KSAPDPL.COM

Personal Data Destruction, Anonymization, and Pseudonymisation Guideline – First: Personal Data Destruction

Phase One: Personal Data Destruction of the Personal Data Destruction, Anonymization, and Pseudonymisation Guideline states that when an organization is required to destroy personal data under the Saudi PDPL, the data must be deleted in such a way that it cannot be recovered, identified, or accessed again. Archiving or backing up data does not qualify as destruction. The controller must follow legal and cybersecurity requirements when deleting data and ensure that others who received the data also destroy it. The guideline includes examples of techniques such as overwriting, degaussing, and shredding.

Data must be fully deleted, not just stored away. Notification and secure techniques are essential.

Phase One: Personal Data Destruction

In cases where the Controller is required to destroy personal data, it shall ensure that the data is permanently and irrevocably deleted, rendering it inaccessible, unrecoverable, and unidentifiable. Data archiving or backup processes shall not be considered data destruction techniques. Such processes shall be treated as personal data in accordance with the Law and its Implementing Regulations. Additionally, the Controller shall comply with the requirements of Article 18 of the Law and other applicable data destruction regulations. This Guideline does not relieve entities of their obligation to adhere to relevant controls, standards, and rules issued by the National Cybersecurity Authority or other competent authorities.

Destruction Circumstances:

The Controller shall destroy personal data in any of the following cases:

A) Upon the request of the data subject.

B) If the personal data is no longer necessary to fulfill the purposes of its collection.

C) If the data subject withdraws their consent to the collection of their personal data, where consent was the sole legal basis for data processing.

D) If the Controller becomes aware that the personal data is being processed in a manner that violates the Law.

Destruction Conditions:

The Controller, upon the destruction of personal data, shall:

A) Take appropriate measures to notify other entities to whom the Controller has disclosed the relevant personal data and request that they destroy it.

B) Take appropriate measures to notify individuals to whom personal data has been disclosed by any means and request that they destroy it.

C) Destroy all copies of the personal data stored in the Controller’s systems, including backups, taking into account any relevant regulatory requirements.

Examples of Destruction Techniques:

A) Data Overwriting and Secure Erasure (SE): Data overwriting involves replacing original data with random, meaningless data, rendering the original data irretrievable. Secure erasure is a more advanced data deletion technique than overwriting. It involves issuing a command to the device’s software to delete all data, including data residing in sectors not typically accessible through standard deletion processes.

B) Data Erasure (without Physical Media Destruction): This technique involves utilizing a degaussing device to neutralize the magnetic field that stores data, thereby rendering the data effectively unreadable. Degaussing is a secure and efficient technique that preserves the physical integrity of the storage device for reuse, making it the preferred technique for bulk data erasure operations. However, degaussing is limited to magnetic media and is not applicable to solid-state drives (SSDs) or flash-based storage.

C) Shredding and Distortion: Shredding assets into tiny shreds and physically distorting them to render the assets effectively unreadable.
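To make the overwriting technique in item A concrete, the following is an added example, not code from the Guideline or from this site: a file-level overwrite with random bytes, a read-back check, and deletion only after the check passes. The function names `overwrite_in_place` and `destroy_file` and the sample record are constructed for illustration.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB blocks


def overwrite_in_place(path, passes=1):
    """Replace a file's contents with random bytes; True if read-back matches."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b: rewrite existing bytes, no truncation
        for _ in range(passes):
            fh.seek(0)
            wrote = hashlib.sha256()
            remaining = size
            while remaining:
                block = secrets.token_bytes(min(CHUNK, remaining))
                fh.write(block)
                wrote.update(block)
                remaining -= len(block)
            fh.flush()
            os.fsync(fh.fileno())  # ask the OS to push this pass to the device
        fh.seek(0)
        seen = hashlib.sha256()
        for block in iter(lambda: fh.read(CHUNK), b""):
            seen.update(block)
    return seen.digest() == wrote.digest()


def destroy_file(path, passes=1):
    """Overwrite, verify, then unlink. The file is kept if verification fails."""
    if not overwrite_in_place(path, passes):
        return False
    os.remove(path)
    return True


# Scope: this reaches only the blocks the filesystem maps to this file today.
# Backups, snapshots, copy-on-write filesystems and flash remapped sectors
# hold copies it cannot touch; those need the secure-erasure or physical
# techniques in the list above.

if __name__ == "__main__":
    fd, demo = tempfile.mkstemp()  # constructed sample record, not real data
    with os.fdopen(fd, "wb") as f:
        f.write(b"name=Example Person;id=0000000000\n" * 1000)
    print("destroyed:", destroy_file(demo, passes=2))
```

The read-back is served from the operating system's cache, so it confirms that the overwrite was issued for the whole file, not that the physical medium no longer holds older copies.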

Explanation of Phase One: Personal Data Destruction

Situations requiring data destruction:

Phase One: Personal Data Destruction says that data must be destroyed when no longer needed, consent is withdrawn, processing is illegal, or the data subject asks.

Notify recipients, erase all copies:

Phase One: Personal Data Destruction also says that the controller must inform anyone it shared data with and delete all its copies, including backups.

Replace or wipe data irreversibly:

Phase One: Personal Data Destruction also says techniques like overwriting with random data or secure erasure commands ensure original data can’t be recovered.

Magnetic field-based erasure:

Phase One: Personal Data Destruction also says to use strong magnets to erase magnetic media (not SSDs), keeping devices reusable.

Physically destroy storage media:

Phase One: Personal Data Destruction also says to physically break or distort storage devices to prevent reading or recovery of data.
