PDPL Compliance Statement
Global Healthcare Compass is built to comply with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL). This statement details our commitment to protecting Saudi patient data through sovereign infrastructure and strict regulatory adherence.
PDPL Overview & Commitment
The Saudi Personal Data Protection Law (PDPL) establishes comprehensive requirements for the collection, processing, and protection of personal data within the Kingdom. As a healthcare platform serving Saudi patients, GHC operates under the highest standards of PDPL compliance.
GHC Compliance Statement
GHC is built to meet Saudi PDPL requirements through sovereign data infrastructure, comprehensive patient rights implementation, and continuous regulatory monitoring.
Scope of Application
This compliance statement applies to all personal and health data of Saudi residents and citizens processed through the GHC platform, regardless of their location at the time of service.
Data Residency & Sovereignty
All personal and health data of Saudi patients is stored, processed, and maintained exclusively within Kingdom borders, ensuring complete data sovereignty as required by PDPL Article 25.
Saudi Data Infrastructure
- Primary and backup servers are hosted within the Kingdom's borders
- Data backups and disaster recovery systems are maintained within the Kingdom's borders
- All data processing, analytics, and algorithm computations are performed on Saudi infrastructure
- Data access is restricted to authorized personnel subject to Saudi jurisdiction
Cross-Border Data Transfers
Cross-border data transfers occur only with explicit patient consent for specific healthcare purposes (medical travel, specialist consultations) and under appropriate safeguards as per PDPL Article 26.
Personal Data Categories
GHC processes the following categories of personal data in accordance with PDPL classification requirements:
Basic Personal Data
- Name, national ID, date of birth, nationality
- Phone number, email address, residential address
- Gender, age, preferred language
Sensitive Personal Data
- Medical conditions, symptoms, diagnoses
- Treatment history, medications, allergies
- Patient-reported outcomes, satisfaction scores
Biometric Data
- Facial recognition for identity verification (opt-in only)
- Voice patterns for telehealth authentication (with consent)
Financial Data
- Payment method information (tokenized)
- Insurance coverage details and claim information
Legal Basis for Processing
GHC processes personal data under the following legal bases as defined in PDPL Article 6:
Explicit Consent
Primary legal basis for health data processing. Patients provide informed, specific, and revocable consent for each processing purpose.
Contract Performance
Processing necessary for healthcare service delivery, appointment booking, and care coordination as outlined in our terms of service.
Vital Interests
Emergency processing to protect patient life or health in critical medical situations, as permitted under PDPL Article 6(1)(d).
Legitimate Interest
Platform improvement, security monitoring, and anonymized research, balanced against patient rights and interests.
Patient Rights Under PDPL
Saudi patients have comprehensive rights over their personal data. GHC provides accessible mechanisms to exercise these rights:
How to Exercise Your Rights
Reach our Data Protection Officer through the contact page. Responses are provided within 30 days, in line with PDPL.
Right of Access
Obtain confirmation of data processing and access to your complete health record in a structured, machine-readable format.
Right of Rectification
Correct inaccurate personal data and complete incomplete information, subject to medical record integrity requirements.
Right of Erasure
Request deletion of personal data when no longer necessary, subject to medical record retention obligations.
Right of Portability
Receive your health data in FHIR R4 format and transmit it to another healthcare provider of your choice.
Technical & Organizational Measures
GHC implements comprehensive security measures as required by PDPL Article 22 to ensure appropriate protection of personal data:
Technical Safeguards
- AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Multi-factor authentication and role-based access controls with audit logging
- 24/7 security monitoring with anomaly detection and automated incident response
- Encrypted backups with tested disaster recovery procedures
Organizational Measures
- Regular PDPL compliance training for all personnel with data access
- Comprehensive data protection policies and procedures reviewed annually
- Documented incident response procedures with breach notification protocols
- Independent security audits and penetration testing performed quarterly
Data Breach Notification
GHC is committed to transparent and prompt notification of any personal data breaches as required by PDPL Article 30:
Breach Response Procedure
- SDAIA notification: notification to SDAIA within 72 hours of breach discovery
- Patient notification: direct notification to affected patients within 72 hours where the breach poses a high risk to their rights and freedoms
- Mitigation: immediate containment measures and remediation actions
Regulatory Oversight & Compliance
GHC operates under continuous regulatory oversight to ensure ongoing PDPL compliance:
Saudi Data & AI Authority (SDAIA)
Ongoing compliance with the Personal Data Protection Law as administered by SDAIA and the National Data Management Office (NDMO), operating in line with SDAIA / NDMO requirements
Ministry of Health Coordination
Healthcare-specific compliance coordination with MOH digital health regulations
Aligned with National Digital Health Strategy 2030