PDPL Article 13 says that, when a controller collects personal data directly from the data subject, they must inform the individual about specific legal and practical details at the time of collection. This ensures the data subject is fully aware of how their personal data will be used, their rights, and any associated risks.
The law outlines seven mandatory disclosures that must be made before or during collection.
When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of the following upon Collection:
Saudi PDPL Article 13 (1)
State Legal Basis
The legal basis for collecting their Personal Data.
Saudi PDPL Article 13 (2)
Explain Purpose and Scope
The purpose of the Collection, and shall specify the Personal Data whose Collection is mandatory and the Personal Data whose Collection is optional. The Data Subject shall be informed that the Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose or in cases other than those stated in Article (10) of this Law.
Saudi PDPL Article 13 (3)
Identify Data Collector
Unless the Collection is for security purposes, the identity of the person collecting the Personal Data and the address of its representative, if necessary.
Saudi PDPL Article 13 (4)
List Data Recipients
The entities to which the Personal Data will be disclosed, the capacity of such entities, and whether the Personal Data will be transferred, disclosed or processed outside the Kingdom.
Saudi PDPL Article 13 (5)
Describe Non-Collection Risks
The potential consequences and risks that may result from not collecting the Personal Data.
Saudi PDPL Article 13 (6)
Mention Data Subject Rights
The rights of the Data Subject pursuant to Article (4) herein.
Saudi PDPL Article 13 (7)
Add Sector-Specific Details
Such other elements as set out in the Regulations based on the nature of the activity done by the Controller.
Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed. The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.
Explanation of Saudi PDPL Article 13
Data subjects must know why the collection is legally permitted:
Saudi PDPL Article 13 (1) says that the controller must clearly tell the data subject what legal reason justifies collecting their personal data.
Mandatory vs. optional data and limits on reuse must be explained:
Saudi PDPL Article 13 (2) says that the controller must state the purpose of collection, identify which data is required and which is optional, and clarify that it won’t be used for other purposes without a legal basis.
Inform who is collecting the data and their location, unless for security purposes:
Saudi PDPL Article 13 (3) says that the controller must disclose the identity and location of the collector, unless the data is being collected for security purposes.
Disclose who will receive the data and if it will be transferred outside Saudi Arabia:
Saudi PDPL Article 13 (4) says that the controller must tell the data subject who else will receive their data, the nature of those recipients, and if the data will be processed abroad.
Notify of risks that may occur if the data isn't collected:
Saudi PDPL Article 13 (5) says that the data subject must be told about any potential risks or consequences if they choose not to provide the requested personal data.
Explain what rights the data subject has under Article 4:
Saudi PDPL Article 13 (6) says that the data subject must be reminded of their legal rights regarding their personal data, as defined in Article 4.
Additional required disclosures may apply depending on the controller’s activity:
Saudi PDPL Article 13 (7) says that, based on the industry or type of activity, the Regulations may require extra disclosures that the controller must include during collection.