Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 4 establishes the core Data Subject Rights (DSR) under the PDPL. These rights give individuals control over how their personal data is collected, accessed, corrected, updated, and deleted.
The Article specifies the rights that must be enabled by Controllers and sets the foundation for lawful, transparent processing across the Kingdom.
Saudi PDPL Article 4
Data Subject shall have the following rights pursuant to this Law and as set out in the Regulations:
- The right to be informed about the legal basis and the purpose of the Collection of their Personal Data.
- The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.
- The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations.
- The right to request correcting, completing, or updating their Personal Data held by the Controller.
- The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law.
Explanation of Saudi PDPL Article 4
Article 4(1)
Right To Be Informed
This provision gives individuals the right to understand the legal basis and purpose for collecting their personal data. The Controller must provide clear information about why the data is collected and how it will be used.
This right ensures transparency and allows individuals to know the justification for any collection activity. It also helps individuals understand the context in which their data is processed.
Article 4(2)
Right To Access Data
This provision grants individuals the right to access personal data that the Controller holds about them. Access must follow the rules and controls specified in the Regulations.
Individuals must also be able to obtain a copy of their personal data. The provision ensures visibility into the data held by the Controller and supports accountability in processing.
Article 4(3)
Right To Obtain Readable Copy
This provision gives individuals the right to request their personal data in a readable and clear format.
The Controller must follow the procedures established in the Regulations to provide the data in a format that the individual can easily understand.
This right supports portability and transparency by ensuring that personal data is accessible and usable.
Article 4(4)
Right To Correct Or Update Data
This provision allows individuals to request correction, completion, or updating of their personal data.
When an individual identifies inaccurate, incomplete, or outdated information, they may ask the Controller to amend it.
The Controller must follow the procedural requirements defined in the Regulations. This right helps maintain data accuracy and ensures that personal data is current and reliable.
Article 4(5)
Right To Request Destruction
This provision grants individuals the right to request the destruction of their personal data when the data is no longer needed by the individual.
The Controller must assess whether the data is still required and act accordingly. The right is subject to the conditions and exceptions linked to Article 18.
This provision ensures that personal data is not retained beyond the period in which it is needed by the individual.
Related PDPL Regulations, Rules & Guidelines
- Saudi PDPL Article 1 (16)
- Saudi PDPL Article 9
- Saudi PDPL Article 12
- Saudi PDPL Article 16
- Saudi PDPL Article 21
- PDPL Implementing Regulation Article 3
- PDPL Implementing Regulation Article 4
- PDPL Implementing Regulation Article 5
- PDPL Implementing Regulation Article 6
- PDPL Implementing Regulation Article 7
- PDPL Implementing Regulation Article 8
