Overview
PDPL Implementing Regulation Article 38 explains how and where the Regulation must be officially published and clarifies when it becomes legally effective. It ensures transparency by requiring...
Overview
PDPL Implementing Regulation Article 37 describes how Data Subjects may submit complaints to the Competent Authority (SDAIA) and sets out the procedural obligations governing how such complaints...
Overview
PDPL Implementing Regulation Article 36 defines how entities must conduct audits and checks on Personal Data Processing activities to ensure proper protection and compliance with the Saudi PDPL....
Overview
PDPL Implementing Regulation Article 35 establishes the authority of the Competent Authority (SDAIA) to issue the regulatory rules governing how licensing entities may provide accreditation certificates...
Overview
PDPL Implementing Regulation Article 34 establishes the mandate for the Competent Authority (SDAIA) to issue the formal rules governing registration in the National Register of Controllers under...
Overview
PDPL Implementing Regulation Article 33 establishes the mandatory requirements for Controllers to maintain Records of Personal Data Processing activities (RoPA) under the Saudi PDPL. It specifies...
Overview
PDPL Implementing Regulation Article 32 explains when a Controller must appoint a Personal Data Protection Officer (DPO) under the Saudi PDPL. It describes the scenarios that trigger mandatory...
Overview
PDPL Implementing Regulation Article 31 sets limits on photographing or copying official documents issued by Public Entities when these documents contain identifiable Personal Data. Controllers...
Overview
PDPL Implementing Regulation Article 30 sets the conditions for collecting or Processing Personal Data for scientific, research, or statistical purposes without obtaining consent. The Article...
Overview
PDPL Implementing Regulation Article 29 defines the rules for Processing Personal Data for direct marketing purposes, requiring Controllers to obtain valid consent, clearly identify themselves...
Overview
PDPL Implementing Regulation Article 28 establishes the rules for sending advertising or awareness materials to individuals, particularly when there is no prior interaction with the Controller....
Overview
PDPL Implementing Regulation Article 27 establishes the organizational, technical, and administrative safeguards required for protecting Credit Data from unauthorized use, misuse, access, or disclosure....
Overview
PDPL Implementing Regulation Article 26 establishes the organizational, technical, and administrative controls required to protect Health Data from unauthorized use, misuse, collection, or breach....
Overview
PDPL Implementing Regulation Article 25 establishes the requirement for Controllers to conduct a written impact assessment (DPIA) when certain types of high-risk Personal Data Processing occur....
Overview
PDPL Implementing Regulation Article 24 sets out the obligations of Controllers when a Personal Data Breach occurs. The Article requires timely notification to the Competent Authority within seventy...
Overview
PDPL Implementing Regulation Article 23 defines the security obligations that Controllers must implement to protect Personal Data and maintain the privacy of Data Subjects. It requires Controllers...
Overview
PDPL Implementing Regulation Article 22 sets the obligations on Controllers when correcting, completing, or updating Personal Data. The Article defines the types of corrections covered, establishes...
Overview
PDPL Implementing Regulation Article 21 sets out the obligations that apply when a Public Entity collects Personal Data from sources other than the Data Subject, processes it for a new purpose,...
Overview
PDPL Implementing Regulation Article 20 establishes strict requirements for when and how Personal Data may be disclosed, including disclosures from publicly available sources, disclosures for...
Overview
PDPL Implementing Regulation Article 19 sets clear requirements for applying the data minimization principle during the collection and retention of Personal Data. It obligates Controllers to collect...
Overview
PDPL Implementing Regulation Article 18 sets the requirements a Controller must follow when processing Personal Data for a purpose different from the one for which it was originally collected....
Overview
PDPL Implementing Regulation Article 17 sets the requirements that govern how Controllers select, instruct, monitor, and supervise Processors. It specifies the contractual guarantees that must...
Overview
PDPL Implementing Regulation Article 16 sets the rules for when a Controller may rely on Legitimate Interest as a legal basis for processing Personal Data. It defines the conditions that must...
Overview
PDPL Implementing Regulation Article 15 explains the conditions that apply when a Controller processes Personal Data collected from sources other than the Data Subject.
It sets criteria for necessity,...
Overview
PDPL Implementing Regulation Article 14 establishes the requirement for Controllers to retain evidence when processing personal data to achieve the Actual Interest of the Data Subject.
It requires...
Overview
PDPL Implementing Regulation Article 13 defines how legal guardians act on behalf of Data Subjects who fully or partially lack legal capacity. It sets out the guardian’s authority to exercise...
Overview
PDPL Implementing Regulation Article 12 sets out how a Data Subject may withdraw consent for processing their personal data.
It requires the Controller to provide consent withdrawal mechanisms,...
Overview
PDPL Implementing Regulation Article 11 sets out the requirements for obtaining valid consent from a Data Subject. It defines how consent must be given, the clarity required in processing purposes,...
Overview
PDPL Implementing Regulation Article 10 sets out the communication methods a Controller must make available for Data Subjects to exercise their rights (DSR).
It requires the Controller to provide...
Overview
PDPL Implementing Regulation Article 9 sets the obligations a Controller must follow when anonymising personal data. It requires ensuring that re-identification is impossible, evaluating risks...
Overview
PDPL Implementing Regulation Article 8 sets out when a Controller must destroy personal data and the steps required during the destruction process.
It lists the specific circumstances that trigger...
Overview
PDPL Implementing Regulation Article 7 sets out how a Data Subject may request correction of their personal data and the obligations on the Controller when accuracy is disputed.
It allows the...
Overview
Saudi PDPL Implementing Regulation Article 6 sets out the conditions under which a Data Subject may request a copy of their personal data in a readable and clear format.
It confirms that providing...
Overview
Saudi PDPL Implementing Regulation Article 5 explains the conditions under which a Data Subject may access their personal data held by a Controller.
It sets out the limitations that protect the...
Overview
Saudi PDPL Implementing Regulation Article 4 defines the information a Controller must provide to Data Subjects before or when collecting personal data. It lists the required disclosures, sets...
Overview
Saudi PDPL Implementing Regulation Article 3 sets the core rules for how Controllers must handle Data Subject rights (DSR) requests. It specifies the actions a Controller must take when a request...
Overview
Saudi PDPL Implementing Regulation Article 2 explains when an individual’s processing of personal data is excluded from the Personal Data Protection Law (PDPL). It defines personal or family use...
Overview
Saudi PDPL Implementing Regulation Article 1 defines the core terminology that applies across the Implementing Regulation of the Personal Data Protection Law (PDPL). These definitions clarify...