Overview
PDPL Implementing Regulation Article 12 sets out how a Data Subject may withdraw consent for processing their personal data.
It requires the Controller to provide consent withdrawal mechanisms, cease processing upon withdrawal, take steps to notify and request destruction from recipients of the data, and clarifies that withdrawal does not affect processing based on other lawful grounds.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 12: Consent withdrawal
- Data Subject has the right to withdraw their consent for Processing their Personal Data at any time, and they shall inform the Controller of this through any available means according to Article (4) of this Regulation.
- Before requesting consent from the Data Subject, the Controller shall establish procedures that allow for the withdrawal of that consent and take the necessary measures to ensure their implementation, with the procedures for withdrawing consent being similar to or easier than those for obtaining it.
- In the event of consent withdrawal, the Controller shall cease Processing without undue delay from withdrawal request. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
- When the Data Subject withdraws their consent for Processing their data, the Controller shall take appropriate measures to notify those to whom the Personal Data has been disclosed and request its Destruction through any available means.
- Consent withdrawal shall not affect the Processing of Personal Data that is based on other legal basis.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 12(1)
Right To Withdraw Consent
This provision states that the Data Subject may withdraw consent for processing their personal data at any time. It requires the Data Subject to inform the Controller of the withdrawal using any available means specified under Article 4 of the Regulation.
It establishes consent withdrawal as a right that can be exercised without time limitation.
Article 12(2)
Procedures For Consent Withdrawal
This provision requires the Controller, before requesting consent from the Data Subject, to establish procedures that enable the Data Subject to withdraw consent and to take the measures necessary to implement those procedures. It also states that the withdrawal process must be similar to or easier than the process for giving consent.
It ensures that withdrawal is accessible and does not create unnecessary barriers.
Article 12(3)
Processing Must Halt After Withdrawal
This provision states that the Controller must cease processing without undue delay once a consent withdrawal request is received. It also clarifies that withdrawal does not affect the lawfulness of processing carried out based on consent before the withdrawal.
It ensures both prompt action and recognition of prior lawful processing.
Article 12(4)
Notifying Data Recipients
This provision requires the Controller to take appropriate measures to notify parties to whom personal data has been disclosed and to request its destruction using any available means when the Data Subject withdraws consent.
It ensures that the implications of consent withdrawal extend to all parties who received the data.
