KSAPDPL.COM

Saudi PDPL Article 23 – Special Rules for Health Data Processing

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 23 establishes special rules and heightened safeguards for Processing Health Data because it is classified as Sensitive Personal Data under the PDPL. The Article requires strict access controls, limits Processing to only what is needed for providing Health Services or health insurance, and mandates that only the minimum number of staff may access such data.

These restrictions reinforce the PDPL principles of data minimization, confidentiality, and proportionality, ensuring that Health Data is handled with maximum protection and tightly controlled access.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 23

Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Health Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law. Such additional controls and procedures shall include the following:

  1. Restricting the right to access Health Data, including medical files, to the minimum number of employees or workers and only to the extent necessary to provide the required Health Services.

  2. Restricting Health Data Processing procedures and operations to the minimum extent possible of employees and workers as necessary to provide Health Services or offer health insurance programs.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 23 (1)

Restricted Health Access

This provision limits the right to access Health Data, including medical files, to the smallest number of employees or workers who genuinely need such access to deliver Health Services. The wording requires that access is strictly tied to necessity, meaning that no staff member may view or handle Health Data unless it is essential for providing the required service.

This ensures that exposure to medical information remains controlled and that confidentiality protections for Data Subjects are preserved.

PDPL Article 23 (2)

Minimal Necessary Processing

This clause requires that all Processing operations relating to Health Data be reduced to the minimum level needed to provide Health Services or operate health insurance programs. The emphasis is on limiting both the number of individuals involved and the scope of Processing activities.

The provision ensures that Processing aligns directly with a clear service need and that no additional or unnecessary Processing occurs beyond what is essential for fulfilling healthcare or insurance obligations.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), does all medical information count as “Health Data” for Article 23?
Yes, any Personal Data relating to a person’s physical or mental health is treated as Health Data. Article 23 adds special rules because this category is more sensitive.

Health Data is subject to PDPL rules plus additional conditions in Article 23. Consent may be required unless another PDPL basis applies, but the processing must still follow the special health-related rules.

Can a clinic share Health Data with a pharmacy to fulfill a prescription under Article 23?
Yes, if the disclosure is tied to providing the health service requested by the patient. The key is that the sharing must follow the PDPL and remain within the special rules for Health Data.

In a healthcare SaaS system, who is responsible for ensuring Article 23 compliance, the hospital or the software vendor?
The hospital (Controller) is responsible for ensuring that Health Data is handled in line with Article 23. The SaaS vendor processes the data only according to the Controller’s instructions.

Does Article 23 allow processing Health Data for analytics or research purposes without patient involvement?
Only if the processing meets PDPL conditions and fits within the special Health Data rules. If it is for a new purpose, you must reassess the legal basis and restrictions.

Can a fitness app in KSA rely on general PDPL rules, or does Article 23 apply to workout and wellness data?
If the data reflects a person’s health status, it may fall under Health Data, triggering Article 23. Apps should evaluate whether their metrics point to health conditions, not just general activity.

In hospitals, does Article 23 cover both digital medical records and handwritten notes from doctors?
Yes, the format does not matter. Any Personal Data related to health is covered by the special rules.

Can a healthcare provider share Health Data with insurers under Article 23?
Only if the processing complies with the PDPL and fits a valid permitted basis. Article 23 does not give insurers automatic access; whether sharing is allowed depends on the purpose and legal basis.

What if a patient asks to use their Health Data for a new service, like transferring records to another hospital?
The disclosure is allowed if the patient requests the service and the PDPL conditions are met. Article 23 still applies because the data remains sensitive.

Does Article 23 allow using de-identified medical data without restrictions?
If the data is fully anonymized and cannot be linked back to a person, Article 23 generally does not apply. If there is any chance of re-identification, treat it as Health Data.

Common misconception: “Health Data can be processed the same way as regular Personal Data.” Is that correct under the Saudi PDPL?
No, Article 23 creates stricter handling rules for Health Data. Controllers must apply additional care compared to standard Personal Data.

Does Article 23 change who is responsible for breach notifications when Health Data is involved?
No, the Controller still handles notifications under Article 20. Article 23 increases sensitivity but does not change the notification structure.
