KSAPDPL.COM

Saudi PDPL Article 9 – Limits on Data Subject Access Rights

Overview

Personal Data Protection Law (PDPL) Article 9 establishes the limits and restrictions that may apply to an individual’s right to access their personal data. It defines when a Controller may set time frames, restrict access, or prevent access entirely, including circumstances involving harm, security requirements, or obligations under other laws.

The Regulations and Article 16 specify the detailed cases where access must be restricted.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 9

  1. The Controller may set time frames for exercising the right to access Personal Data stated in Paragraph (2) of Article (4) herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:

    1. If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth in the Regulations.

    2. If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.

  2. The Controller shall prevent the Data Subject from accessing Personal Data in any of the situations stated in Paragraphs (1, 2, 3, 4, 5) and (6) of Article (16) herein.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 9(1)

Setting Time Frames For Access

This provision allows Controllers to establish time frames for Data Subject access requests as defined in the Regulations. The Controller may apply such time frames to ensure that access is handled according to the procedures and requirements set out by the Law.

This provides structure for how and when access requests may be fulfilled.

Article 9(1)(a)

Limiting Access To Prevent Harm

This provision allows the Controller to limit a Data Subject’s access request when doing so is necessary to protect the Data Subject or another party from harm. The limitation must align with the requirements established in the Regulations.

This ensures that access does not create or increase risk to individuals.

Article 9(1)(b)

Limits Required For Public Entity Duties

This provision applies when the Controller is a public entity. It allows the Controller to restrict access when necessary for security purposes, when required by another law, or when needed to fulfill judicial requirements.

This ensures that access rights do not interfere with public sector duties that involve legal, security, or judicial obligations.

Article 9(2)

Mandatory Access Denial Conditions

This provision states that the Controller must prevent access to personal data when any of the situations listed in Article 16 paragraphs 1 through 6 apply. This creates mandatory denial scenarios defined elsewhere in the Law.

The Controller must follow these limitations to ensure compliance with Article 16.
