KSAPDPL.COM


Saudi PDPL Article 18 – Personal Data Retention and Destruction

Overview

Personal Data Protection Law (PDPL) Article 18 sets out the rules governing when Personal Data must be deleted and when it may be retained. The Article requires Controllers to destroy Personal Data without undue delay once the purpose of collection has been fulfilled, unless a lawful reason justifies continued retention.

It also allows retention only when the data no longer contains anything that can identify the Data Subject, in accordance with the controls set by the Regulations, when another legal basis requires retention for a specific period, or when the data is needed for an active judicial case. After these periods end, the data must be destroyed.

Article 18 ensures that Personal Data is not kept longer than necessary and that any remaining retention aligns with legal requirements set out in the Regulations.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 18

  1. The Controller shall, without undue delay, Destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.

  2. In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:

    1. If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever longer.

    2. If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 18(1)

Removal When No Longer Needed

This provision establishes the core rule that Controllers must destroy Personal Data without undue delay once it is no longer necessary for the purpose for which it was collected.

It also allows the Controller to retain the data after the purpose ends, but only if the retained information no longer contains anything that may lead to identifying the Data Subject, in accordance with the controls set out in the Regulations.

This ensures that Personal Data is not kept in an identifiable form once there is no longer a valid purpose for retaining it.

Article 18(2)(a)

Retention Based on Legal Period

This provision explains that Personal Data may be retained after the original purpose ends if a specific legal basis requires it to be kept for an identified period. Once that legal period expires or the original purpose is satisfied, whichever is later, the data must be destroyed.

This ensures compliance with mandated retention periods while preventing indefinite storage once the allowed timeframe ends.

Article 18(2)(b)

Retention for Judicial Needs

This provision allows retention of Personal Data when it is directly relevant to an active judicial case and must be preserved for that purpose. The Controller is permitted to hold the data until the legal proceedings are fully concluded. Once the judicial process ends, the retention is no longer justified and the Personal Data must be destroyed.

This prevents continued storage of data once legal requirements no longer apply.
