KSAPDPL.COM


Elaboration and Developing Privacy Policy Guideline – Fourth: Collecting Personal Data Methods and Purposes

Overview

Elaboration and Developing Privacy Policy Guideline — Fourth: Collecting Personal Data Methods and Purposes explains how Controllers must disclose the methods used to collect Personal Data and clearly define the purposes for which such data is collected and processed.

It requires Controllers to distinguish between direct and indirect collection methods, specify lawful purposes and legal bases for processing, and ensure that collection practices remain transparent, proportionate, and limited to what is necessary.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Fourth: Collecting Personal Data Methods and Purposes

  1. The Controller shall divide methods of collecting Personal Data as specified in Clause (Second) into two main sections of collecting and processing Personal Data:

      - Data to Be Collected Directly from Data Subject: Clarifying means used for collecting such data, such as e-forms that include empty fields, drop-down lists, radio buttons, etc.

      - Data to Be Collected Indirectly: Clarifying means used for collecting such data, such as cookies technologies, automatic collection of information, website analytics, or interconnection with another entity.

  2. The Controller shall explicitly and clearly clarify the purpose of collecting Personal Data (such as providing public services or a service to Data Subject). Such purposes shall be related directly to the Controller's activity, not contravene with any legal provisions, and specify legal bases relied upon for collecting and processing data, provided that legal basis shall be one of the following: (Consent of Data Subject or his legal guardian; realized interest of Data Subject or legal requirement; agreement to which Data Subject is a party; public interest; security purposes; judicial requirements; protection of public health or safety; or preservation of vital interests of individuals (preserving their health or protecting their lives), or legitimate interests of the Controller).

  3. The Controller may rely on more than one legal basis at the same time, in addition to the possibility of collecting or processing Personal Data if it is collected from a publicly available source, in accordance with controls and procedures stipulated in Article (15) of the Implementing Regulation of the Law. Additionally, Personal Data may be processed if it does not include evidence of identity of its owner and the owner's identity has been anonymized as stated in Article (9) of the Implementing Regulation of the Law.

  4. In all cases, the content of Personal Data collected and processed shall be limited to the minimum necessary, and directly relevant to the purpose of collection and processing. Data content shall be appropriate, and methods and means of collecting Personal Data shall be clear, direct, and free from deception, manipulation or disinformation.

  5. When relying on the Data Subject’s consent as a legal basis for processing Personal Data, such consent shall not be a condition for providing a service or a benefit, unless such service or benefit is intimately related and relevant to Personal Data processing.

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.

A. Methods of Collecting Personal Data

This provision requires the Controller to distinguish between Personal Data collected directly from the Data Subject and data collected indirectly. It explains that direct collection includes tools such as electronic forms and selection interfaces, while indirect collection includes cookies technologies, automatic data collection, website analytics, or interconnection with other entities.

B. Purpose and Legal Basis of Collection

The Controller must clearly state the purpose of collecting Personal Data and ensure that such purpose is directly related to its activities and does not contravene legal provisions. The Controller must also identify the legal basis relied upon for collection and processing, selecting from the legally recognized bases listed in the provision.

C. Multiple Legal Bases and Special Processing Conditions

This provision allows the Controller to rely on more than one legal basis simultaneously. It also permits processing of Personal Data obtained from publicly available sources under the Implementing Regulation controls, and processing of anonymized data where the identity of the data owner cannot be established.

D. Limitation and Transparency of Data Collection

The Controller is required to limit collected and processed Personal Data to the minimum necessary and directly relevant to the stated purpose. Collection methods must be appropriate, clear, and free from deception, manipulation, or disinformation.

E. Consent-Based Processing Restrictions

Where consent is relied upon as a legal basis, this provision clarifies that consent must not be made a condition for providing a service or benefit, unless that service or benefit is directly and closely related to the processing of Personal Data.
