KSAPDPL.COM


Saudi PDPL Article 4 – Data Subject Rights (DSR)

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 4 establishes the core Data Subject Rights (DSR) under the PDPL. These rights give individuals control by allowing them to access their personal data, request its correction or updating, and request its destruction when appropriate.

The Article specifies the rights that must be enabled by Controllers and sets the foundation for lawful, transparent processing across the Kingdom.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 4

Data Subject shall have the following rights pursuant to this Law and as set out in the Regulations:

  1. The right to be informed about the legal basis and the purpose of the Collection of their Personal Data.

  2. The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.

  3. The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations.

  4. The right to request correcting, completing, or updating their Personal Data held by the Controller.

  5. The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 4(1)

Right To Be Informed

This provision gives individuals the right to understand the legal basis and purpose for collecting their personal data. The Controller must provide clear information about why the data is collected and how it will be used.

This right ensures transparency and allows individuals to know the justification for any collection activity. It also helps individuals understand the context in which their data is processed.

PDPL Article 4(2)

Right To Access Data

This provision grants individuals the right to access personal data that the Controller holds about them. Access must follow the rules and controls specified in the Regulations and the Saudi PDPL.

Individuals must also be able to obtain a copy of their personal data. The provision ensures visibility into the data held by the Controller and supports accountability in processing.

PDPL Article 4(3)

Right To Obtain Readable Copy

This provision gives individuals the right to request their personal data in a readable and clear format.

The Controller must follow the procedures established in the Regulations to provide the data in a format that the individual can easily understand.

This right supports transparency by ensuring that personal data is accessible and usable.

PDPL Article 4(4)

Right To Correct Or Update Data

This provision allows individuals to request correction, completion, or updating of their personal data.

When an individual identifies inaccurate, incomplete, or outdated information, they may ask the Controller to amend it.

The Controller must follow the procedural requirements defined in the Regulations. This right helps maintain data accuracy and ensures that personal data is current and reliable.

PDPL Article 4(5)

Right To Request Destruction

This provision grants individuals the right to request the destruction of their personal data when the data is no longer needed by the individual.

The Controller must assess whether the data is still required and act accordingly. The right is subject to the conditions and exceptions linked to Article 18.

This provision ensures that personal data is not retained beyond the period in which it is needed by the individual.

Frequently Asked Questions (FAQs)

Under Saudi Personal Data Protection Law (KSA PDPL), can I ask a company why they collected my phone number in the first place?

Yes, you can ask for the legal basis and the purpose behind collecting your Personal Data. A good rule of thumb is, if they collected it, they should be able to explain why and what it will be used for.

In KSA, does “right of access” mean I can see everything a company has about me in their CRM?

Generally yes. You can request access to the Personal Data the Controller holds about you, but access is handled under the rules and procedures set out in the Regulations. In practice, some access may be limited by the law’s access constraints referenced in Article 9.

What’s the difference between “access my data” and “get a readable copy” under Saudi Personal Data Protection Law (KSA PDPL) Article 4?

Access is about being able to view what the Controller holds about you. A readable copy is about receiving your Personal Data in a clear, understandable format when you request it.

Can I ask for my data in a format I can actually use, like a clear file instead of screenshots?

Yes, you can request your Personal Data in a readable and clear format. The Controller should follow the procedures in the Regulations to provide it in a way that is understandable.

If my address is wrong in an e-commerce account, can I ask the company to fix it under Saudi Personal Data Protection Law (KSA PDPL)?

Yes, you can request correction, completion, or updating of Personal Data held by the Controller. A practical rule is, if the data is inaccurate, incomplete, or outdated, you can ask for it to be amended.

For HR in KSA, can an employee ask to update their records, like nationality or emergency contact details?

Yes, the right to correct, complete, or update applies to Personal Data held by the Controller. In practice, HR records that are outdated or incomplete are a common use case for this right.

In Saudi Personal Data Protection Law (KSA PDPL), can I ask a company to delete my account and destroy my data because I do not need the service anymore?

Yes, you can request destruction of your Personal Data when it is no longer needed by you. In practice, the Controller still assesses whether it must retain some data, because this right is stated as being without prejudice to Article 18.

Does “destroy my Personal Data” under Saudi Personal Data Protection Law (KSA PDPL) mean the company must delete everything instantly?

Not necessarily. The right is to request destruction when the data is no longer needed by you, and it is linked to other legal provisions. A practical rule is that you can request it, but the Controller evaluates what it can destroy versus what it may still need to retain under the law.

If a fintech app denies my request to access my data, is that automatically a Saudi Personal Data Protection Law (KSA PDPL) violation?

Not automatically, because access is provided according to the rules and procedures in the Regulations, and it is also linked to the law’s access limitations. The practical next step is to ask the Controller which rule or limitation it is relying on.

Who is responsible for responding to a Data Subject Request (DSR), the app vendor or the business using the vendor?

The Controller is typically the one responsible, because Article 4 rights are described as being against the Controller holding the data. In practice, a Processor may help operationally, but the Controller remains the main point of accountability for enabling the rights.

No, the rights in Article 4 are framed as core Data Subject Rights under the law and the Regulations, not as something limited only to consent situations. A good rule is, if your data is collected and held by a Controller, these rights can still be relevant.

If I ask for my data in KSA, can the company give me a confusing export that I cannot understand?

No, you have a right to request your Personal Data in a readable and clear format. The rule of thumb is, the output should be understandable, not deliberately opaque.
