Overview
PDPL Implementing Regulation Article 25 establishes the requirement for Controllers to conduct a written impact assessment (DPIA) when certain types of high-risk Personal Data Processing occur. These situations include Sensitive Data Processing, combining data from multiple sources, continuous or large-scale Processing, automated decision-making, monitoring, and Processing activities likely to cause serious harm to Data Subjects. The Article defines the minimum mandatory components of a DPIA and the information that must be shared with Processors, and it requires remediation and reassessment if the DPIA identifies potential harm.
This Article represents the core operational framework for Data Protection Impact Assessments (DPIA) under the Saudi PDPL.
PDPL Implementing Regulation Article 25
- The Controller shall prepare a written and documented assessment of the potential impacts and risks that may affect the Data Subject as a result of Personal Data Processing. Impact assessment shall be conducted in the following cases:
  - Processing of Sensitive Data.
  - Collecting, comparing, or linking two or more sets of Personal Data obtained from different sources.
  - The activity of the Controller includes continuous and large-scale Processing of Personal Data of those who fully or partially lack legal capacity, or Processing operations that by their nature require continuous monitoring of Data Subjects or Processing Personal Data using new technologies, or making decisions based on automated Processing of Personal Data.
  - Providing a product or service that involves Processing Personal Data that is likely to cause serious harm to the privacy of Data Subjects.
- The impact assessment shall include at least the following elements:
  - Purpose of the Processing and its legal basis.
  - Description of the nature of the Processing to be conducted, the types and sources of Personal Data to be processed, and any entities to whom the Personal Data is to be disclosed.
  - Description of the scope of the Processing, which identifies the type of Personal Data and the geographical scope of the Processing.
  - Description of the context of the Processing, which identifies the relationship between the Data Subjects, the Controller, and the Processors, as well as any other relevant circumstances.
  - Necessity and proportionality of the measures to be taken to enable the Controller and Processors to process the minimal Personal Data necessary to achieve the purposes of the Processing.
  - Impact of the Processing, based on the severity of its impact, materially and morally, and the likelihood of any negative impact on Data Subjects, including any psychological, social, physical, or financial impact, and the likelihood of their occurrence.
  - Measures that will be taken to prevent or limit the risks.
  - The suitability of the measures envisaged to avoid identified risks.
- The Controller shall provide a copy of the impact assessment to any Processor acting on its behalf in relation to the relevant Processing.
- The Controller shall, if the assessment mentioned in this article indicates that the Processing operation will harm the privacy of the Data Subjects, address the reasons for that and re-conduct the assessment.