Saudi Arabia: SDAIA publishes further guidelines to support PDPL compliance

On September 3, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) shared via LinkedIn three guidelines intended to support the implementation of the provisions of the Personal Data Protection Law (PDPL) and its Regulations and encourage entities to adopt best practices. SDAIA published the following guidelines:

  • Personal Data Disclosure Cases Guideline (guidelines on disclosure cases);
  • Personal Data Processing Activities Records Guideline (guidelines on processing records);
  • Personal Data Destruction, Anonymization, and Pseudonymization Guideline (guidelines on destruction, anonymization, and pseudonymization).

Disclosure cases

In particular, the guidelines on disclosure cases clarify the exceptional cases in which controllers are allowed to disclose personal data:

  • consent of the data subject;
  • personal data collected from a publicly available source;
  • disclosure is requested by a public entity to serve a public interest, for security purposes, to implement another law, or to fulfill judicial requirements;
  • disclosure is necessary to safeguard public health, public safety, or the life or health of specific individuals; and
  • disclosure is limited to subsequent personal data processing that does not result in the identification of the personal data subject or any other individual in particular.

The guidelines on disclosure cases also provide for the circumstances in which controllers shall not disclose personal data, including if the disclosure endangers the safety of an individual. Additionally, the controller shall include personal data disclosure activities in the personal data processing activities records, as well as document their dates, methods, and purposes.

Processing records

The guidelines on processing records set out the minimum items that must be included in the records, such as:

  • information on the data protection officer (DPO), where the appointment of a DPO is required;
  • a description of the personal data categories being processed and data subject categories;
  • the retention period for personal data and, where possible, specific retention periods for each category of personal data;
  • categories of recipient entities to whom the personal data has been or will be disclosed; and
  • a description of operations transferring personal data outside Saudi Arabia.

The guidelines on processing records further specify the details that must be provided in each item, including a sample template.

Destruction, anonymization, and pseudonymization

The guidelines on destruction, anonymization, and pseudonymization outline the cases in which the controller shall destroy personal data, as well as examples of destruction techniques, including:

  • data overwriting and secure erasure (SE);
  • data erasure without physical media destruction; and
  • shredding and distortion.

Furthermore, the guidelines on destruction, anonymization, and pseudonymization establish the requirements for anonymizing personal data applicable to controllers, including conducting an impact assessment and an evaluation of the potential for re-identification.

The guidelines on destruction, anonymization, and pseudonymization also provide a list of commonly used pseudonymization techniques, such as:

  • data generalization;
  • data aggregation;
  • data encryption; and
  • data masking.

You can read the guidelines on disclosure cases here and the LinkedIn post here, the guidelines on processing records here and the LinkedIn post here, and the guidelines on destruction, anonymization, and pseudonymization here and the LinkedIn post here.