Overview
PDPL Implementing Regulation Article 27 establishes the organizational, technical, and administrative safeguards required for protecting Credit Data from unauthorized use, misuse, access, or disclosure. The Article reinforces alignment with Saudi Central Bank (SAMA) requirements, mandates compliance with sector-specific credit information controls, and requires Controllers to obtain the consent of Data Subjects and notify them of any request to disclose their Credit Data.
The regulation also ensures consistency with the Credit Information Law and the PDPL’s consent standards, especially those referenced under Article 11.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 27: Processing Credit Data
Without prejudice to the provisions of the Credit Information Law, the Controller shall take organizational, technical, and administrative measures to protect Credit Data from any unauthorized use, misuse, access by unauthorized individuals, use for purposes other than for which it was collected, and Disclosure. The Controller shall adopt the following controls and procedures:
- Adopt and implement requirements and controls issued by the Saudi Central Bank and other relevant authorities, which define the roles and responsibilities of employees of establishments providing credit information services and of the parties that have contracts with such establishments to process Credit Data.
- Controller shall obtain the consent of the Data Subject and notify them of any request to disclose their Credit Data in accordance with the provisions of the Credit Information Law, while considering the provisions stated in subparagraph (d) of paragraph (1) of Article 11 of the Regulation.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 27(1)
Credit Sector Alignment (SAMA)
This provision requires Controllers to apply the requirements and controls issued by the Saudi Central Bank (SAMA) and other relevant authorities. These controls define the roles and responsibilities of employees and contracted parties involved in processing Credit Data for credit information services.