additional controls beyond standard PDPL rules.
Can a lender share Credit Data with a third party for marketing purposes?
Not without meeting PDPL requirements and the special controls in Article 24. Credit Data is highly sensitive and cannot be shared for unrelated purposes.
What is the main difference between Health Data rules in Article 23 and Credit Data rules in Article 24?
Both categories receive extra protection, but Article 24 focuses specifically on financial reliability. The purpose and risk profile differ, so each Article imposes its own controls.
Does Article 24 apply to non-banking businesses that assess customers for installment payments?
Yes, if the data relates to the customer’s creditworthiness. Any Controller processing this type of information must consider the additional controls.
Are Processors allowed to determine how Credit Data is used?
No, only the Controller decides the purpose and conditions of use. Processors must follow the Controller’s instructions, especially given Article 24’s stricter requirements.
If a fintech app only checks a “credit score range” without storing the full score, is Article 24 still relevant?
It may be, because even partial indicators of creditworthiness can be considered Credit Data. The level of protection should reflect the sensitivity of the information.
Can Credit Data be used for automated decision making without human review?
Article 24 does not prohibit automation, but it expects heightened safeguards. The Controller must ensure the use aligns with PDPL requirements and does not cause unfair outcomes.
In SaaS credit scoring platforms, who is responsible for ensuring Article 24 compliance, the platform or the business using it?
The business using the platform is typically the Controller and therefore responsible. The SaaS provider supports the processing but does not set the legal basis.
Is consent alone enough to process Credit Data under Article 24?
Consent may be a basis, but Article 24 requires additional controls beyond consent itself, including measures to verify that the consent was explicit. The Controller must ensure the processing meets these special requirements.
Does Article 24 limit how long Credit Data can be kept?
Article 24 itself does not set a retention period. The general PDPL rule applies: Credit Data cannot be stored longer than necessary for the purpose it was collected for, and the sensitivity of the data argues for applying that limit strictly.
Common misconception, “Credit Data is just like regular financial data.” Is that correct under KSA PDPL?
No, Article 24 treats Credit Data as a special category requiring extra safeguards. Its potential impact on an individual makes it subject to stricter handling rules.
