Implementing Regulation of PDPL Article 4 outlines what a Controller must disclose to a Data Subject when collecting their Personal Data. If data is collected directly, the Controller must provide specific information—such as their identity, purpose of processing, storage period, and rights of the Data Subject—either before or at the time of collection. This ensures individuals know what’s happening with their data and why.
If the data is collected indirectly (from someone other than the Data Subject), the Controller must notify the Data Subject within 30 days, unless the information is already available to the individual or notifying them is not feasible due to disproportionate effort or legal limitations.
Further, if a Controller uses new technologies, monitors individuals continuously, or makes automated decisions, it must also inform Data Subjects about automated decisions, data protection methods, and use of Sensitive Data. Any change in the purpose of processing also triggers an obligation to inform the individual again. When the Controller is aware that the Data Subject fully or partially lacks legal capacity, the information must be provided in appropriate language.
Implementing Regulation of PDPL Article 4 (1)
Inform Before Collection
If the Personal Data is collected directly from the Data Subject, the Controller shall, before or when collecting the Data, take the necessary measures to inform the Data Subject of the following:
a) Controller’s identity, its contact details, and any other details related to the channels established by the Controller for the purpose of communicating in relation with Personal Data protection.
b) Contact details of the data protection officer appointed by the Controller, where applicable.
c) The legal basis and a specific, clear, and explicit purpose for collecting and Processing Personal Data.
d) The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.
e) Explanation about Data Subject’s rights, as stipulated in Article (4) of the Law and the mechanisms for exercising those rights.
f) Explanation on how to withdraw consent given to process of any Personal Data.
g) Explaining whether collecting or Processing Personal Data is mandatory or optional.
Implementing Regulation of PDPL Article 4 (2)
Exceptions to Notice
The provisions of paragraph (1) of this article shall not apply if the information specified in sub-paragraphs (a) to (g) is already available to the Data Subject, or if providing such information conflicts with any of the existing laws in the Kingdom.
Implementing Regulation of PDPL Article 4 (3)
Indirect Collection Notice
If Personal Data is collected directly from an individual other than the Data Subject, the Controller shall, without undue delay and within a period not exceeding (30) days, take necessary steps to inform the Data Subject of the provisions specified in paragraph (1) of this article, in addition to the categories of Personal Data being processed and the source from which the Controller obtained it.
Implementing Regulation of PDPL Article 4 (4)
Exemptions from Indirect Notice
The provisions of paragraph (3) of this article shall not apply in any of the following conditions if:
a) The information is already available to the Data Subject.
b) The implementation is not possible or requires disproportionate effort.
c) The Controller obtained the data in accordance with a law.
d) The Controller is a Public Entity and the Collection of Personal Data is for security purposes, or to fulfil judicial requirements, or to achieve a Public Interest.
e) The Personal Data is subject to professional confidentiality provisions established by law.
Implementing Regulation of PDPL Article 4 (5)
High-Risk Processing Notice
When a Controller whose activities require continuous and a large scale Processing of Personal Data on individuals that fully or partially lack legal capacity, or continuous monitoring of Data Subjects, adoption of new technologies, or making automated decisions based on Personal Data, shall take the necessary measures to inform the Data Subject of what is stipulated in paragraph (1) of this Article, in addition to the following:
a) Means and methods of collecting and Processing Sensitive Data, where applicable.
b) Means and procedures taken to protect Personal Data.
c) Indicate whether decisions will be made based solely on automated Processing of Personal Data.
Implementing Regulation of PDPL Article 4 (6)
Inform on Purpose Change
When the Controller engages in additional Processing of Personal Data for a purpose other than the one for which it was initially collected for, it shall provide the Data Subject with the necessary information in accordance with the provisions of this article, before conducting the additional Processing.
Implementing Regulation of PDPL Article 4 (7)
Accessible Language Required
The Controller shall provide the required information in an appropriate language as stipulated in this Article when aware that the Data Subject fully or partially lacks legal capacity.
Explanation of Implementing Regulation of PDPL Article 4
Notify Data Subjects when data is collected directly:
Implementing Regulation of PDPL Article 4 (1) states that Controllers must inform individuals about the Controller’s identity, the purpose of processing, their rights, retention, and consent.
When the information is already known or disclosure conflicts with law:
Implementing Regulation of PDPL Article 4 (2) states that Controllers do not need to inform the individual if the individual already knows the information or if the law prohibits disclosure.
30-day deadline for informing when data is collected indirectly:
Implementing Regulation of PDPL Article 4 (3) states that if data is not collected directly, the Controller must notify the Data Subject within 30 days and include the source of the data.
Certain conditions exempt notification on indirect collection:
Implementing Regulation of PDPL Article 4 (4) states that notice is not required if the information is already known, disclosure is impossible, or disclosure is legally restricted.
Extra transparency for automated decisions or special categories:
Implementing Regulation of PDPL Article 4 (5) states that Controllers must give extra details if they use AI, monitor individuals, or process sensitive data.
Data Subject must be notified of any new processing purpose:
Implementing Regulation of PDPL Article 4 (6) states that if the data is to be used for a new reason, the Controller must inform the Data Subject beforehand.
Clear, appropriate language for those lacking legal capacity:
Implementing Regulation of PDPL Article 4 (7) states that when dealing with minors or others without full legal capacity, the Controller must use suitable language.