KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

PDPL Implementing Regulation Article 1 – Definitions
PDPL Implementing Regulation Article 2 – Personal or Family Use
PDPL Implementing Regulation Article 3 – General Provisions of Data Subject Rights (DSR)
PDPL Implementing Regulation Article 4 – Right to be Informed
PDPL Implementing Regulation Article 5 – Right of Access to Personal Data
PDPL Implementing Regulation Article 6 – Right to Request Access to Personal Data
PDPL Implementing Regulation Article 7 – Right to Request Correction of Personal Data
PDPL Implementing Regulation Article 8 – Right to Request Destruction of Personal Data
PDPL Implementing Regulation Article 9 – Anonymisation
PDPL Implementing Regulation Article 10 – Means of Communication
PDPL Implementing Regulation Article 11 – Consent
PDPL Implementing Regulation Article 12 – Consent withdrawal
PDPL Implementing Regulation Article 13 – Legal Guardian
PDPL Implementing Regulation Article 14 – Processing to Serve the Actual Interest of Data Subject
PDPL Implementing Regulation Article 15 – Collecting Data from Third Parties
Load More

PDPL Implementing Regulation Article 28 – Processing Data for Advertising or Awareness Purposes

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: December 23, 2025
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

PDPL Implementing Regulation Article 28 establishes the rules for sending advertising or awareness materials to individuals, particularly when there is no prior interaction with the Controller. It defines how consent must be collected, documented, and respected, and it mandates transparent communication practices, clear sender identification, and simple opt-out mechanisms.

The Article strengthens Data Subject control over marketing communication, ensures compliance with the Telecommunication and Information Technology Act, and prevents misleading or intrusive advertising practices.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 28: Processing Data for Advertising or Awareness Purposes

  1. Controller shall obtain the Consent from the targeted recipient before sending advertising or awareness material in case of the absence of a prior interaction between the Controller and the targeted recipient.

  2. Conditions for obtaining the targeted recipient's consent for advertising or awareness materials shall be as follows:

    1. Consent shall be given freely, and no misleading methods shall be used to obtain it.

    2. Targeted recipient shall be enabled to specify the options related to advertising or awareness material subject to consent.

    3. Consent of a targeted recipient consent shall be documented in a manner that can be verified in the future.

  3. Without prejudice to the Telecommunication and Information Technology Act or any other related laws, before using communication methods for the purpose of sending advertising or awareness materials, including the post and email of the Data Subject, the Controller shall commit to the following:

    1. Clearly mention sender's name without hiding their identity.

    2. Provide a mechanism that enables the Data Subject to opt out of receiving advertising and awareness materials when desired, and ensure that the procedures for opting out of receiving such materials are easy, straightforward, and at least as easy as the procedures for giving consent to receive them.

    3. Stop sending advertising or awareness materials as soon as the target recipient requests it.

    4. The cessation of receiving advertising or awareness materials shall be free of charge.

    5. Keep material evidence of consent from the targeted recipient to receive advertising or awareness materials.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 28(1)

Consent Before Marketing

This provision requires Controllers to obtain the recipient’s consent before sending advertising or awareness materials when no prior interaction exists between the parties.

Article 28(2)(a)

Free Genuine Consent

This sub-provision requires that consent be freely given and that misleading methods must not be used to obtain it.

Article 28(2)(b)

Selectable Marketing Choices

This sub-provision requires that recipients be able to choose or specify the types of advertising or awareness material they are consenting to receive.

Article 28(2)(c)

Documented Verifiable Consent

This sub-provision requires the Controller to document consent in a way that can be verified in the future.

Article 28(3)(a)

Transparent Sender Identity

This sub-provision requires the Controller to clearly display the sender’s name and not hide their identity when using communication channels for advertising or awareness materials.

Article 28(3)(b)

Opt Out Mechanism

This sub-provision requires Controllers to provide a mechanism that allows the Data Subject to opt out of receiving advertising or awareness materials.

Easy Opt Out Process

This sub-provision requires that the opt-out process be easy, straightforward, and at least as easy as the process of giving consent.

Article 28(3)(c)

Stop Upon Request

This sub-provision requires Controllers to stop sending advertising or awareness materials immediately once the recipient requests it.

Article 28(3)(d)

Free Opt Out

This sub-provision requires that opting out of advertising or awareness materials must be free of charge.

Article 28(3)(e)

Maintain Consent Evidence

This sub-provision requires Controllers to retain material evidence showing that the targeted recipient consented to receive advertising or awareness materials.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top