KSAPDPL.COM

PDPL Implementing Regulation Article 16 – Processing for Legitimate Interest

Implementing Regulation of PDPL Article 16 says that private-sector Controllers may process personal data based on a “Legitimate Interest” legal basis—but only if the purpose is lawful, proportionate, and within the data subject’s expectations. Sensitive data is explicitly excluded. Before proceeding, the Controller must perform and document a Legitimate Interest Assessment (LIA) to weigh their interests against the potential impact on data subjects.

Implementing Regulation of PDPL Article 16 (1)

Conditions for Use

Except in cases where the Controller is a Public Entity, the Controller may process Personal Data to achieve a Legitimate Interest provided that the following conditions are met:

a) Purpose shall not violate any of the laws in the Kingdom.

b) A balance between the rights and interests of the Data Subject and the Legitimate Interest of the Controller, so that the interests of the Controller do not affect the rights and interests of the Data Subject.

c) Processing shall not include Sensitive Data.

d) Processing shall be within the reasonable expectations of the Data Subject.

Implementing Regulation of PDPL Article 16 (2)

Example Use-Cases

Legitimate interests include the Disclosure of fraud operations, the protection of network and information security, and other Legitimate Interests that meet the conditions outlined in paragraph (1) of this article.

Implementing Regulation of PDPL Article 16 (3)

Assessment Requirement

According to the provisions of paragraph (4) of Article (6) of the Law, before Processing Personal Data for Legitimate Interests, the Controller shall conduct and document an assessment of the proposed Processing and its impact on the rights and interests of Data Subjects. The assessment shall include the following:

a) Identification of the proposed Processing and its purposes, as well as the type of data and categories of Data Subjects.

b) Evaluation of the purpose to ensure that it is legitimate and compliant with the laws in the Kingdom.

c) Verification of the necessity to process Personal Data to achieve the legitimate purpose of the Controller.

d) Evaluation of whether the proposed Processing will cause any potential harm to Data Subjects or their ability to exercise their legally established rights.

e) Identification of any measures that shall be taken to avoid potential risks or harms, in accordance with the provisions of paragraph (2) of Article (25) of this Regulation.

Implementing Regulation of PDPL Article 16 (4)

Modify If Harmful

If the assessment outlined in paragraph (3) of this article indicates that the proposed Processing will in any way violate any laws, infringe on the rights and interests of Data Subjects, cause harm to them or any other party, the Controller shall modify the proposed Processing and conduct a new assessment, or consider relying on another legal basis.

Explanation of Implementing Regulation of PDPL Article 16

When legitimate interest can be used:

Implementing Regulation of PDPL Article 16 (1) says that private entities (not public bodies) can rely on legitimate interest only if the purpose is lawful, within the data subject's reasonable expectations, and does not harm the data subject.

Illustrative examples of legitimate interest:

Implementing Regulation of PDPL Article 16 (2) says that examples include fraud detection and the protection of network and information security, provided the criteria in paragraph (1) are met.

Document the risk-benefit assessment:

Implementing Regulation of PDPL Article 16 (3) says that controllers must conduct and document a full assessment before processing, evaluating the purpose, necessity, impact on data subjects, and safeguards.

Adjust or abandon if risks outweigh interests:

Implementing Regulation of PDPL Article 16 (4) says that if the assessment reveals risk or illegality, the controller must modify the processing and reassess it, or rely on another legal basis.
