Overview
Personal Data Protection Law (PDPL) Article 12 requires Controllers to publish a clear and accessible privacy policy before collecting personal data. The policy must describe why personal data is collected, what types of data are collected, how the data will be processed, stored, and destroyed, and how individuals can exercise their rights.
This Article establishes the foundation for transparency and lawful data collection practices under the Personal Data Protection Law (PDPL).
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 12
The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, storage and Destruction, and information about the Data Subject rights and how to exercise such rights.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Privacy Policy Must Be Provided Before Collection
This provision requires the Controller to prepare and use a privacy policy and make it available to Data Subjects before collecting any personal data.
The policy must describe the purpose for collecting the data and the types of personal data that will be collected. It must also explain the methods used for collection, the ways in which the data will be processed, how long it will be stored, and how it will be destroyed. The policy must include information about the Data Subject’s rights under the Law and instructions on how to exercise those rights.
This ensures that individuals receive the necessary information before any collection activity begins.
