Overview
Elaboration and Developing Privacy Policy Guideline – Introduction explains how entities subject to the Saudi Personal Data Protection Law (PDPL) must prepare and develop a privacy policy. It clarifies how Controllers meet the Right to Be Informed obligation, outlines the mandatory elements that must be disclosed to Data Subjects, and supports compliance with Articles 4, 12, and 13 of the Law.
The Guideline also provides a standardized template and practical direction to ensure privacy policies are transparent, accurate, and aligned with PDPL requirements.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Introduction
This guideline aims to guide entities subject to the provisions of Personal Data Protection Law (Law) (Controllers operating within Kingdom, involved in Personal Data collection and processing, partially or entirely, through any means, as well as Controllers operating outside Kingdom, and involved in collecting and processing Personal Data of individuals residing in Kingdom, through any means, as long as it does not conflict with relevant laws and regulations) and its Implementing Regulations, through the preparation and development of their privacy policy, ensuring compliance with the “Right to Be Informed” stated in Article (4) of the Law, and further cited in Article (13) thereof. This also ensures entities' compliance with Article (12) provisions, which obligate entities to prepare a privacy policy, as follows: “The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify purpose of Collection, Personal Data to be collected, means used for Collection, Processing, Storage and Destruction, and information about the Data Subject rights and how to exercise such rights.”
This guideline shall also provide a standard template that can serve as guidance during the development of entities' privacy policy, to ensure that regulatory requirements are met, and to clarify basic elements that shall be taken into account during policy development. The Law and its Implementing Regulations may be used as reference to determine terms and phrases mentioned in this guideline, and to determine regulatory requirements, as viewing this guideline cannot replace the need to refer to the provisions of the Law and its Implementing Regulations. This guideline is not considered a binding regulatory document, since the Law and its Implementing Regulations provisions serve as regulatory reference for the application of its provisions.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Purpose of the Guideline
This Guideline is intended to help Controllers understand how to develop a privacy policy that complies with the Saudi Personal Data Protection Law and its Implementing Regulations.
It focuses on translating legal obligations into clear, usable disclosures that inform Data Subjects about how their Personal Data is collected, processed, stored, and protected.
Right to Be Informed Obligations
The Guideline operationalizes the Right to Be Informed by explaining how Articles 4, 12, and 13 of the Law require Controllers to provide transparent and accessible information before collecting Personal Data.
A privacy policy is the primary mechanism through which this right is fulfilled, ensuring Data Subjects are aware of purposes, processing activities, and their statutory rights.
Use of Templates and Legal References
To support consistent compliance, the Guideline includes a standard privacy policy template and clarifies the minimum elements that must be addressed during policy development.
While the Guideline provides practical direction, it does not replace the Law or its Implementing Regulations, which remain the authoritative legal reference for determining compliance obligations and regulatory interpretation.