KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

Saudi PDPL Article 1 – Definitions
Saudi PDPL Article 2 – Scope of Personal Data Processing
Saudi PDPL Article 3 – Additional Rights Protection
Saudi PDPL Article 4 – Data Subject Rights (DSR)
Saudi PDPL Article 5 – Consent Requirements for Processing
Saudi PDPL Article 6 – Consent Exceptions for Processing
Saudi PDPL Article 7 – No Forced Consent
Saudi PDPL Article 8 – Controller Obligations for Processors
Saudi PDPL Article 9 – Limits on Data Subject Access Rights
Saudi PDPL Article 10 – Exceptions to Direct Collection Rule
Saudi PDPL Article 11 – Purpose and Collection Limits
Saudi PDPL Article 12 – Privacy Policy Requirements
Saudi PDPL Article 13 – Personal Data Collection Disclosure Requirements
Saudi PDPL Article 14 – Personal Data Accuracy Obligation
Saudi PDPL Article 15 – Permitted Personal Data Disclosure Conditions
Load More

Saudi PDPL Article 28 – Restriction on Copying Official Documents

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: December 26, 2025
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 28 establishes clear restrictions on copying official documents that can identify an individual. Copies of passports, national IDs, and similar documents may not be made unless a specific law requires it or a competent public authority formally instructs the controller to copy such materials.

These limits ensure that copying only occurs when authorized under the PDPL and the Regulations. This framework restricts the handling of official identification documents to situations with a defined legal or governmental basis.
 

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 28

It is not permissible to copy official documents where Data Subjects are identifiable, except where it is required by law, or when a competent public authority requests copying such documents pursuant to the Regulations.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Copying Requires Legal Basis

Article 28 states that a controller is not permitted to copy official documents that make a Data Subject identifiable unless a specific legal requirement applies. Copying is only allowed when a law mandates it or when a competent public authority issues a formal request in accordance with the Regulations. This ensures that sensitive identification materials such as passports or national identity documents are not copied without a lawful and clearly defined basis.

The Article restricts duplication of these documents to situations where legal authority explicitly requires or authorizes the action.

Authority Directed Copying

The Article further explains that copying official documents becomes permissible when a competent public authority instructs the controller to make such copies under the Regulations. This condition confirms that the controller may only proceed when the request is formally issued and aligned with the regulatory framework. By requiring such authorization, the Article ensures that any copying of official documentation is controlled, monitored, and limited to authorized government or public sector functions.

This maintains accountability and prevents unauthorized handling of identification information.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top