Saudi Arabia: SDAIA publishes further guidelines to support PDPL compliance
On September 3, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) shared via LinkedIn three guidelines intended to support the implementation of the provisions of the Personal Data Protection Law (PDPL) and its Regulations and encourage entities to adopt best practices. SDAIA published the following guidelines:
- Personal Data Disclosure Cases Guideline (guidelines on disclosure cases);
- Personal Data Processing Activities Records Guideline (guidelines on processing records);
- Personal Data Destruction, Anonymization, and Pseudonymization Guideline (guidelines on destruction, anonymization, and pseudonymization).
Disclosure cases
In particular, the guidelines on disclosure cases provide clarification on the exceptions in which controllers are allowed to disclose personal data:
- consent of the data subject;
- personal data collected from a publicly available source;
- disclosure is requested by a public entity to serve a public interest, for security purposes, to implement another law, or to fulfill judicial requirements;
- disclosure is necessary to safeguard public health, public safety, or the life or health of specific individuals; and
- disclosure is limited to subsequent personal data processing that does not result in the identification of the personal data subject or any other individual in particular.
The guidelines on disclosure cases also provide for the circumstances in which controllers shall not disclose personal data, including if the disclosure endangers the safety of an individual. Additionally, the controller shall include personal data disclosure activities in the personal data processing activities records, as well as document their dates, methods, and purposes.
Processing records
The guidelines on processing records set out the minimum items that must be included in the records, such as:
- information on the data protection officer (DPO), where the appointment of a DPO is required;
- a description of the categories of personal data being processed and the categories of data subjects;
- the retention period for personal data and, where possible, specific retention periods for each category of personal data;
- the categories of recipient entities to whom the personal data has been or will be disclosed; and
- a description of personal data transfer operations outside Saudi Arabia.
The guidelines on processing records further specify the details that must be provided in each item, including a sample template.
Destruction, anonymization, and pseudonymization
The guidelines on destruction, anonymization, and pseudonymization outline the cases in which the controller shall destroy personal data, as well as examples of destruction techniques, including:
- data overwriting and secure erasure (SE);
- data erasure without physical media destruction; and
- shredding and distortion.
Furthermore, the guidelines on destruction, anonymization, and pseudonymization establish the requirements for anonymizing personal data applicable to controllers, including conducting an impact assessment and an evaluation of the potential for re-identification.
The guidelines on destruction, anonymization, and pseudonymization also provide a list of commonly used pseudonymization techniques, such as:
- data generalization;
- data aggregation;
- data encryption; and
- data masking.
You can read the guidelines on disclosure cases here and the LinkedIn post here, the guidelines on processing records here and the LinkedIn post here, and the guidelines on destruction, anonymization, and pseudonymization here and the LinkedIn post here.