Overview
PDPL Implementing Regulation Article 9 sets the obligations a Controller must follow when anonymising personal data. It requires ensuring that re-identification is impossible, evaluating risks and impacts, implementing organizational and technical measures, and reviewing the effectiveness of anonymisation techniques.
It also clarifies that anonymised data is not treated as personal data under the Law.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 9: Anonymisation
- When a Controller anonymizes the Personal Data of a Data Subject, it shall comply with the following:
  - Ensure that the re-identification of the Data Subject is impossible after Anonymisation.
  - Evaluate the impact, including the possibility of re-identifying the Data Subject, in the circumstances specified in Paragraph (1) of Article 25 of this Regulation.
  - Take the necessary organizational, administrative, and technical measures to avoid the risks, taking into account technological developments, methods of Anonymisation, and updates to those methods.
  - Evaluate the effectiveness of the applied techniques for anonymising Personal Data and make necessary adjustments to ensure that re-identification of Data Subject is impossible.
- Anonymized data shall not be considered as Personal Data.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 9(1)
Conditions For Anonymisation
Article 9(1)(a)
Preventing Re-Identification
This provision requires the Controller to ensure that re-identifying the Data Subject is impossible after anonymisation. It sets a strict standard for anonymisation by requiring that the resulting data cannot be linked back to the individual.
Article 9(1)(b)
Impact And Risk Evaluation
This provision requires the Controller to evaluate the impact of anonymisation, including the possibility of re-identifying the Data Subject, in the circumstances described in Article 25 paragraph (1) of the Regulation. It highlights the need for assessing risk and context when reviewing anonymisation practices.
Article 9(1)(c)
Technical, Administrative, And Organizational Measures
Article 9(1)(d)
Reviewing Technique Effectiveness
This provision requires the Controller to evaluate the effectiveness of the applied anonymisation techniques and make necessary adjustments to ensure that re-identification of the Data Subject is impossible. It establishes a continuous review obligation so that anonymisation remains secure over time.
Article 9(2)
Status Of Anonymised Data
This provision states that anonymised data is not considered personal data. It confirms that once data has been anonymised in accordance with paragraph (1), it no longer falls within the scope of personal data processing obligations.