PDPL Article 2 applies widely, including to foreign entities processing Saudi residents’ data. But it excludes purely personal/family use of data, as long as it stays private.
Saudi PDPL Article 2 (1)
Territorial and Material Scope
The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.
Saudi PDPL Article 2 (2)
Exemption for Private Use
The scope of applying the Law excludes the individual’s Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph.
Explanation of Saudi PDPL Article 2
PDPL applies to:
The PDPL applies to:
- Any use of personal data (Processing) that happens inside Saudi Arabia, no matter who is doing it or how.
- It also applies to companies or organizations outside Saudi Arabia if they are handling personal data of people who live in the Kingdom (this is called extraterritorial application).
- Even data about deceased people is covered if that data can identify the deceased or a member of their family.
PDPL does not apply when:
The PDPL does not apply when:
- A person uses their own or someone else’s personal data just for private or family reasons, &
- They do not share or publish that data with others.
So, if you are keeping a personal contact list or family photo album and you don’t share it publicly, the PDPL doesn’t cover that.
