KSAPDPL.COM

Saudi PDPL Article 26 – Marketing Use of Personal Data

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 26 establishes a clear legal boundary for the marketing use of Personal Data, ensuring that individuals have meaningful control over how their information is used in commercial outreach. The Article states that Personal Data may only be used for marketing if it was collected directly from the Data Subject and if the individual has provided consent in accordance with the PDPL.

Sensitive Personal Data is excluded entirely, prohibiting its use in all marketing contexts. The Article reinforces the PDPL’s core requirements of transparency, lawful processing, individual autonomy, and protection against inappropriate or intrusive marketing practices.

The Regulations will define further controls for how these conditions must be applied by controllers.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 26

With the exception of Sensitive Data, Personal Data may be processed for marketing purposes, if it is collected directly from the Data Subject and their consent is given in accordance with the provisions of Law; the Regulations shall set out the controls in such regard.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Direct-Source Requirement

The Article requires that Personal Data used for marketing must have been collected directly from the Data Subject. The text specifies that only data obtained through direct interaction with the individual may be used, meaning Personal Data acquired from third parties, indirect channels, or unrelated sources does not satisfy the Article’s conditions.

This preserves the integrity of data collection and ensures the individual understands the origin and intended use of their Personal Data.

Consent-Driven Processing

The Article further states that marketing use of Personal Data is permitted only when the Data Subject has given consent in accordance with the provisions of the PDPL. The wording requires that such consent meet all legal standards set out in the Law, ensuring that individuals voluntarily and knowingly authorize the marketing use of their Personal Data.

This clause prevents marketing activities based on assumptions, implied consent, or prior relationships that do not meet PDPL consent requirements.

Sensitive-Data Exclusion

The Article makes an explicit exception prohibiting the use of Sensitive Personal Data for marketing purposes. This categorical exclusion means that, regardless of consent or collection method, Sensitive Personal Data cannot be processed for marketing in any form.

The text reinforces the PDPL’s heightened protections for Sensitive Data by ensuring it is entirely removed from marketing workflows.

Regulatory Controls Framework

The Article concludes by stating that the Regulations will set out the controls governing marketing-related processing of Personal Data. This clause delegates procedural and operational details to the Implementing Regulations, which will clarify how controllers must apply the Article’s conditions, including the manner of obtaining consent, verifying direct collection, and ensuring compliance.

The Article’s wording confirms that the specifics of marketing controls are defined outside the Article itself.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can we use customer data for marketing if they previously made a purchase?

Not by default. Article 26 requires a valid legal basis for using Personal Data in marketing, and a past purchase does not automatically grant permission.

What is the difference between “using data for marketing” and “sending marketing messages” under PDPL?

Using data for marketing refers to processing Personal Data for targeting, segmentation, or analytics. Sending marketing messages is the outbound communication itself. Article 26 focuses on the use of Personal Data that enables marketing activities.

In e-commerce, can we analyze customer purchase history to recommend similar products?

Only if allowed under a valid basis consistent with Article 26. If the analysis has marketing intent, the customer must have agreed to such use or the processing must fit an approved PDPL condition.

Can a business build marketing profiles using Personal Data collected for another purpose?

Not without ensuring the new marketing purpose aligns with PDPL requirements. Article 26 prohibits repurposing Personal Data for marketing unless the legal conditions are met.

In fintech, can we use transaction patterns to market new financial products?

Not automatically. Article 26 applies because financial transactions contain Personal Data, and any marketing use requires a proper basis.

If a user opts out of marketing messages, can we still use their data internally for audience analytics?

Only if the analytics serve a purpose other than marketing. If the analysis contributes to marketing, the opt-out must be respected.

Are Processors allowed to use Personal Data for their own marketing?

No, Processors may not use the data for any purpose other than the Controller’s instructions. Article 26 makes clear that marketing use must be authorized by the Controller and follow PDPL rules.

In SaaS products, can we use customer behavioral data to improve campaigns for other clients?

No, because that would repurpose Personal Data for marketing unrelated to the original Controller. Article 26 restricts using data for marketing outside the intended relationship.

Does Article 26 allow using anonymized data for marketing insights?

Yes, if the data is fully anonymized and cannot be linked to an individual. If re-identification is possible, it counts as Personal Data and Article 26 applies.

Can healthcare providers use appointment history to market wellness programs?

Only if the user has consented or another PDPL basis applies. Health-related data increases sensitivity, so Article 26 must be applied carefully.

Common misconception, “If the user gives their email, we can use it for marketing.” Is that correct under KSA PDPL?

No, providing contact details does not equal marketing permission. Article 26 requires a lawful ground for any marketing use of Personal Data.

If we outsource our marketing to an agency, who is responsible for PDPL compliance?

The Controller remains responsible for ensuring marketing use complies with Article 26. Agencies act as Processors and must follow the Controller’s instructions.
