Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 5 establishes consent as a core requirement before processing personal data or changing its purpose. It sets the conditions for obtaining valid consent, including cases where a legal guardian must provide it when an individual lacks full legal capacity.
The Article also grants individuals the right to withdraw their consent at any time, with Regulations defining the mechanisms for withdrawal and the controls that apply when consent is withdrawn.
SDAIA's Official PDPL Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 5
- Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject. The Regulations Shall set out the conditions of the consent, the cases in which the consent must be explicit, and the terms and conditions related to obtaining the consent of the legal guardian if the Data Subject fully or partially lacks legal capacity.
- In all cases, Data Subject may withdraw the consent mentioned in Paragraph (1) of this Article at any time; the Regulations determines the necessary controls for such case.
Plain-Language PDPL Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
PDPL Article 5(1)
Consent Required For Processing
This provision makes clear that personal data cannot be processed without the consent of the individual unless an exception is provided elsewhere in the Law. It also prohibits changing the purpose of processing without obtaining consent.
The Regulations will describe the conditions for valid consent, including when explicit consent is required. The provision also states that consent may need to come from a legal guardian if the individual lacks full or partial legal capacity.
This ensures that consent is obtained in a manner that reflects the individual’s legal status and the requirements for proper authorization.
PDPL Article 5(2)
Right to Withdraw Consent
This is a separate, standalone right. It states that in all cases, the Data Subject has the right to withdraw their consent at any time.
The provision clarifies that the Implementing Regulations will determine the necessary controls and procedures for how this withdrawal is to be executed by Controllers. The right to withdraw is absolute for the Data Subject, but the practical mechanism for doing so will be standardized by the Regulations.
Frequently Asked Questions (FAQs)
As a rule of thumb, yes, consent is required unless the Saudi Personal Data Protection Law (KSA PDPL) provides an exception elsewhere. If you are unsure whether an exception applies, treat consent as the default starting point.
It can. The practical test is whether the reason for using the data has shifted. If the new use is a different purpose from the one the person originally agreed to, consent is usually needed unless an exception applies.
Not automatically. It depends on whether the customer consented to processing for those different purposes. A practical rule is to separate core service use from optional analytics or profiling purposes when you design consent.
Use a conservative rule: explicit consent is required in certain cases, and the Implementing Regulations define when. If your use case feels higher impact or sensitive, treat explicit consent as a likely requirement in practice and verify against the Regulations.
Consent may need to come from a legal guardian when the person lacks full or partial legal capacity. The detailed terms and conditions for guardian consent are set by the Regulations.
Do not assume that. Consent has its own conditions that the Regulations set out. If the HR activity goes beyond the original agreed purpose, you should treat it as a purpose change and check whether consent is required or an exception applies.
The right to withdraw is always there, and the practical mechanism is set by the Regulations. In practice, many organizations provide a clear, accessible way to withdraw, then align the internal process to the regulatory controls.
Typically, the Controller is responsible for ensuring consent is obtained and managed properly for the processing it controls. A vendor acting as a Processor may support the tooling, but the Controller remains accountable for the consent position and purpose decisions.
The user can withdraw at any time, and the Regulations set the controls for handling withdrawal. In practice, organizations stop the processing that relied on that consent, while following the regulatory process for how withdrawal is implemented.