Overview
Personal Data Destruction, Anonymization, and Pseudonymisation Guideline — First: Personal Data Destruction explains when and how Controllers must permanently destroy personal data under the Saudi Personal Data Protection Law (PDPL).
It clarifies destruction triggers, mandatory conditions that must be met when destruction occurs, and acceptable technical destruction techniques, ensuring that personal data becomes permanently inaccessible, irrecoverable, and unidentifiable in compliance with Article 18 of the Law and related regulatory requirements.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
First: Personal Data Destruction
In cases where the Controller is required to destroy personal data, it shall ensure that the data is permanently and irrevocably deleted, rendering it inaccessible, unrecoverable, and unidentifiable. Data archiving or backup processes shall not be considered data destruction techniques. Such processes shall be treated as personal data in accordance with the Law and its Implementing Regulations. Additionally, the Controller shall comply with the requirements of Article 18 of the Law and other applicable data destruction regulations. This Guideline does not relieve entities of their obligation to adhere to relevant controls, standards, and rules issued by the National Cybersecurity Authority or other competent authorities.
- Destruction Circumstances: The Controller shall destroy personal data in any of the following cases:
  - Upon the request of the data subject.
  - If the personal data is no longer necessary to fulfill the purposes of its collection.
  - If the data subject withdraws their consent to the collection of their personal data, where consent was the sole legal basis for data processing.
  - If the Controller becomes aware that the personal data is being processed in a manner that violates the Law.
- Destruction Conditions: The Controller, upon the destruction of personal data, shall:
  - Take appropriate measures to notify other entities to whom the Controller has disclosed the relevant personal data and request that they destroy it.
  - Take appropriate measures to notify individuals to whom personal data has been disclosed by any means and request that they destroy it.
  - Destroy all copies of the personal data stored in the Controller's systems, including backups, taking into account any relevant regulatory requirements.
- Examples of Destruction Techniques:
  - Data Overwriting and Secure Erasure (SE): Data overwriting involves replacing original data with random, meaningless data, rendering the original data irretrievable. Secure erasure is a more advanced data deletion technique than overwriting. It involves issuing a command to the device's software to delete all data, including data residing in sectors not typically accessible through standard deletion processes.
  - Data Erasure (without Physical Media Destruction): This technique involves utilizing a degaussing device to neutralize the magnetic field that stores data, thereby rendering the data effectively unreadable. Degaussing is a secure and efficient technique that preserves the physical integrity of the storage device for reuse, making it the preferred technique for bulk data erasure operations. However, degaussing is limited to magnetic media and is not applicable to solid-state drives (SSDs) or flash-based storage.
  - Shredding and Distortion: Shredding assets into tiny shreds and physically distorting them to render the assets effectively unreadable.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Permanent and Irreversible Destruction
Legal and Regulatory Alignment
Controllers are required to comply with Article 18 of the Law and any other applicable data destruction regulations when destroying personal data. The guideline also confirms that compliance with this guidance does not replace obligations under cybersecurity controls, standards, or rules issued by the National Cybersecurity Authority (NCA) or other competent authorities.