KSAPDPL.COM


Saudi PDPL Article 18 – Personal Data Retention and Destruction

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 18 sets out the rules governing when Personal Data must be deleted and when it may be retained. The Article requires Controllers to destroy Personal Data without undue delay once the purpose of collection has been fulfilled, unless a lawful reason justifies continued retention.

It also allows retention only when the data no longer contains anything that can identify the Data Subject, in accordance with the controls set by the Regulations, when another legal basis requires retention for a specific period, or when the data is needed for an active judicial case. After these periods end, the data must be destroyed.

Article 18 ensures that Personal Data is not kept longer than necessary and that any remaining retention aligns with legal requirements set out in the Regulations.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 18

  1. The Controller shall, without undue delay, Destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.

  2. In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:

    1. If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever longer.

    2. If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 18(1)

Removal When No Longer Needed

This provision establishes the core rule that Controllers must destroy Personal Data without undue delay once it is no longer necessary for the purpose for which it was collected.

It also allows the Controller to retain the data after the purpose ends, but only if the retained information no longer contains anything that may lead to identifying the Data Subject, in accordance with the controls set out in the Regulations.

This ensures that Personal Data is not kept in an identifiable form once there is no longer a valid purpose for retaining it.

PDPL Article 18(2)(a)

Retention Based on Legal Period

This provision explains that Personal Data may be retained after the original purpose ends if a specific legal basis requires it to be kept for an identified period. Once that legal period expires or the original purpose is satisfied, whichever is later, the data must be destroyed.

This ensures compliance with mandated retention periods while preventing indefinite storage once the allowed timeframe ends.

PDPL Article 18(2)(b)

Retention for Judicial Needs

This provision allows retention of Personal Data when it is directly relevant to an active judicial case and must be preserved for that purpose. The Controller is permitted to hold the data until the legal proceedings are fully concluded. Once the judicial process ends, the retention is no longer justified and the Personal Data must be destroyed.

This prevents continued storage of data once legal requirements no longer apply.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can we keep personal data “just in case” we might need it later?
No, Article 18 limits retention to the period needed to achieve the purpose of collection. Keeping data for hypothetical future use does not meet that standard.

In e-commerce, can we retain customer information forever for marketing?
No, retention must align with the original collection purpose and Article 18’s requirements. Marketing alone does not justify indefinite retention.

Does Article 18 require us to set a specific retention period for each type of data?
Yes, you must determine how long the data is needed to achieve the purpose. The Regulation governs how retention periods and extensions are set.

Yes, Article 18 allows retention extension when there is a legal requirement or valid need to retain the data. The extension rules are set by the Regulation.

In HR, can employee files be kept after termination under Article 18?
Yes, but only as long as needed for the purpose or a valid extension ground. Once no longer needed, the data must be destroyed.

What does “destroying personal data” mean under Saudi PDPL?
Destruction means making the data unreadable or impossible to link back to a person. It is not the same as archiving or hiding it.

Can a SaaS vendor decide retention periods for the customer’s data?
No, the Controller sets the retention period because it determines the purpose of processing. The Processor follows the Controller’s instructions.

If data is stored in backups, does Article 18 still require destruction after the retention period ends?
Yes, backup copies are still subject to retention and destruction rules. They must be handled in a way that respects Article 18’s limits.

In fintech, can we retain KYC data longer “for safety” even if the purpose is completed?
Only if a valid retention extension applies under Article 18. Otherwise, KYC data must be destroyed once the original purpose is achieved.

If personal data is anonymized, does Article 18 still apply?
If the data is truly anonymized and cannot be linked to a person, Article 18 retention limits generally do not apply. If re-identification is possible, treat it as personal data.

Common misconception: “Deleting data from the app is enough to meet PDPL destruction rules.” Is that correct?
No, destruction means making the data unreadable and irretrievable across all systems. Removing it from a user interface is not the same as destroying it.

Do we need to notify users when we destroy their data under Saudi PDPL?
Article 18 does not require user notification for routine destruction. The duty is to destroy data once no longer needed, following the Regulation’s rules.
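The following is an added worked example, not code from KSAPDPL.COM or from SDAIA, showing how the retention decision described in Article 18(1), 18(2)(a) and 18(2)(b) above, together with the FAQ points on backups and de-identified data, can be turned into a deterministic check that a Controller's retention scheduler could run. The record fields (`purpose_fulfilled_on`, `legal_retention_ends_on`, `judicial_hold`, `identifiable`, `locations`), the sample records and the dates are all constructed assumptions; whether a dataset actually counts as de-identified under the Regulations' controls is a determination the example takes as an input flag rather than attempting to decide.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed record schema (not from the PDPL text): one row per dataset or
# data category that the Controller tracks in its retention inventory.
@dataclass
class RetentionRecord:
    record_id: str
    purpose_fulfilled_on: Optional[date]           # None while purpose is still active
    legal_retention_ends_on: Optional[date] = None # Art. 18(2)(a): legal basis with a set period
    judicial_hold: bool = False                    # Art. 18(2)(b): active case before a judicial authority
    identifiable: bool = True                      # Art. 18(1): de-identified data may be retained
    locations: List[str] = field(default_factory=lambda: ["primary"])  # incl. backups (FAQ)


def destruction_due_date(rec: RetentionRecord) -> Optional[date]:
    """Earliest date on which destruction becomes mandatory, or None if not yet known.

    Art. 18(2)(a): if a legal retention period exists, destroy when that period lapses
    or when the purpose is satisfied, whichever is later.
    """
    if rec.purpose_fulfilled_on is None:
        return None
    if rec.legal_retention_ends_on is None:
        return rec.purpose_fulfilled_on
    return max(rec.purpose_fulfilled_on, rec.legal_retention_ends_on)


def retention_decision(rec: RetentionRecord, today: date) -> Tuple[str, str, Optional[date]]:
    """Return (action, reason, due_date) where action is 'retain' or 'destroy'."""
    if not rec.identifiable:
        # Art. 18(1), second sentence: retention allowed when nothing identifies the Data Subject.
        return ("retain", "de-identified under the Regulations' controls (Art. 18(1))", None)
    if rec.purpose_fulfilled_on is None:
        return ("retain", "purpose of collection still active", None)
    if rec.judicial_hold:
        # Art. 18(2)(b): hold until judicial procedures are concluded; no fixed date.
        return ("retain", "required for a case before a judicial authority (Art. 18(2)(b))", None)
    due = destruction_due_date(rec)
    if today >= due:
        basis = "legal retention period lapsed" if rec.legal_retention_ends_on else "purpose fulfilled"
        return ("destroy", f"{basis} (Art. 18)", due)
    return ("retain", f"legal retention period runs until {due.isoformat()} (Art. 18(2)(a))", due)


def destruction_plan(records: List[RetentionRecord], today: date) -> dict:
    """Map each record due for destruction to every location that must be purged.

    Per the FAQ, destruction applies to all copies (backups included), not only the
    copy visible in the application.
    """
    plan = {}
    for rec in records:
        action, _, _ = retention_decision(rec, today)
        if action == "destroy":
            plan[rec.record_id] = list(rec.locations)
    return plan


# Constructed sample inventory for illustration.
SAMPLE_RECORDS = [
    RetentionRecord("crm-marketing", date(2025, 1, 15), locations=["primary", "backup-weekly"]),
    RetentionRecord("finance-invoices", date(2025, 1, 15), legal_retention_ends_on=date(2030, 1, 15)),
    RetentionRecord("hr-dispute-file", date(2024, 11, 1), judicial_hold=True),
    RetentionRecord("usage-statistics", date(2024, 6, 1), identifiable=False),
    RetentionRecord("active-orders", None),
    # Legal period already lapsed, and purpose fulfilled later: the later date governs.
    RetentionRecord("old-contracts", date(2025, 3, 1), legal_retention_ends_on=date(2024, 12, 31),
                    locations=["primary", "archive", "backup-monthly"]),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, *retention_decision(rec, today))
    print(destruction_plan(SAMPLE_RECORDS, today))
```

Running the module as a script with the constructed inventory prints one decision per record and a plan naming every location to purge; a real deployment would feed the plan to whatever deletion jobs cover the primary store, archives and backup sets, and log each completed destruction as evidence.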

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.
