PDPL Article 23 says that the processing of credit data must follow stricter rules, as defined in both the PDPL and the Credit Information Law. These rules are meant to ensure privacy and transparency when handling financial and credit-related personal data.
The controller must:
Verify explicit consent for collecting, disclosing, publishing, or changing the purpose of credit data processing.
Notify the data subject whenever any entity requests access to their credit data.
The Regulations provide detailed procedures and controls to operationalize these safeguards.
Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Credit Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law and the Credit Information Law. Such controls and procedures shall include the following:
Saudi PDPL Article 24 (1)
Verify Explicit Consent
Implementing appropriate measures to verify that the Data Subject has given their explicit consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the provisions of this Law and the Credit Information Law.
Saudi PDPL Article 24 (2)
Notify Disclosure Requests
Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.
Explanation of Saudi PDPL Article 24
Ensure consent for collection, purpose change, or disclosure of credit data
Saudi PDPL Article 24 (1) says that controllers must take clear steps to confirm that the data subject explicitly agreed to any collection, repurposing, or disclosure of credit-related personal data.
Inform data subjects when someone requests access to their credit data
Saudi PDPL Article 24 (2) says that if another entity asks to see someone’s credit data, the controller must notify the data subject before proceeding.