Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 6 defines the specific situations where personal data may be processed without obtaining consent. These exceptions apply when contacting the individual is not feasible, when processing is required by law or by a prior agreement, when a public entity must perform security or judicial functions, or when the Controller has a legitimate interest that does not affect the rights of the Data Subject and does not involve Sensitive Data.
The Regulations will set the detailed conditions and controls for applying each exception.
SDAIA's Official PDPL Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 6
In the following cases, Processing of Personal Data shall not be subject to the consent referred to in Paragraph (1) of Article (5) herein:
- The Processing serves actual interests of the Data Subject, but communicating with the Data Subject is impossible or difficult.
- The Processing is pursuant to another law or in implementation of a previous agreement to which the Data Subject is a party.
- The Controller is a Public Entity and the Processing is required for security purposes or to satisfy judicial requirements.
- The Processing is necessary for the purpose of legitimate interest of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed. Related provisions and controls are set out in the Regulations.
Plain-Language PDPL Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
PDPL Article 6(1)
Benefit When Contact Is Impossible (Actual Interests)
This provision allows processing without consent when it is necessary to achieve a clear benefit for the Data Subject and when contacting the individual is impossible or difficult. The provision applies to situations where obtaining consent is not feasible and the processing serves the Data Subject’s actual interests.
This ensures that necessary processing can occur when practical or urgent constraints prevent contacting the individual.
PDPL Article 6(2)
Processing Required By Law Or Agreement
This provision states that consent is not required when processing is carried out under another law or to implement a previous agreement involving the Data Subject. The text covers circumstances where an existing legal obligation or contractual requirement already governs the processing.
This ensures that Controllers may fulfill legal or agreed-upon duties without seeking separate consent.
PDPL Article 6(3)
Processing For Public Entity Functions
This provision applies when the Controller is a public entity and the processing is required for security purposes or to meet judicial requirements. The text recognizes the need for public entities to perform specific functions that rely on personal data.
It allows processing without consent when such activities fall within these defined purposes.
PDPL Article 6(4)
Processing For Legitimate Interest
This provision allows processing when it is necessary for the Controller’s legitimate interest, provided the rights and interests of the Data Subject are not harmed and the data processed is not sensitive. The Regulations will define the related provisions and controls.
This exception ensures that necessary non-sensitive processing may occur when the Controller’s legitimate interest justifies it and the individual’s rights remain protected.
Frequently Asked Questions (FAQs)
It can; the practical test is whether the reason for using the data has shifted. If the new use is a different purpose than what the person originally agreed to, consent is usually needed unless an exception applies.
Not automatically; it depends on whether the customer consented to processing for those different purposes. A practical rule is to separate core service use from optional analytics or profiling purposes when you design consent.
Use a conservative rule: explicit consent is required in certain cases, and the Implementing Regulations define when. If your use case feels higher impact or sensitive, treat explicit consent as a likely requirement in practice and verify against the Regulations.
Consent may need to come from a legal guardian when the person lacks full or partial legal capacity. The detailed terms and conditions for guardian consent are set by the Regulations.
Do not assume that; consent has its own conditions that the Regulations set out. If the HR activity goes beyond the original agreed purpose, you should treat it as a purpose change and check whether consent is required or an exception applies.
The right to withdraw is always there, and the practical mechanism is set by the Regulations. In practice, many organizations provide a clear, accessible way to withdraw, then align the internal process to the regulatory controls.
Typically the Controller is responsible for ensuring consent is obtained and managed properly for the processing it controls. A vendor acting as a Processor may support the tooling, but the Controller remains accountable for the consent position and purpose decisions.
The user can withdraw at any time, and the Regulations set the controls for handling withdrawal. In practice, organizations stop the processing that relied on that consent, while following the regulatory process for how withdrawal is implemented.