KSA PDPL CHECKLIST
This KSA PDPL Checklist is designed to help organizations comply with the Saudi Personal Data Protection Law (PDPL). Working through each item in this KSA PDPL Checklist lets you confirm that every article and provision is addressed. The detailed KSA PDPL Checklist table follows.
| CHAPTER | SUB CHAPTER | TO DOS | COMPLIANT (YES / NO) | NOTES |
|---|---|---|---|---|
| 1- General provisions | | | | |
| “ | Article 1: Definitions | Are PDPL terms defined and communicated? | | |
| “ | Article 2: Scope of Application | Is the purpose of data processing identified and documented? | | |
| “ | Article 3: Processing Standards | Are data processing activities identified? | | |
| “ | Article 41: Data Confidentiality Obligation | Are data confidentiality obligations enforced during and after engagement? | | |
| “ | Article 42: Issuance of Implementing Regulations | Is the issuance of new regulations from the Competent Authority being monitored? | | |
| “ | Article 43: Effective Date of the Law | Are compliance measures ready for the Law’s effective date? | | |
| 2- Rights of Data Subject | | | | |
| “ | Article 4: Rights of Data Subjects | Is the lawful basis for PII processing documented? | | |
| “ | “ | Are data subjects informed about data collection, purpose, and their rights? | | |
| “ | “ | Are procedures for handling Data Subject Access Requests (DSAR) defined and documented? | | |
| “ | “ | Are obligations resulting from automated processing decisions identified and addressed? | | |
| “ | “ | Is there a process to provide a copy of PII to data subjects upon verified request? | | |
| “ | “ | Is there a process ensuring data subjects can access their personal data per PDPL requirements? | | |
| “ | “ | Is there a defined process for data subjects to access and correct their PII? | | |
| “ | “ | Is there a process for individuals to request and obtain their personal data in a clear format? | | |
| “ | “ | Is there a mechanism for data subjects to object to processing? | | |
| “ | “ | Is the method and timing of obtaining consent determined and documented? | | |
| “ | “ | Is there a mechanism provided to modify or withdraw consent? | | |
| “ | “ | Can data subjects request correction of their personal data if inaccurate? | | |
| “ | “ | Is there a process for deleting data no longer needed for the purpose it was collected? | | |
| “ | Article 9: Limitations on Access to Personal Data | Are conditions for limiting data access defined and implemented regarding security and regulations? | | |
| “ | Article 21: Responding to Data Subject Rights Requests | Is a process implemented to ensure timely and accurate responses to Data Subject requests? | | |
| “ | “ | Are requirements for data subject notices determined and documented? | | |
| “ | “ | Is there a process for notifying sub-processors of corrections, deletions, or withdrawals? | | |
| 3- Consent and Data Processing | | | | |
| “ | Article 5: Consent for Data Processing | Are processes implemented to ensure explicit consent is obtained before processing? | | |
| “ | “ | Is clear information provided to data subjects regarding the controller and processing activities? | | |
| “ | Article 6: Processing Exceptions | Are lawful exceptions identified where consent is not required for data processing? | | |
| “ | Article 7: Prohibition on Conditioning Consent | Are services reviewed to ensure they are not conditioned on consent unless essential? | | |
| “ | Article 24: Processing of Credit Data | Are procedures in place to verify explicit consent and notify subjects regarding Credit Data processing? | | |
| “ | Article 25: Use of Personal Data for Advertising and Awareness-Raising | Are procedures established to obtain consent for advertising materials and provide an opt-out mechanism? | | |
| “ | Article 26: Processing Personal Data for Marketing Purposes | Are procedures established to obtain explicit consent before using Personal Data for marketing purposes? | | |
| “ | Article 27: Processing Personal Data for Scientific, Research, or Statistical Purposes | Are procedures established to securely process and anonymize data for research purposes? | | |
| 4- Data Collection, Use, and Disclosure | | | | |
| “ | Article 8: Selection and Monitoring of Data Processors | Are processes implemented to select and monitor data processors for compliance? | | |
| “ | Article 10: Data Collection | Is data collected directly from data subjects and used only for the purpose for which it was collected? | | |
| “ | Article 11: Data Collection Methods | Are data collection methods clear, direct, secure, and free from deception? | | |
| “ | Article 12: Privacy Policy | Is a privacy policy made available to data subjects prior to collection, specifying purposes and rights? | | |
