saudi-pdpl.com

Article 18

  1. The Controller shall, without undue delay, Destroy the Personal Data when they are no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist, provided that it does not contain anything that may lead to specifically identifying the Data Subject, pursuant to the controls stipulated in the Regulations.
  2. In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:

    a) If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever is longer.

    b) If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.

FAQs

Yes, if your personal data is involved in a breach that could harm your rights or interests (such as fraud, identity theft, financial loss, or reputational damage), the Controller must notify you directly, without waiting.

The notice sent to you must contain:

  • A clear description of the breach (what happened and when)
  • The types of personal data affected (e.g., names, account details, health records)
  • Potential consequences you might face (like fraud or misuse)
  • What the Controller is doing or plans to do to contain the problem and prevent it from recurring
  • Advice on steps you should take to protect yourself, such as changing passwords or monitoring your accounts
  • Contact details of someone you can reach out to with questions (for example, their Data Protection Officer or support team)

Yes, the notification must be made without undue delay. Ideally, it is sent at the same time the Controller reports the breach to SDAIA (usually within 72 hours). Unlike some laws that allow exceptions, the PDPL does not permit withholding or delaying notification to you, even if protective measures are in place.
