Article 26: Exceptions for Marketing Data Processing

saudi-pdpl.com


With the exception of Sensitive Data, Personal Data may be processed for marketing purposes if it is collected directly from the Data Subject and the Data Subject's consent is given in accordance with the provisions of the Law; the Regulations shall set out the controls in this regard.

FAQs

Controllers must implement enhanced technical, organisational, and administrative safeguards to protect health data from unauthorized use, misuse, or processing beyond its original purpose. Specific requirements include: 

  • Strict access controls: Only personnel who genuinely need access for their job functions can view or process your health information. Roles and permissions must be clearly defined and enforced.  
  • Clear task ownership: Every stage of health data processing should have a documented owner responsible for compliance and oversight.  
  • Comprehensive documentation: All processing steps from collection to deletion must be recorded to ensure traceability.  
  • Regulatory alignment: Controllers must comply with sector-specific rules issued by authorities like the Ministry of Health, Saudi Health Council, and other regulators, and integrate those standards into internal policies.

Access to health data must be limited strictly on a need-to-know principle: 

  • Only authorized employees or approved third-party processors, whose specific job responsibilities necessitate access, may handle your health information.  
  • Access roles must be clearly defined, differentiated, and periodically reviewed to prevent unauthorized exposure.

Both health and credit data fall under the "sensitive personal data" category and require additional compliance: 

  • Explicit consent is mandatory before processing. Legitimate interest cannot be used as the legal basis here. 
  • Special organisational measures must be implemented, including: 
      • Strict access controls and audit trails 
      • Detailed data mapping and owner assignment 
      • Minimum data collection aligned with the purpose ("data minimisation") 
      • Adherence to both the PDPL and the specific sectoral regulations (e.g., Ministry of Health rules or the Credit Information Law).  
  • Notification obligation for credit data: if your credit data is requested by another entity, the Controller must explicitly inform you.