| “ | Article 13: Use and Disclosure | Are data subjects informed of the legal basis, purpose, and recipients of data upon collection? | | |
| “ | Article 14: Data Collection Verification | Are steps taken to verify that personal data is accurate, complete, and relevant to the purpose? | | |
| “ | Article 15: Right of Access by the Data Subject | Is a formal process in place to confirm whether personal data is being processed and to provide access to that data upon request? | | |
| “ | “ | Does the access response include all required details such as processing purposes, data categories, recipients, and retention periods? | | |
| “ | “ | Is the identity of the data subject verified before any personal data is disclosed to prevent unauthorized access? | | |
| “ | “ | Is a copy of the personal data provided free of charge (for the first copy) and in a commonly used electronic form? | | |
| “ | Article 16: Restrictions on Personal Data Disclosure | Are restrictions implemented to prevent disclosures that threaten security, safety, or legal rights? | | |
| “ | Article 23: Health Data Processing and Privacy | Is access to Health Data restricted to the minimum necessary employees for service provision? | | |
| “ | Article 28: Restrictions on Copying Official Documents | Are policies in place to prevent unauthorized copying of official documents identifying Data Subjects? | | |
| 5- Data Security and Retention | | | | |
| “ | Article 17: Correction, Completion, and Updating | Is there a process to correct data and notify all relevant entities of the changes? | | |
| “ | Article 19: Data Security | Is the network segmented to prevent unauthorized access to customer data? | | |
| “ | “ | Is pseudonymization determined and implemented where needed? | | |
| “ | “ | Are adequate technical and administrative security measures implemented to protect personal data? | | |
| “ | Article 20: Breach Notification | Are security and privacy incident response policies documented and communicated? | | |
| “ | “ | Are procedures in place to notify authorities and data subjects in case of a data breach? | | |
| “ | “ | Are policies and procedures established to respond to data breaches, including notification? | | |
| “ | “ | Are security and privacy incidents logged, tracked, resolved, and communicated according to policy? | | |
| “ | Article 18: Data Retention and Destruction | Are data retention periods defined based on legal requirements and operational needs? | | |
| “ | “ | Is personal data destroyed securely when no longer needed? | | |
| “ | Article 22: Data Impact Assessment | Is there a process to assess the impact of personal data processing for new products or services? | | |
| 6- Cross-Border Data Transfers | | | | |
| “ | Article 29: Data Transfer Outside Kingdom | Is the protection level of personal data in the destination country assessed to be equivalent to KSA standards? | | |
| “ | “ | Are policies established to regulate cross-border data transfers in compliance with the Law? | | |
| “ | “ | Is the legal basis for transferring PII between jurisdictions identified and documented? | | |
| “ | “ | Is the transfer limited to the minimum amount of Personal Data needed? | | |
| “ | “ | Does the company process only legally binding PII disclosure requests? | | |
| 7- Competent Authority, Violations, and Penalties | | | | |
| “ | Article 30: Appointment of Competent Authority | Are processes established to cooperate with the Competent Authority and appoint a DPO where required? | | |
| “ | Article 31: Records of Processing Activities | Are Records of Processing Activities (ROPA) maintained with all required details and available for the Authority? | | |
| “ | Article 33: Regulation and Licensing | Is the organization compliant with licensing requirements for commercial data protection activities? | | |
| “ | Article 34: Complaint Mechanism for Data Subjects | Is there a mechanism for data subjects to submit complaints regarding PDPL implementation? | | |
| “ | Article 35: Violations and Penalties | Are strict controls in place to prevent sensitive data disclosure and avoid criminal penalties? | | |
| “ | Article 36: Controls Maturity | Are internal controls established to prevent general violations that could lead to administrative fines? | | |
| “ | Article 37: Procedures for Violations and Penalties | Is there a procedure to cooperate with Authority employees during inspections or violation seizures? | | |
| “ | Article 38: Compliance Implementation | Are risks of fund confiscation and public publication of judgments managed through compliance? | | |
| “ | Article 39: Fines | Are disciplinary procedures in place for public entity employees who violate the PDPL? | | |
| “ | “ | Is there a process to handle compensation claims for material or moral damage caused by violations? | | |
