KSAPDPL.COM


PDPL Implementing Regulation Article 4 – Right to be Informed

Overview

Saudi PDPL Implementing Regulation Article 4 defines the information a Controller must provide to Data Subjects before or when collecting personal data. It lists the required disclosures, sets out exceptions, and establishes conditions for informing individuals when data is collected from third parties.

It also provides rules for situations involving sensitive data, automated decisions, continuous processing, additional purposes, and cases where Data Subjects have limited legal capacity.

SDAIA's Official PDPL Implementing Regulation Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 4: Right to be informed

  1. If the Personal Data is collected directly from the Data Subject, the Controller shall, before or when collecting the Data, take the necessary measures to inform the Data Subject of the following:

    a. Controller’s identity, its contact details, and any other details related to the channels established by the Controller for the purpose of communicating in relation with Personal Data protection.

    b. Contact details of the data protection officer appointed by the Controller, where applicable.

    c. The legal basis and a specific, clear, and explicit purpose for collecting and Processing Personal Data.

    d. The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.

    e. Explanation about Data Subject’s rights, as stipulated in Article (4) of the Law and the mechanisms for exercising those rights.

    f. Explanation on how to withdraw consent given to process of any Personal Data.

    g. Explaining whether collecting or Processing Personal Data is mandatory or optional.

  2. The provisions of paragraph (1) of this article shall not apply if the information specified in sub-paragraphs (a) to (g) is already available to the Data Subject, or if providing such information conflicts with any of the existing laws in the Kingdom.

  3. If Personal Data is collected directly from an individual other than the Data Subject, the Controller shall, without undue delay and within a period not exceeding (30) days, take necessary steps to inform the Data Subject of the provisions specified in paragraph (1) of this article, in addition to the categories of Personal Data being processed and the source from which the Controller obtained it.

  4. The provisions of paragraph (3) of this article shall not apply in any of the following conditions if:

    a. The information is already available to the Data Subject.

    b. The implementation is not possible or requires disproportionate effort.

    c. The Controller obtained the data in accordance with a law.

    d. The Controller is a Public Entity and the Collection of Personal Data is for security purposes, or to fulfil judicial requirements, or to achieve a Public Interest.

    e. The Personal Data is subject to professional confidentiality provisions established by law.

  5. When a Controller whose activities require continuous and a large scale Processing of Personal Data on individuals that fully or partially lack legal capacity, or continuous monitoring of Data Subjects, adoption of new technologies, or making automated decisions based on Personal Data, shall take the necessary measures to inform the Data Subject of what is stipulated in paragraph (1) of this Article, in addition to the following:

    a. Means and methods of collecting and Processing Sensitive Data, where applicable.

    b. Means and procedures taken to protect Personal Data.

    c. Indicate whether decisions will be made based solely on automated Processing of Personal Data.

  6. When the Controller engages in additional Processing of Personal Data for a purpose other than the one for which it was initially collected for, it shall provide the Data Subject with the necessary information in accordance with the provisions of this article, before conducting the additional Processing.

  7. The Controller shall provide the required information in an appropriate language as stipulated in this Article when aware that the Data Subject fully or partially lacks legal capacity.

Plain-Language PDPL Implementing Regulation Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Implementing Regulation Article 4(1)

Transparency Obligations For Controllers

This provision requires the Controller, when collecting personal data directly from the Data Subject, to take necessary measures before or at the time of collection to inform the Data Subject of specific details. It sets the foundation for transparency by establishing that information must be provided as part of the collection process.

The subparagraphs that follow define the exact disclosures the Controller must communicate.

PDPL Implementing Regulation Article 4(1)(a)

Controller Identity Disclosure

This provision requires informing the Data Subject of the Controller’s identity, contact details, and any details related to channels established for communication on personal data protection.

It ensures the Data Subject knows who is responsible for the processing and how they may communicate with the Controller regarding matters related to personal data.

PDPL Implementing Regulation Article 4(1)(b)

Personal Data Protection Officer (DPO) Contact

This provision requires the Controller to disclose the contact details of the appointed data protection officer where applicable.

It ensures that the Data Subject is aware of how to reach the designated person responsible for overseeing compliance and responding to matters related to personal data protection.

PDPL Implementing Regulation Article 4(1)(c)

Legal Basis and Purpose

This provision requires informing the Data Subject about the legal basis and a specific, clear, and explicit purpose for collecting and processing personal data.

It ensures that the Data Subject understands the reason for the collection and the lawful basis supporting it.

PDPL Implementing Regulation Article 4(1)(d)

Retention Period Explanation

This provision requires the Controller to explain the period for which personal data will be stored or, when not possible, the criteria used to determine that period.

It establishes transparency regarding how long the data will remain in the Controller’s possession.

PDPL Implementing Regulation Article 4(1)(e)

Data Subject Rights (DSR) Information

This provision requires explaining the Data Subject’s rights as stipulated in Article 4 of the Law and the mechanisms available to exercise those rights.

It ensures that the Data Subject is aware of their entitlements and understands how to act on them.

PDPL Implementing Regulation Article 4(1)(f)

Consent Withdrawal Information

This provision requires explaining how the Data Subject may withdraw consent given for processing personal data.

It ensures the Data Subject is informed of the method for reversing consent when consent is the basis for processing.

PDPL Implementing Regulation Article 4(1)(g)

Mandatory Or Optional Nature

This provision requires informing the Data Subject whether collecting or processing personal data is mandatory or optional.

It clarifies whether providing the data is a requirement or a choice.

