KSAPDPL.COM


Saudi PDPL Article 9 – Limits on Data Subject Access Rights

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 9 establishes the limits and restrictions that may apply to an individual’s right to access their personal data. It defines when a Controller may set time frames, restrict access, or prevent access entirely, including circumstances involving harm, security requirements, or obligations under other laws.

The Regulations and Article 16 specify the detailed cases where access must be restricted.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 9

  1. The Controller may set time frames for exercising the right to access Personal Data stated in Paragraph (2) of Article (4) herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:

    a. If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth in the Regulations.

    b. If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.

  2. The Controller shall prevent the Data Subject from accessing Personal Data in any of the situations stated in Paragraphs (1, 2, 3, 4, 5) and (6) of Article (16) herein.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 9(1)

Setting Time Frames For Access

This provision allows Controllers to establish time frames for Data Subject access requests as defined in the Regulations. The Controller may apply such time frames to ensure that access is handled according to the procedures and requirements set out by the Law.


This provides structure for how and when access requests may be fulfilled.

PDPL Article 9(1)(a)

Limiting Access To Prevent Harm

This provision allows the Controller to limit a Data Subject’s access request when doing so is necessary to protect the Data Subject or another party from harm. The limitation must align with the requirements established in the Regulations.


This ensures that access does not create or increase risk to individuals.

PDPL Article 9(1)(b)

Limits Required For Public Entity Duties

This provision applies when the Controller is a public entity. It allows the Controller to restrict access when necessary for security purposes, when required by another law, or when needed to fulfill judicial requirements.


This ensures that access rights do not interfere with public sector duties that involve legal, security, or judicial obligations.

PDPL Article 9(2)

Mandatory Access Denial Conditions

This provision states that the Controller must prevent access to personal data when any of the situations listed in Article 16 paragraphs 1 through 6 apply. This creates mandatory denial scenarios defined elsewhere in the Law.


The Controller must follow these limitations to ensure compliance with Article 16.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can a company delay my access request by setting “access windows” or time limits?
Yes. A Controller can set time frames for exercising the access right, based on what the Regulations allow. As a practical rule, access is not always instant; it can follow regulated timelines and procedures.

Can a Saudi company refuse to show me my personal data if it could cause harm to me or someone else?
Yes. The Saudi Personal Data Protection Law (KSA PDPL) allows limiting access when it is necessary to protect the Data Subject or other parties from harm. The restriction must align with the controls set out in the Regulations.

Does “harm” under the Saudi Personal Data Protection Law (KSA PDPL) mean a company can block access just because it is inconvenient?
No. The rule of thumb is that inconvenience is not the same as protecting someone from harm. Article 9 frames harm as the reason for limiting access and ties it to regulatory requirements.

If the Controller is a Saudi public entity, can it restrict access for security reasons?
Yes. Public entities can restrict access when needed for security purposes, when required by another law, or to fulfill judicial requirements. This is a specific public sector limitation in Article 9.

I requested access from a government body in KSA; can they say “no” because another Saudi law requires secrecy?
Yes. Article 9 allows restriction for public entities when another law requires it, or when it is tied to security or judicial requirements. As a practical rule, public entity duties can override access in defined cases.

What’s the difference in the Saudi Personal Data Protection Law (KSA PDPL) between “limiting access” and “preventing access completely”?
Limiting access means the Controller narrows or restricts how the access right is exercised in certain cases. Preventing access means the Controller must deny access entirely when specific conditions apply, which Article 9 links to the Article 16 situations.

Can a private company in Saudi Arabia rely on the “public entity security” exception to deny access?
No. That specific ground is framed for Controllers that are public entities. Private Controllers would typically rely on other Article 9 bases, such as preventing harm, and on the Regulations.

If a company in KSA denies my access request, do they have to base it on something specific in the Saudi PDPL?
Yes. The rule of thumb is that a denial or restriction should map to a recognized limitation, such as harm-based limits, public entity duty limits, or the mandatory denial scenarios referenced through Article 16. Article 9 links these restrictions to the Regulations and Article 16.

In HR, can an employer limit what an employee sees if revealing it could harm someone else?
Potentially, yes. The Saudi Personal Data Protection Law (KSA PDPL) allows limiting access to protect the Data Subject or other parties from harm. In practice, organizations may restrict parts of an access response when third-party harm is a realistic issue, following the Regulations.

In fintech or healthcare, can a Controller restrict access because it might create security risks?
If the Controller is a public entity, Article 9 allows restriction for security purposes and related legal or judicial requirements. For other Controllers, restrictions are typically framed around preventing harm and the controls in the Regulations.

Common misconception: “Saudi Personal Data Protection Law (KSA PDPL) access rights mean I can see everything, always.” Is that correct?
No. Article 9 is specifically about limits on access rights and when Controllers may restrict or even prevent access. The rule of thumb is that access exists but is not absolute; it can be limited by harm, public entity duties, and the mandatory denial conditions referenced in the law.
