KSAPDPL.COM

Saudi PDPL Article 12 – Privacy Policy Requirements

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 12 requires Controllers to publish a clear and accessible privacy policy before collecting personal data. The policy must describe why personal data is collected, what types of data are collected, how the data will be processed, stored, and destroyed, and how individuals can exercise their rights.

This Article establishes the foundation for transparency and lawful data collection practices under the Personal Data Protection Law (PDPL).

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority (SDAIA), verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 12

The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, storage and Destruction, and information about the Data Subject rights and how to exercise such rights.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Privacy Policy Must Be Provided Before Collection

This provision requires the Controller to prepare and use a privacy policy and make it available to Data Subjects before collecting any personal data.

The policy must describe the purpose for collecting the data and the types of personal data that will be collected. It must also explain the methods used for collection, the ways in which the data will be processed, how long it will be stored, and how it will be destroyed. The policy must include information about the Data Subject’s rights under the Law and instructions on how to exercise those rights.

This ensures that individuals receive the necessary information before any collection activity begins.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), do all businesses need a Privacy Policy even if they collect very little data?
Yes, if you collect or process any Personal Data, you typically need a clear Privacy Policy. Article 12 focuses on transparency, so even small-scale processing requires users to understand how their data is handled.
The Privacy Policy must be accessible before or at the time you collect Personal Data. In practice, placing it only in a hard-to-find area does not meet the transparency expectation.
For e-commerce sites in KSA, can we group all types of data uses under one generic statement in the Privacy Policy?
No, Article 12 expects clarity about how Personal Data is processed. A general catch-all statement is usually not enough to explain the actual practices involved.
It needs to explain how Personal Data is processed and the key information required by the PDPL. While the article does not spell out a list of items, the expectation is to provide meaningful clarity to users.
Can a mobile app rely on a generic global Privacy Policy for Saudi users?
Not safely, because Article 12 requires compliance with Saudi PDPL, which may differ from global privacy statements. In practice, local additions or a localized policy are usually needed.
Does Saudi PDPL require the Privacy Policy to be written in Arabic?
Article 12 does not specify a language, but transparency requires the policy to be understandable to users. In practice, providing Arabic for Saudi audiences is common to meet that expectation.
Is a Terms of Service page the same as a Privacy Policy under Article 12?
No, they serve different purposes. A Privacy Policy explains how Personal Data is processed, while terms focus on service use and conditions.
If we change our data practices, can we update the Privacy Policy silently without notifying users?
Article 12 focuses on transparency, so silent changes typically do not meet that expectation. Users should be able to understand how their data is processed at all times.
For HR departments in Saudi Arabia, do internal staff need access to the company Privacy Policy?
Yes, if employees’ Personal Data is processed, they should be able to understand how it is used. Article 12 applies broadly, not only to customer-facing services.
Does a Processor need its own Privacy Policy under KSA PDPL Article 12?
The requirement is directed at Controllers providing information to Data Subjects. A Processor may publish a policy for transparency, but the Controller remains responsible for the PDPL information duties.
Common misconception: “Our Privacy Policy only needs to say we protect data.” Is that enough under Saudi PDPL?
No, Article 12 requires meaningful clarity on how data is processed, not just assurances. A vague statement does not meet the transparency requirement.
No, Article 12 emphasizes clear transparency. If the information is not understandable to the user, it does not satisfy the requirement in practice.
