Overview
PDPL Implementing Regulation Article 16 sets the rules for when a Controller may rely on Legitimate Interest as a legal basis for processing Personal Data. It defines the conditions that must be met, describes examples of qualifying interests, and requires a documented assessment to evaluate necessity, impact, and safeguards.
It also explains when proposed processing must be modified or replaced if it risks violating laws or affecting Data Subject Rights (DSR).
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 16: Processing for Legitimate Interest
1. Except in cases where the Controller is a Public Entity, the Controller may process Personal Data to achieve a Legitimate Interest provided that the following conditions are met:
  - Purpose shall not violate any of the laws in the Kingdom.
  - A balance between the rights and interests of the Data Subject and the Legitimate Interest of the Controller, so that the interests of the Controller do not affect the rights and interests of the Data Subject.
  - Processing shall not include Sensitive Data.
  - Processing shall be within the reasonable expectations of the Data Subject.
2. Legitimate interests include the Disclosure of fraud operations, the protection of network and information security, and other Legitimate Interests that meet the conditions outlined in paragraph (1) of this article.
3. According to the provisions of paragraph (4) of Article (6) of the Law, before Processing Personal Data for Legitimate Interests, the Controller shall conduct and document an assessment of the proposed Processing and its impact on the rights and interests of Data Subjects. The assessment shall include the following:
  - Identification of the proposed Processing and its purposes, as well as the type of data and categories of Data Subjects.
  - Evaluation of the purpose to ensure that it is legitimate and compliant with the laws in the Kingdom.
  - Verification of the necessity to process Personal Data to achieve the legitimate purpose of the Controller.
  - Evaluation of whether the proposed Processing will cause any potential harm to Data Subjects or their ability to exercise their legally established rights.
  - Identification of any measures that shall be taken to avoid potential risks or harms, in accordance with the provisions of paragraph (2) of Article (25) of this Regulation.
4. If the assessment outlined in paragraph (3) of this article indicates that the proposed Processing will in any way violate any laws, infringe on the rights and interests of Data Subjects, cause harm to them or any other party, the Controller shall modify the proposed Processing and conduct a new assessment, or consider relying on another legal basis.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 16(1)
Conditions For Legitimate Interest
This provision describes the conditions that must be met for a Controller to rely on Legitimate Interest when processing Personal Data. It specifies that the purpose must comply with the laws of the Kingdom and that a balance must exist between the Controller’s interest and the rights and interests of the Data Subject.
It also limits such processing by excluding Sensitive Data and requiring that the processing falls within what the Data Subject can reasonably expect.