PDPL Article 25 prohibits controllers from using a data subject’s personal communication channels (like email, SMS, or post) to send advertising or awareness materials, unless certain conditions are met.
The only exception is awareness content sent by public entities (e.g., health alerts, government campaigns).
All other controllers must:
Get prior consent before sending marketing or awareness content.
Provide a clear opt-out mechanism.
Comply with Regulations that define consent conditions and communication requirements.
With the exception of the awareness-raising materials sent by Public Entities, Controller may not use personal means of communication, including the post and email, of the Data Subject to send advertising or awareness-raising materials, unless:
Saudi PDPL Article 25 (1)
Prior Consent Required
Obtaining the prior consent of the targeted recipient for such materials.
Saudi PDPL Article 25 (2)
Mandatory Opt-Out Mechanism
The sender of the material shall provide a clear mechanism, as set out in the Regulations, that enables the targeted recipient to request stopping receiving such materials if they desire so.
Saudi PDPL Article 25 (3)
Regulations Define Conditions
The Regulations shall set out the provisions concerning the aforementioned advertising and awareness-raising materials, as well as the conditions and situations concerning the consent of the recipient to receive aforementioned materials.
Explanation of Saudi PDPL Article 25
Advertising or awareness messages need recipient approval
Saudi PDPL Article 25 (1) says that, controllers must get clear, prior consent from the individual before sending marketing or awareness content to personal communication channels like email or SMS.
Individuals must be able to stop receiving these messages easily
Saudi PDPL Article 25 (2) says that, the sender must offer a clear, user-friendly way (as per the Regulations) for the recipient to unsubscribe or opt out of future communications.
Individuals must be able to stop receiving these messages easily
Saudi PDPL Article 25 (3) says that, the Regulations will set the detailed rules, including what types of messages require consent and how such consent should be obtained and recorded.
