Overview
PDPL Implementing Regulation Article 19 sets clear requirements for applying the data minimization principle during the collection and retention of Personal Data. It obligates Controllers to collect only the minimum amount of data necessary for a specific Processing purpose, determine necessity through structured tools such as data maps, and avoid gathering any unnecessary data.
The Regulation also requires Controllers to retain only the minimal amount of Personal Data needed to fulfil the Processing purpose.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 19: Data Minimisation
- The Controller shall collect only the minimum amount of Personal Data necessary to achieve the purpose of the Processing, and ensure the following:
- Collecting only the necessary Personal Data that is directly related to the purpose of Processing, and this shall be determined using appropriate means, including data maps that indicate the need for each collected data and link it to each objective of the Processing or other means.
- Provide necessary care to achieve the purpose of the Processing without collecting unnecessary Personal Data.
- The Controller shall retain the minimal Personal Data necessary to achieve the purpose of the Processing.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
