Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 24 establishes specific controls for Processing Credit Data given the sensitive nature of financial information and its connection to an individual’s economic identity. The Article requires Controllers to implement measures to verify that explicit consent has been given when required for the collection, change of purpose, disclosure, or publishing of Credit Data, and to notify the Data Subject whenever any entity requests disclosure of their Credit Data.
These rules enhance transparency and ensure that Credit Data is handled in accordance with the additional controls set out in the Regulations and the Credit Information Law.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 24
Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Credit Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law and the Credit Information Law. Such controls and procedures shall include the following:
- Implementing appropriate measures to verify that the Data Subject has given their explicit consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the provisions of this Law and the Credit Information Law.
- Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 24(1)
Consent Verification Requirements
This clause requires the Controller to implement measures that verify the Data Subject has given explicit consent before their Credit Data is collected, used for a new purpose, disclosed, or published. Because the text lists Collection, change of purpose, Disclosure, and Publishing, the requirement applies universally across all Processing stages.
The Controller must be able to prove that consent was explicit and tied to the described Processing, and must ensure that Processing aligns with both the PDPL and the Credit Information Law.
Article 24(2)
Notification Before Disclosure Requests
This provision requires that the Data Subject be notified whenever any entity requests Disclosure of their Credit Data. The text specifies that notification must occur upon receipt of the request itself rather than after a Disclosure decision is made. This ensures that the Data Subject is aware of who is seeking access and can take protective steps if necessary.
The notification obligation enhances transparency and reinforces the Data Subject’s financial privacy rights by ensuring they are informed before their Credit Data is shared.
