saudi-pdpl.com

Article 16

The Controller shall not disclose Personal Data in the situations stated in Paragraphs (1, 2, 5) and (6) of Article (15) if the Disclosure:

  1. Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
  2. Affects the Kingdom’s relations with any other state.
  3. Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
  4. Compromises the safety of an individual.
  5. Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
  6. Conflicts with the interests of a person that fully or partially lacks legal capacity.
  7. Violates legally established professional obligations.
  8. Involves a violation of an obligation, procedure, or judicial decision.
  9. Exposes the identity of a confidential source of information in a manner detrimental to the public interest.

FAQs

A Controller is required to delete your personal data when: 

  • It’s no longer necessary for the purpose it was originally collected. 
  • You withdraw your consent and no other legal basis supports its retention. 
  • It was processed unlawfully. 
  • A legally mandated retention period has expired (e.g. for financial or judicial requirements). 
  • If it relates to an ongoing judicial case, it must be retained only for as long as necessary for that case, then deleted.

Deletion must be implemented in a secure and irreversible manner: 

  • Digital data must be permanently erased (e.g., using secure wipe tools), ensuring it cannot be recovered. 
  • Paper records must be destroyed securely (e.g., shredding or incineration). 
  • Backups and archives must also be cleaned after expiry or once a judicial hold ends.
  • Controllers should employ controlled mechanisms, technical tools and procedural checks to guarantee complete deletion.

How do they show they actually deleted it? 

Controllers must maintain a clear, auditable record of every deletion action, documenting: 

  • What personal data was deleted (data type or record ID). 
  • When it was deleted (timestamped). 
  • How it was destroyed (e.g., wiped or shredded). 
  • Who authorized or executed the deletion. 
  • Why the deletion was performed (e.g., purpose fulfilled, or consent withdrawn).

These records serve as an essential audit trail for proving compliance to regulators like SDAIA.
