Overview
PDPL Implementing Regulation Article 3 sets the core rules for how Controllers must handle Data Subject rights (DSR) requests. It specifies the actions a Controller must take when a request is received, including responding within set time limits, ensuring technical and organizational measures are in place, verifying identity, and documenting all requests.
It also sets out when a Controller may refuse a DSR request and confirms that legal guardians may exercise rights on behalf of Data Subjects who lack full or partial legal capacity.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretations have been applied.
Article 3: General provisions for Data Subject Rights
- The Controller shall, upon receiving a request from the Data Subject regarding their rights as stipulated in the Law, do the following:
  - Act on the request of the Data Subject for exercising their rights under the Law within a period not exceeding (30) days and without delay. This period may be extended in case the implementation requires disproportionate effort, or if the Controller receives multiple requests from the data subject, provided that the extension does not exceed an additional (30) days and the Data Subject is notified in advance of the extension with the reasons for the delay.
  - Take the necessary technical, administrative, and organizational measures to ensure a prompt response to requests related to exercising rights.
  - Take appropriate measures to verify the identity of the requester before executing the request in accordance with relevant legal requirements.
  - Take the necessary measures to document and keep record of all submitted, including oral requests.
- The Controller may refuse to act on request when it is repetitive, manifestly unfounded, or requires disproportionate efforts, in which the Data Subject shall be notified of such reason.
- In cases where the Data Subject fully or partially lacks legal capacity, their legal guardian shall exercise their rights on their behalf.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 3(1)
Controller Obligations for Data Subject Rights (DSR) Requests
This provision requires the Controller, upon receiving a request from the Data Subject regarding their rights as stipulated in the Law, to perform specific actions. The Controller must act in line with the conditions that follow and treat the request in accordance with the Law.
The provision introduces a structured list of steps, covering the response period, internal measures, identity verification, and documentation of requests.
Article 3(1)(a)
Thirty-Day (30 days) DSR Response and Extension
This provision states that the Controller must act on the request of the Data Subject for exercising their rights under the Law within a period not exceeding thirty days and without delay. It allows this period to be extended where implementing the request requires disproportionate effort or where the Controller receives multiple requests from the same Data Subject.
Any extension must not exceed an additional thirty days, and the Data Subject must be notified in advance of the extension together with the reasons for the delay. The provision therefore links the possibility of an extension to specific conditions and requires prior notice to the Data Subject.
Article 3(1)(b)
Technical, Administrative, and Organizational Measures
This provision requires the Controller to take the necessary technical, administrative, and organizational measures to ensure a prompt response to requests related to exercising rights. It focuses on the internal readiness of the Controller, making clear that appropriate measures must be in place so that rights requests can be handled without undue delay.
The measures mentioned cover technology, administration, and organizational arrangements.
Article 3(1)(c)
Verifying Requester Identity
This provision obliges the Controller to take appropriate measures to verify the identity of the requester before executing the request, in accordance with relevant legal requirements. It confirms that identity verification is a required step and links that verification to applicable legal rules.
The provision aims to ensure that the Controller only acts on requests submitted by the correct individual or an authorized party.
Article 3(1)(d)
Recording All Submitted Requests
This provision requires the Controller to take the necessary measures to document and keep record of all submitted requests, including oral requests. It covers both the act of documenting and the ongoing keeping of records.
By expressly mentioning oral requests, the provision clarifies that the documentation obligation is not limited to written submissions.
Article 3(2)
Conditions For Refusing DSR Requests
This provision states that the Controller may refuse to act on requests when they are repetitive, manifestly unfounded, or require disproportionate efforts. In such cases, the Data Subject must be notified of the reason for refusal.
The provision therefore limits refusal to the specific cases mentioned and requires that the Data Subject receive an explanation.
Article 3(3)
Guardians Exercising Data Subject Rights
This provision specifies that, in cases where the Data Subject fully or partially lacks legal capacity, their legal guardian shall exercise their rights on their behalf.
It clarifies that the guardian steps in to exercise the rights granted under the Law whenever the Data Subject does not have full capacity.