KSAPDPL.COM

Saudi PDPL Article 2 – Scope of Personal Data Processing

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 2 defines when the PDPL applies, focusing on processing connected to individuals (data subjects) in Saudi Arabia, including processing conducted from outside the Kingdom.

The Article also specifies the limited circumstances where personal or family use falls outside the Personal Data Protection Law (PDPL), provided the data is not disclosed or made public. These rules establish the core territorial and material scope for determining when PDPL requirements apply.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 2

  1. The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.

  2. The scope of applying the Law excludes the individual’s Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 2(1)

PDPL Territorial And Material Scope

This provision explains that the PDPL applies to any processing of personal data related to individuals when the processing occurs inside Saudi Arabia. It also covers processing carried out from outside the Kingdom if the data relates to individuals located in Saudi Arabia.

The text makes clear that the focus is on whether the data is connected to individuals in the Kingdom, not where the processing party is located.

The provision also specifies that data about deceased individuals is covered when it can lead to their identification or the identification of a family member.

PDPL Article 2(2)

Personal And Family Use Exception

This provision identifies a narrow exemption for processing that is strictly for personal or family use.

The exemption applies only when the individual does not publish or disclose the data to others. Once the data is shared outside personal or family boundaries, the exemption no longer applies.

The Regulations will further define what qualifies as personal and family use under this rule. The provision makes it clear that only private, non-disclosed activities fall outside the Law.

Frequently Asked Questions (FAQs)

My SaaS company is outside KSA, but we have users in Saudi Arabia. Does Saudi Personal Data Protection Law (KSA PDPL) Article 2 apply to us?

Yes, if you process Personal Data relating to individuals in Saudi Arabia, Saudi PDPL can still apply even when processing is done from outside the Kingdom. A practical rule is: if your processing targets or involves people located in KSA, treat it as in-scope.

We run an e-commerce site from abroad and ship to Saudi customers. Are we in scope under Saudi Personal Data Protection Law (KSA PDPL)?

Typically yes, if you process Personal Data related to individuals in Saudi Arabia as part of those sales and deliveries. The scope focuses on the connection to individuals in the Kingdom, not just where your company is based.

If our servers are in KSA but our HQ is outside, does Saudi Personal Data Protection Law (KSA PDPL) apply?

Yes, processing that takes place in the Kingdom is in scope under Saudi Personal Data Protection Law (KSA PDPL). In practice, if your systems or operations process Personal Data in KSA, you should assume Article 2 applies.

If a KSA resident travels abroad, and we process their data while they are outside Saudi, is it still covered?

The key question is whether the Personal Data relates to individuals in Saudi Arabia, and whether processing is connected to them in the Kingdom. In practice, organizations treat KSA-based individuals as in-scope when the processing relationship is rooted in their presence in KSA.

Does Saudi Personal Data Protection Law (KSA PDPL) apply to employee HR data for staff who work in Saudi Arabia?

Yes, when the processing relates to individuals in Saudi Arabia and happens in the Kingdom, or is done from outside the Kingdom for individuals in KSA. A simple rule is: if the employment is KSA-based and the HR processing touches those individuals, treat it as in scope.

In Saudi Personal Data Protection Law (KSA PDPL), does data about a deceased person still count if it can identify their family?

Yes, it can be in scope if it could lead to identifying the deceased person or a member of their family. In practice, organizations handle such records carefully when they still point to identifiable relatives.

I saved customer phone numbers on my personal phone for follow-ups. Is that “personal use” and out of scope in KSA?

Not necessarily. The personal or family use exception is intended for activities that stay within personal or family boundaries. If it is used for business follow-ups, it is typically treated as outside that narrow exception.

I collected family photos for a private event group. Does Saudi Personal Data Protection Law (KSA PDPL) apply?

Usually no, if it is strictly personal or family use and you do not publish or disclose it to others outside that context. The moment it is shared beyond the private personal or family setting, the exception can stop applying.

If I post someone’s personal details on social media, does the “personal use” exception still protect me under Saudi Personal Data Protection Law (KSA PDPL)?

No, once you publish or disclose the Personal Data to others, the personal or family use exception does not apply. A practical rule is: private use stays out of scope, public sharing brings it back into scope.

Yes, because the exception depends on not publishing or disclosing the data to others. If it was made accessible beyond personal or family boundaries, it is typically treated as no longer covered by that exception.

Is Saudi Personal Data Protection Law (KSA PDPL) scope based on where the company is located, or where the people are?

It is mainly based on the link to individuals in Saudi Arabia and processing in the Kingdom, including processing from outside KSA for individuals in KSA. A useful rule is: focus on the data subject’s connection to KSA and where processing occurs, not just your corporate address.

Common misconception: “Saudi Personal Data Protection Law (KSA PDPL) only applies to Saudi citizens.” Is that correct under Article 2?

No, the scope is framed around individuals in Saudi Arabia, not nationality. In practice, organizations treat residents, visitors, and anyone whose data is processed in KSA as potentially in scope.
