
PDPL Compliance Statement

Global Healthcare Compass is built to comply with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL). This statement details our commitment to protecting Saudi patient data through sovereign infrastructure and strict regulatory adherence.

PDPL Overview & Commitment

The Saudi Personal Data Protection Law (PDPL) establishes comprehensive requirements for the collection, processing, and protection of personal data within the Kingdom. As a healthcare platform serving Saudi patients, GHC operates under the highest standards of PDPL compliance.

GHC Compliance Statement

GHC is built to meet Saudi PDPL requirements through sovereign data infrastructure, comprehensive patient rights implementation, and continuous regulatory monitoring.

Scope of Application

This compliance statement applies to all personal and health data of Saudi residents and citizens processed through the GHC platform, regardless of their location at the time of service.

Data Residency & Sovereignty

All personal and health data of Saudi patients is stored, processed, and maintained exclusively within Kingdom borders, ensuring complete data sovereignty as required by PDPL Article 25.

Saudi Data Infrastructure

  • Primary and backup servers are hosted within the Kingdom's borders
  • Data backups and disaster recovery systems maintained within Kingdom borders
  • All data processing, analytics, and algorithm computations performed on Saudi infrastructure
  • Data access restricted to authorized personnel subject to Saudi jurisdiction

Cross-Border Data Transfers

Cross-border data transfers occur only with explicit patient consent for specific healthcare purposes (medical travel, specialist consultations) and under appropriate safeguards as per PDPL Article 26.

Personal Data Categories

GHC processes the following categories of personal data in accordance with PDPL classification requirements:

Basic Personal Data

  • Name, national ID, date of birth, nationality
  • Phone number, email address, residential address
  • Gender, age, preferred language

Sensitive Personal Data

  • Medical conditions, symptoms, diagnoses
  • Treatment history, medications, allergies
  • Patient-reported outcomes, satisfaction scores

Biometric Data

  • Facial recognition for identity verification (opt-in only)
  • Voice patterns for telehealth authentication (with consent)

Financial Data

  • Payment method information (tokenized)
  • Insurance coverage details and claim information

Legal Basis for Processing

GHC processes personal data under the following legal bases as defined in PDPL Article 6:

Explicit Consent

Primary legal basis for health data processing. Patients provide informed, specific, and revocable consent for each processing purpose.

Contract Performance

Processing necessary for healthcare service delivery, appointment booking, and care coordination as outlined in our terms of service.

Vital Interests

Emergency processing to protect patient life or health in critical medical situations, as permitted under PDPL Article 6(1)(d).

Legitimate Interest

Platform improvement, security monitoring, and anonymized research, balanced against patient rights and interests.

Patient Rights Under PDPL

Saudi patients have comprehensive rights over their personal data. GHC provides accessible mechanisms to exercise these rights:

How to Exercise Your Rights

Reach our Data Protection Officer through the contact page.


Responses within 30 days, in line with PDPL.

Right of Access

Obtain confirmation of data processing and access to your complete health record in a structured, machine-readable format.

Right of Rectification

Correct inaccurate personal data and complete incomplete information, subject to medical record integrity requirements.

Right of Erasure

Request deletion of personal data when no longer necessary, subject to medical record retention obligations.

Right of Portability

Receive your health data in FHIR R4 format and transmit it to another healthcare provider of your choice.

Technical & Organizational Measures

GHC implements comprehensive security measures as required by PDPL Article 22 to ensure appropriate protection of personal data:

Technical Safeguards

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Multi-factor authentication and role-based access controls with audit logging
  • 24/7 security monitoring with anomaly detection and automated incident response
  • Encrypted backups with tested disaster recovery procedures

Organizational Measures

  • Regular PDPL compliance training for all personnel with data access
  • Comprehensive data protection policies and procedures reviewed annually
  • Documented incident response procedures with breach notification protocols
  • Independent security audits and penetration testing performed quarterly

Data Breach Notification

GHC is committed to transparent and prompt notification of any personal data breaches as required by PDPL Article 30:

Breach Response Procedure

  • SDAIA notification: Notification to SDAIA within 72 hours of breach discovery
  • Patient notification: Direct notification to affected patients within 72 hours where the breach poses a high risk to their rights and freedoms
  • Mitigation: Immediate containment measures and remediation actions

Regulatory Oversight & Compliance

GHC operates under continuous regulatory oversight to ensure ongoing PDPL compliance:

Saudi Data & AI Authority (SDAIA)

Ongoing compliance with the Personal Data Protection Law as administered by SDAIA and the National Data Management Office (NDMO).

Ministry of Health Coordination

Healthcare-specific compliance coordination with MOH digital health regulations.

Aligned with the National Digital Health Strategy 2030.