Overview
PDPL Implementing Regulation Article 8 sets out when a Controller must destroy personal data and the steps required during the destruction process.
It lists the specific circumstances that trigger destruction duties, describes the notifications and actions the Controller must take when data has been shared with others, and clarifies that the article operates alongside the destruction requirements established under Article 18 of the Law.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 8: Right to Request Destruction of Personal Data
- The Controller shall destroy the Personal Data in any of the following cases:
  - Upon Data Subject's request.
  - If the Personal Data is no longer necessary to achieve the purpose for which it was collected.
  - If the Data Subject withdraws their consent, and consent was the sole legal basis for Processing.
  - If the Controller becomes aware that the Personal Data is being processed in a way that violates the Law.
- When destroying Personal Data, the Controller shall take the following steps:
  - Take appropriate measures to notify other parties to whom the Controller disclosed the concerned Personal Data and request their Destruction.
  - Take the appropriate measures to notify the individuals to whom the Personal Data has been disclosed by any means and request its Destruction.
  - Destroy all copies of the Personal Data stored in the Controller's systems, including backups, in accordance with relevant regulatory requirements.
- The provisions of this article shall not prejudice the requirements specified in Article 18 of the Law and the legal requirements established by the relevant Competent Authorities.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 8(1)
Cases Requiring Destruction
This provision states that the Controller must destroy personal data in certain defined situations. These situations are listed in subparagraphs (a) through (d).
The provision establishes mandatory destruction duties that arise when particular conditions are present and ensures that personal data is removed when retention can no longer be justified.
Article 8(1)(a)
Mandatory Destruction Cases
Article 8(1)(b)
Purpose No Longer Exists
Article 8(1)(c)
Consent Withdrawal When Consent Was Sole Basis
Article 8(1)(d)
Processing Violates The Law
This provision requires destruction when the Controller becomes aware that the personal data is being processed in a way that violates the Law. It creates an obligation to remove data that is being handled unlawfully.
Article 8(2)
Steps Required During Destruction
This provision lists the actions a Controller must take when destroying personal data. The required steps are specified in subparagraphs (a) through (c). It establishes procedural duties that accompany destruction, particularly when data has been shared with others or is stored in multiple forms.
Article 8(2)(a)
Notify Third Parties
Article 8(2)(b)
Notify Individuals Who Received Data
This provision requires the Controller to notify individuals to whom the personal data has been disclosed by any means and to request its destruction. It applies where disclosure occurred to identifiable individuals rather than organizational parties.
Article 8(2)(c)
Destroy All Copies
This provision requires the Controller to destroy all copies of the personal data stored in its systems, including backups, in accordance with relevant regulatory requirements. It ensures that destruction is comprehensive and includes secondary or archived versions.
Article 8(3)
Co-Existence With Law and Regulatory Requirements
This provision clarifies that the destruction obligations outlined in this article operate alongside, and do not override, the specific requirements set out in Article 18 of the PDPL Law and any other legal requirements established by relevant Competent Authorities. It ensures that Controllers must comply with both sets of rules.
For example, Article 18 of the Law states that personal data must be destroyed when it is no longer necessary for its purpose but allows for retention in specific cases, such as when required by law or for ongoing judicial proceedings.
Therefore, a Data Subject’s request for destruction (under Article 8(1)(a) of this Regulation) must be evaluated against these higher-level legal retention obligations. If such an obligation applies, the Controller must retain the data as required by Article 18 of the Law, but must still follow the notification and procedural steps in Article 8(2) where possible and appropriate. This provision harmonizes the procedural details of the Regulation with the foundational legal principles of the Personal Data Protection Law.