PDPL Article 27 says that personal data can be used for scientific, research, or statistical purposes without the data subject’s consent, but only under strict conditions. These conditions ensure that individual privacy is protected even when data is used to generate insights, studies, or reports.
Consent is not required if:
The data does not identify the person.
If it will be anonymized before disclosure to others, and it’s not sensitive data.
If required by another law or contract involving the data subject.
The Regulations will define the detailed controls to make sure this kind of processing remains lawful and ethical.
Personal data may be collected or processed for scientific, research, or statistical purposes without the consent of the Data Subject in the following situations:
Saudi PDPL Article 27 (1)
Non-Identifiable Data Use
If it does not specifically identify the Data Subject.
Saudi PDPL Article 27 (2)
Anonymize Before Disclosure
If evidence of the Data Subject’s identity will be destroyed during the Processing and prior to Disclosure of such data to any other entity, if it is not Sensitive Data.
Saudi PDPL Article 27 (3)
Required by Law or Contract
If personal data is collected or processed for these purposes is required by another law or in implementation of a previous agreement to which the Data Subject is a party.
The Regulations shall set out the controls required by the provisions of this Article.
Explanation of Saudi PDPL Article 27
Data may be used for research if it doesn’t identify the person
Saudi PDPL Article 27 (1) says that, consent is not needed if the personal data is used in a way that doesn’t reveal the individual’s identity.
Identity must be destroyed before sharing, if data is not sensitive
Saudi PDPL Article 27 (2) says that, if the data will be anonymized before being shared, and it’s not sensitive data, consent is not required.
Individuals must be able to stop receiving these messages easily
Saudi PDPL Article 27 (3) says that, if data processing is mandated by another law or a prior agreement with the data subject, it can be used without needing new consent.
