KSAPDPL.COM

Saudi PDPL Article 28 – Restriction on Copying Official Documents

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 28 establishes clear restrictions on copying official documents that can identify an individual. Copies of passports, national IDs, and similar documents may not be made unless a specific law requires it or a competent public authority formally instructs the controller to copy such materials.

These limits ensure that copying only occurs when authorized under the PDPL and the Regulations. This framework restricts the handling of official identification documents to situations with a defined legal or governmental basis.
 

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 28

It is not permissible to copy official documents where Data Subjects are identifiable, except where it is required by law, or when a competent public authority requests copying such documents pursuant to the Regulations.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Copying Requires Legal Basis

Article 28 states that a controller is not permitted to copy official documents that make a Data Subject identifiable unless a specific legal requirement applies. Copying is only allowed when a law mandates it or when a competent public authority issues a formal request in accordance with the Regulations. This ensures that sensitive identification materials such as passports or national identity documents are not copied without a lawful and clearly defined basis.

The Article restricts duplication of these documents to situations where legal authority explicitly requires or authorizes the action.

Authority Directed Copying

The Article further explains that copying official documents becomes permissible when a competent public authority instructs the controller to make such copies under the Regulations. This condition confirms that the controller may only proceed when the request is formally issued and aligned with the regulatory framework. By requiring such authorization, the Article ensures that any copying of official documentation is controlled, monitored, and limited to authorized government or public sector functions.

This maintains accountability and prevents unauthorized handling of identification information.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can businesses make copies of national IDs or passports for convenience?
Not by default. Article 28 restricts copying official documents unless an exception applies or another law permits it.
Does taking a photo of a customer’s ID for onboarding count as “copying” under Article 28?
Yes, creating a digital or physical copy is considered copying. Article 28 applies regardless of format.
In e-commerce, can we ask customers to upload their ID to verify their identity?
Only if a legal requirement or valid PDPL basis supports collecting a copy of the ID. Convenience or internal preference is not enough.
What is the difference between “viewing” an ID and “copying” it under PDPL?
Viewing allows a business to check identity without storing a copy. Copying means creating a record, which is restricted under Article 28.
In HR, can employers keep copies of employee IDs for payroll or residency compliance?
Yes, if another law requires it, such as labor, immigration, or tax regulations. Article 28 allows copying when mandated by law.
Can a SaaS platform request users to upload official documents for KYC?
Only if the Controller has a valid legal basis for collecting those copies. Article 28 prevents collecting official document copies without justification.
Does masking part of the ID number allow us to store the document under Article 28?
Masking reduces risk but does not bypass Article 28. The key question is whether copying the document itself is permitted.
In fintech, can we store scanned IDs to prevent fraud?
Only if supported by a legal requirement or a PDPL-aligned basis that fits within Article 28’s restrictions. Fraud prevention alone does not automatically permit copying.
Can hotels in Saudi Arabia copy guest passports during check-in?
Only if required by applicable regulations. Article 28 allows copying when another law mandates it.
Common misconception: “If the customer uploads their ID voluntarily, it is allowed.” Is that correct under the KSA PDPL?
No, voluntary upload does not override Article 28 restrictions. The Controller still needs a permitted ground to keep the copy.
Does Article 28 apply to both Saudi and foreign official documents?
Yes, it applies to official documents used to identify individuals, regardless of nationality.
If an organization only needs certain details from an official document, can it store those without keeping a copy?
Yes, storing extracted information is different from copying the full document. Article 28 restricts copying, not lawful collection of necessary data points.
