KSAPDPL.COM

Saudi PDPL Article 26 – Marketing Use of Personal Data

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 26 establishes a clear legal boundary for the marketing use of Personal Data, ensuring that individuals have meaningful control over how their information is used in commercial outreach. The Article states that Personal Data may only be used for marketing if it was collected directly from the Data Subject and if the individual has provided consent in accordance with the PDPL.

Sensitive Personal Data is excluded entirely, prohibiting its use in all marketing contexts. The Article reinforces the PDPL’s core requirements of transparency, lawful processing, individual autonomy, and protection against inappropriate or intrusive marketing practices.

The Regulations will define further controls for how these conditions must be applied by controllers.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 26

With the exception of Sensitive Data, Personal Data may be processed for marketing purposes, if it is collected directly from the Data Subject and their consent is given in accordance with the provisions of Law; the Regulations shall set out the controls in such regard.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Direct-Source Requirement

The Article requires that Personal Data used for marketing must have been collected directly from the Data Subject. The text specifies that only data obtained through direct interaction with the individual may be used, meaning Personal Data acquired from third parties, indirect channels, or unrelated sources does not satisfy the Article’s conditions.

This preserves the integrity of data collection and ensures the individual understands the origin and intended use of their Personal Data.

Consent-Driven Processing

The Article further states that marketing use of Personal Data is permitted only when the Data Subject has given consent in accordance with the provisions of the PDPL. The wording requires that such consent meet all legal standards set out in the Law, ensuring that individuals voluntarily and knowingly authorize the marketing use of their Personal Data.

This clause prevents marketing activities based on assumptions, implied consent, or prior relationships that do not meet PDPL consent requirements.

Sensitive-Data Exclusion

The Article makes an explicit exception prohibiting the use of Sensitive Personal Data for marketing purposes. This categorical exclusion means that, regardless of consent or collection method, Sensitive Personal Data cannot be processed for marketing in any form.

The text reinforces the PDPL’s heightened protections for Sensitive Data by ensuring it is entirely removed from marketing workflows.

Regulatory Controls Framework

The Article concludes by stating that the Regulations will set out the controls governing marketing-related processing of Personal Data. This clause delegates procedural and operational details to the Implementing Regulations, which will clarify how controllers must apply the Article’s conditions, including the manner of obtaining consent, verifying direct collection, and ensuring compliance.

The Article’s wording confirms that the specifics of marketing controls are defined outside the Article itself.
