Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 25 establishes restrictions on how Controllers may send advertising or awareness-raising materials through personal communication channels. The Article requires prior consent, except for awareness materials sent by Public Entities, provides individuals with a clear opt-out mechanism, and assigns the Regulations to determine the detailed rules governing these communications.
These requirements ensure that Personal Data is used for such outreach in a controlled and compliant manner under the Personal Data Protection Law (PDPL).
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 25
With the exception of the awareness-raising materials sent by Public Entities, Controller may not use personal means of communication, including the post and email, of the Data Subject to send advertising or awareness-raising materials, unless:
- Obtaining the prior consent of the targeted recipient for such materials.
- The sender of the material shall provide a clear mechanism, as set out in the Regulations, that enables the targeted recipient to request stopping receiving such materials if they desire so.
- The Regulations shall set out the provisions concerning the aforementioned advertising and awareness-raising materials, as well as the conditions and situations concerning the consent of the recipient to receive aforementioned materials.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 25(1)
Consent-Driven Outreach Requirements
This provision requires the Controller to obtain prior consent from the targeted recipient before sending any Direct Marketing or awareness-raising materials through personal communication channels. The text specifies that consent must be obtained in advance and specifically for such materials, meaning communication cannot occur unless the Data Subject has already agreed to receive it.
The requirement applies to all electronic and phone-based channels and ensures that outreach is conditioned on explicit permission rather than assumption or implied interest.
Article 25(2)
Mandatory Opt-Out Mechanism
This clause requires the sender to provide a clear mechanism, as defined in the Regulations, enabling the targeted recipient to request that such communications cease. The text emphasises that this mechanism must allow the recipient to stop receiving materials if they so desire, creating a direct and controllable means for individuals to discontinue outreach.
The obligation applies to every message and requires that the opt-out mechanism be accessible, compliant with regulatory specifications, and operational at all times.
Article 25(3)
Regulatory Marketing Conditions
This provision states that the Regulations will determine the governing rules for advertising and awareness-raising materials, including the conditions under which consent must be obtained and the specific situations in which such materials may be sent.
The text confirms that the detailed requirements are not contained in the Article itself but will instead be elaborated in the Regulations, which will define the procedural, contextual, and compliance-related elements necessary for lawful Direct Marketing and awareness activities.
These regulatory specifications ensure uniform standards across sectors and clarify obligations for controllers handling Personal Data for marketing purposes.