PDPL Implementing Regulation Article 4(2)

When Initial Disclosures Are Not Required

This provision states that the obligations listed in subparagraphs (a) to (g) of paragraph (1) do not apply when the information is already available to the Data Subject or when providing the information would conflict with existing laws in the Kingdom.

It creates specific exceptions to the disclosure requirement.

PDPL Implementing Regulation Article 4(3)

Informing When Data Comes From Others

This provision requires the Controller, when collecting personal data directly from an individual other than the Data Subject, to inform the Data Subject without undue delay and within thirty days. The Controller must provide the information specified in paragraph (1) and also disclose the categories of personal data and the source from which it was obtained.

It ensures that the Data Subject is aware of processing even when the data is collected indirectly.

PDPL Implementing Regulation Article 4(4)

Exceptions To Third Party Notification

This provision lists the conditions under which the obligations in paragraph (3) do not apply. It creates a defined set of scenarios in which notifying the Data Subject is not required.

PDPL Implementing Regulation Article 4(4)(a)

Information Already Known

This provision exempts notification when the information is already available to the Data Subject. It avoids duplicating information the Data Subject already possesses.

PDPL Implementing Regulation Article 4(4)(b)

Disproportionate Or Impossible Implementation

This provision exempts the Controller when implementation is not possible or requires disproportionate effort. It acknowledges practical limitations that may prevent compliance.

PDPL Implementing Regulation Article 4(4)(c)

Compliance With Law

This provision exempts notification when the Controller obtained the data in accordance with a law. It recognizes that lawful acquisition may override the need for additional notice.

PDPL Implementing Regulation Article 4(4)(d)

Public Entity Purposes

This provision exempts notification when the Controller is a Public Entity and the collection of personal data is for security purposes, judicial requirements, or achieving a Public Interest. It defines specific public sector scenarios that do not require notice.

PDPL Implementing Regulation Article 4(4)(e)

Professional Confidentiality Restrictions

This provision exempts notification when the personal data is subject to professional confidentiality provisions established by law. It ensures consistency with legal confidentiality obligations.

PDPL Implementing Regulation Article 4(5)

Large Scale Or Continuous Processing

This provision requires Controllers engaged in continuous or large-scale processing of personal data of individuals lacking full or partial legal capacity, or in continuous monitoring or automated decision making, to inform the Data Subject of the details listed in paragraph (1), along with additional requirements.

It expands transparency obligations in high-impact processing scenarios.

PDPL Implementing Regulation Article 4(5)(a)

Sensitive Data Methods

This provision requires informing the Data Subject about the means and methods of collecting and processing sensitive data where applicable. It highlights the need for transparency in sensitive data handling.

PDPL Implementing Regulation Article 4(5)(b)

Protection Measures

This provision requires the Controller to inform the Data Subject about the means and procedures used to protect personal data. It clarifies the security arrangements associated with processing.

PDPL Implementing Regulation Article 4(5)(c)

Automated Decision Making

This provision requires indicating whether decisions will be made based solely on automated processing of personal data. It ensures the Data Subject is aware of automated decision making activities.

PDPL Implementing Regulation Article 4(6)

Additional Purpose Processing

This provision requires that when the Controller engages in additional processing of personal data for a purpose different from the original one for which it was collected, it must provide the Data Subject with the necessary information in accordance with this article.

The information must be provided before undertaking the additional processing.

PDPL Implementing Regulation Article 4(7)

Appropriate Language Requirement

This provision requires the Controller to provide the required information in an appropriate language when the Data Subject fully or partially lacks legal capacity.

It ensures effective communication tailored to the Data Subject’s needs.

Frequently Asked Questions (FAQs)

Does Article 4 of the PDPL Implementing Regulation require businesses to always inform individuals before collecting Personal Data?
Yes, the rule of thumb is that individuals must be informed at or before collection. Article 4 reinforces transparency as a core expectation under the Saudi Personal Data Protection Law (KSA PDPL).

If my company collects data indirectly, do we still need to inform the person?
Typically yes, unless another PDPL article provides an exception. Article 4 emphasizes that individuals should understand how and why their data is used.

Does providing a privacy policy on a website satisfy the right to be informed?
It often does if the policy is clear, accessible, and provided at the right time. Article 4 focuses on meaningful notice, not just posting a document.

In a mobile app, where should the information be displayed to meet Article 4 requirements?
The article does not prescribe placement, but in practice it should appear before or during data collection. Users must see it without needing to search.

Does Article 4 require controllers to notify Data Subjects about updates to their privacy policy?
The article does not detail update procedures. However, maintaining transparency generally means informing individuals when material changes occur.

If an employee is providing their data to HR, does Article 4 apply?
Yes, employees have the same right to be informed as any other Data Subjects. HR functions must follow the PDPL Implementing Regulation.

Does Article 4 cover verbal notice, or must it be written?
The article does not mandate a specific format. Written notice is common because it is clearer and easier to verify, but the key is that the individual understands the information.

Is it enough to inform individuals once, even if processing changes later?
Not if the purpose or method of processing changes materially. Article 4 supports ongoing transparency so individuals remain aware of how their data is used.

Can a controller rely on “implied notice” by assuming the Data Subject already knows the practice?
No, assumptions do not meet the standard. Article 4 requires explicit information.

Does the right to be informed apply to anonymous data?
No, it applies only when Personal Data is being processed. Anonymous data is outside PDPL scope.

Who is responsible for ensuring individuals are properly informed under Article 4?
The controller. Processors may assist, but the accountability sits with the controller.

What is a common misconception about Article 4 of the PDPL Implementing Regulation?
Many think simply having a privacy notice somewhere on a website is enough. Article 4 requires timing, clarity, and relevance, not just availability.
