KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

Saudi PDPL Article 1 – Definitions
Saudi PDPL Article 2 – Scope of Personal Data Processing
Saudi PDPL Article 3 – Additional Rights Protection
Saudi PDPL Article 4 – Data Subject Rights (DSR)
Saudi PDPL Article 5 – Consent Requirements for Processing
Saudi PDPL Article 6 – Consent Exceptions for Processing
Saudi PDPL Article 7 – No Forced Consent
Saudi PDPL Article 8 – Controller Obligations for Processors
Saudi PDPL Article 9 – Limits on Data Subject Access Rights
Saudi PDPL Article 10 – Exceptions to Direct Collection Rule
Saudi PDPL Article 11 – Purpose and Collection Limits
Saudi PDPL Article 12 – Privacy Policy Requirements
Saudi PDPL Article 13 – Personal Data Collection Disclosure Requirements
Saudi PDPL Article 14 – Personal Data Accuracy Obligation
Saudi PDPL Article 15 – Permitted Personal Data Disclosure Conditions
Load More

Saudi PDPL Article 25 – Restrictions on Direct Marketing and Awareness Messages

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: January 10, 2026
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 25 establishes restrictions on how Controllers may send advertising or awareness-raising materials through personal communication channels. The Article requires prior consent, except for awareness materials sent by Public Entities, provides individuals with a clear opt-out mechanism, and assigns the Regulations to determine the detailed rules governing these communications.

These requirements ensure that Personal Data is used for such outreach in a controlled and compliant manner under the Personal Data Protection Law (PDPL).

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 25

With the exception of the awareness-raising materials sent by Public Entities, Controller may not use personal means of communication, including the post and email, of the Data Subject to send advertising or awareness-raising materials, unless:

  1. Obtaining the prior consent of the targeted recipient for such materials.

  2. The sender of the material shall provide a clear mechanism, as set out in the Regulations, that enables the targeted recipient to request stopping receiving such materials if they desire so.

  3. The Regulations shall set out the provisions concerning the aforementioned advertising and awareness-raising materials, as well as the conditions and situations concerning the consent of the recipient to receive aforementioned materials.

Copy Article

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 25(1)

Consent-Driven Outreach Requirements

This provision requires the Controller to obtain prior consent from the targeted recipient before sending any Direct Marketing or awareness-raising materials through personal communication channels. The text specifies that consent must be obtained in advance and specifically for such materials, meaning communication cannot occur unless the Data Subject has already agreed to receive it.

The requirement applies to all electronic and phone-based channels and ensures that outreach is conditioned on explicit permission rather than assumption or implied interest.

PDPL Article 25(2)

Mandatory Opt-Out Mechanism

This clause requires the sender to provide a clear mechanism, as defined in the Regulations, enabling the targeted recipient to request that such communications cease. The text emphasises that this mechanism must allow the recipient to stop receiving materials if they so desire, creating a direct and controllable means for individuals to discontinue outreach.

The obligation applies to every message and requires that the opt-out mechanism be accessible, compliant with regulatory specifications, and operational at all times.

PDPL Article 25(3)

Regulatory Marketing Conditions

This provision states that the Regulations will determine the governing rules for advertising and awareness-raising materials, including the conditions under which consent must be obtained and the specific situations in which such materials may be sent.

 

The text confirms that the detailed requirements are not contained in the Article itself but will instead be elaborated in the Regulations, which will define the procedural, contextual, and compliance-related elements necessary for lawful Direct Marketing and awareness activities.

These regulatory specifications ensure uniform standards across sectors and clarify obligations for controllers handling Personal Data for marketing purposes.

Frequently Asked Questions (FAQs)

Yes, direct marketing generally requires the Data Subject’s prior consent. Article 25 places clear limits on promotional outreach unless an allowed exception applies.
What is the difference between a “direct marketing message” and an “awareness message” under Article 25?
Direct marketing promotes a product or service, while an awareness message typically provides general information without commercial intent. Article 25 restricts both, but promotional messages face tighter controls.
Only if the customer has consented to receive marketing communications. Abandoned cart reminders are typically treated as marketing unless the Regulation clarifies otherwise.
Can a bank send credit card offers to existing customers under Article 25?
Only with valid consent or another allowed basis under PDPL. Having a customer relationship does not automatically permit marketing outreach.
Do “transactional messages” like receipts or order confirmations fall under Article 25?
No, transactional messages are not direct marketing. Article 25 applies to messages intended to promote, advertise, or raise product awareness.
It depends on the purpose. Purely functional guidance is not marketing, but promotional upsell content would fall under Article 25.
Are Processors allowed to send marketing messages on behalf of the Controller?
Only if the Controller has obtained the required consent and instructed the Processor accordingly. Processors cannot decide to send marketing on their own.
Does Article 25 allow “opt-out” instead of “opt-in” for marketing?
No, the default expectation is consent before sending direct marketing. Opt-out alone does not satisfy Article 25 requirements.
In HR, do internal announcements count as awareness messages under PDPL?
Internal operational notices usually are not considered marketing or public awareness messages. Article 25 focuses on communications directed at Data Subjects in a promotional or outreach context.
If the content aims to promote services, Article 25 applies and consent is needed. General educational content may be allowed depending on intent.
Common misconception, “If the message benefits the user, it is not marketing.” Is that true under KSA PDPL?
No, the benefit does not change the classification. If the message promotes a product or service, it is marketing.
Are awareness messages for public interest campaigns treated the same as commercial marketing?
No, Article 25 recognizes awareness messages as a distinct category, but they still face controls. The intent and content determine how the PDPL applies.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top