KSAPDPL.COM


PDPL Implementing Regulation Article 1 – Definitions

Overview

Saudi PDPL Implementing Regulation Article 1 defines the core terminology that applies across the Implementing Regulation of the Personal Data Protection Law (PDPL). These definitions clarify how SDAIA expects Controllers and Processors to interpret key legal terms when fulfilling their PDPL compliance obligations.

Article 1 acts as the reference point for critical concepts such as personal data breach, direct marketing, anonymisation, explicit consent, legitimate interest, and pseudonymisation.

SDAIA's Official PDPL Implementing Regulation Text

The text below reproduces the official PDPL law, regulation, or guideline text issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 1: Definitions

The terms and phrases used in this Regulation shall have the meanings assigned to them in Article (1) of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443H and amended by Royal Decree No. (M/148) dated 5/9/1444 AH. The following terms and phrases - wherever used in this Regulation - shall have the meanings assigned to them, unless the context requires otherwise:

  1. Regulation: The Implementing Regulation of the Law.

  2. Direct Marketing: Communicate with the Data Subject by any direct physical or electronic means with the aim of directing marketing material; this includes but is not limited to advertisements or promotions.

  3. Personal Data Breach: Any incident that leads to the Disclosure, Destruction, or unauthorized access to Personal Data, whether intentional or accidental, and by any means, whether automated or manual.

  4. Vital Interest: Any interest necessary to preserve the life of a Data Subject.

  5. Actual Interest: refers to any moral or material interest of the Data Subject that is directly linked to the purpose of Processing Personal Data, and the Processing is necessary to achieve that interest.

  6. Legitimate Interest: refers to any necessary interest of the Controller that requires the Processing of Personal Data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject.

  7. Pseudonymisation: Conversion of the main identifiers that indicate the identity of the Data Subject into codes that make it difficult to directly identify them without using additional data or information. The pseudonymised data or additional information should be kept separately, and appropriate technical and administrative controls should be implemented to ensure that they are not specifically linked to the data subject's identity.

  8. Anonymisation: Removal of direct and indirect identifiers that indicate the identity of the Data Subject in a way that permanently makes it impossible to identify the Data Subject.

  9. Explicit Consent: Direct and explicit consent given by the Data Subject in any form that clearly indicates the Data Subject's acceptance of the Processing of their Personal Data in a manner that cannot be interpreted otherwise, and whose obtention can be proven.

Plain-Language PDPL Implementing Regulation Explanation

The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.

The Implementing Regulation begins by defining the foundational terms that apply across all regulatory clauses. These definitions ensure consistent interpretation of the Regulation and clarify how SDAIA expects Controllers and Processors to apply PDPL concepts in practical environments.


While PDPL Law Article 1 provides the core legal definitions, the Implementing Regulation expands on operational and contextual meanings that directly influence compliance, governance, and risk management.


Every definition in this Article should be read as binding guidance for how terms must be interpreted when implementing controls, managing risk, or applying PDPL obligations in real systems, processes, and activities.

PDPL Implementing Regulation Article 1(1)

Regulation

This definition confirms that terms used in the Implementing Regulation correspond to the meanings assigned in PDPL Article 1 unless explicitly stated otherwise.


The purpose is to maintain consistency across the PDPL ecosystem so that Controllers and Processors interpret obligations uniformly.


The Law remains the primary reference point, and the Implementing Regulation elaborates only where technical or operational specificity is required. If a term appears in both documents, the meaning in the Law prevails unless the Regulation refines its scope for implementation.

PDPL Implementing Regulation Article 1(2)

Direct Marketing

Direct marketing refers to any communication directed at an individual for promotional, advertising, or marketing purposes. This applies to physical channels such as printed mailers as well as digital channels such as SMS, email, push notifications, or in-app messages.


The definition captures any communication designed to influence behavior or promote services, products, or offers. Under the PDPL, this definition is important because direct marketing often requires valid consent, respect for the Data Subject’s right to object, and the obligation to avoid intrusive or excessive outreach.


SDAIA interprets direct marketing broadly, and Controllers should assume that any targeted promotional activity falls within this definition.

PDPL Implementing Regulation Article 1(3)

Personal Data Breach

A personal data breach covers any incident in which Personal Data is exposed, accessed, destroyed, altered, or disclosed without proper authorization. This definition covers both intentional and accidental events. It also includes unauthorized access by internal employees, external parties, or automated tools or systems.


Breaches may occur due to security failures, human error, or malicious activity. Under the PDPL, this definition triggers mandatory reporting obligations to SDAIA and impacts the requirement to notify Data Subjects when their rights or interests may be harmed.


The broad scope ensures that Controllers maintain high vigilance and treat any compromise of Personal Data as a regulated incident.

PDPL Implementing Regulation Article 1(4)

Vital Interest

Vital interest refers to processing that is strictly necessary to protect the life of a Data Subject. This is a narrow legal basis that applies only in emergency situations where the Data Subject cannot provide consent, such as medical crises, life-threatening events, or urgent interventions to preserve safety. The definition does not extend to broader welfare scenarios, operational needs, or beneficial services.


Controllers must interpret this basis cautiously and document why the processing was essential to protect life. SDAIA’s expectation is that vital interest is invoked rarely and only when processing is indispensable for survival or immediate physical protection.

PDPL Implementing Regulation Article 1(5)

Actual Interest

Actual interest refers to a moral or material benefit to the Data Subject that is directly tied to the specific purpose of processing. The processing must be necessary to achieve this benefit, and the interest must relate directly to the individual rather than the Controller.


This definition reinforces that certain processing activities may be justified when they genuinely serve the Data Subject’s needs, provided that the connection between the interest and the processing is direct, demonstrable, and specific.


This interest is not a substitute for consent or legitimate interest and should only be applied when processing is clearly aligned with the Data Subject’s personal benefit.

PDPL Implementing Regulation Article 1(6)

Legitimate Interest

Legitimate interest refers to a necessary interest of the Controller that requires the processing of Personal Data for a specific purpose. However, it may only be relied upon if it does not adversely affect the rights or interests of the Data Subject. This introduces a balancing test requirement, meaning Controllers must assess whether their operational or business needs outweigh potential privacy impacts.


The interest must be real, specific, and documented. SDAIA expects Controllers to avoid broad or vague interpretations and to rely on this basis only when the processing is essential and proportionate. Legitimate interest does not permit intrusive or unexpected processing.

PDPL Implementing Regulation Article 1(7)

Pseudonymisation

Pseudonymisation refers to the processing of identifiers in a way that makes it difficult to directly identify a Data Subject without additional information. The key feature is that the identifiers are separated from the dataset and stored independently. Even though the identity is obscured, re-identification remains technically possible if the additional information is accessed or combined.


SDAIA requires Controllers to implement strong administrative, technical, and access-control measures to ensure that pseudonymised data cannot be easily relinked to individuals. This technique reduces privacy risks but does not remove the dataset from PDPL scope because the data is still considered Personal Data.

PDPL Implementing Regulation Article 1(8)

Anonymisation

Anonymisation refers to the permanent removal of both direct and indirect identifiers so that a Data Subject can no longer be identified by any means. Unlike pseudonymisation, anonymisation must be irreversible. This requires technical methods that eliminate the possibility of re-identification, even when combined with other datasets or external information. Once anonymised, the data is no longer Personal Data and is outside PDPL scope.


SDAIA sets a high bar for anonymisation because weak or reversible methods pose significant privacy risks. Controllers must ensure that anonymisation techniques are robust, tested, and consistent with data protection best practices.
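To make the distinction between Article 1(7) and Article 1(8) concrete, here is an added illustration in Python. It is not part of the regulation text or of this site's material; it assumes constructed, fictional records, HMAC-SHA256 as the "code" that replaces the main identifiers, and a secret key as the separately held "additional information" that alone allows relinking.

```python
import hashlib
import hmac

# Constructed sample records; the people and values are fictional.
RECORDS = [
    {"name": "Alice Example", "national_id": "1000000001",
     "email": "alice@example.com", "age": 34, "city": "Riyadh", "plan": "gold"},
    {"name": "Bob Example", "national_id": "1000000002",
     "email": "bob@example.com", "age": 51, "city": "Jeddah", "plan": "basic"},
]

# Article 1(7): the "main identifiers that indicate the identity of the Data Subject".
DIRECT_IDENTIFIERS = ("name", "national_id", "email")
# Attributes that do not identify on their own but may do so in combination.
INDIRECT_IDENTIFIERS = ("age", "city")


def subject_token(national_id, key):
    """Keyed, deterministic code for one Data Subject (HMAC-SHA256, an assumed
    choice). Without `key` the code cannot be turned back into the identifier;
    with it the Controller can relink, so `key` is the 'additional information'."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace direct identifiers by a token; indirect attributes are kept.
    The output is still Personal Data, and `key` must be stored and
    access-controlled separately from it."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_token": subject_token(rec["national_id"], key), **kept})
    return out


def anonymise(records):
    """Article 1(8): drop direct identifiers entirely and coarsen indirect ones.
    Whether the result is truly irreversible depends on the whole dataset and
    on what other data exists, so it must be tested rather than assumed."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items()
                if k not in DIRECT_IDENTIFIERS and k not in INDIRECT_IDENTIFIERS}
        low = rec["age"] // 10 * 10
        kept["age_band"] = f"{low}-{low + 9}"
        out.append(kept)
    return out
```

Generate `key` once from a cryptographically secure source and keep it away from the pseudonymised output; a Controller who loses or rotates the key can no longer relink, while anyone who obtains it can.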

PDPL Implementing Regulation Article 1(9)

Explicit Consent

Explicit consent is a direct, unambiguous, and affirmative indication from the Data Subject demonstrating acceptance of a specific processing activity. The consent must be clear, intentional, and capable of being proven by the Controller. It cannot rely on assumptions, silence, pre-ticked boxes, or ambiguous language.


Consent must relate to a defined purpose, and Data Subjects must be informed of their rights, including the right to withdraw consent at any time. The definition reinforces the PDPL’s emphasis on transparency and user autonomy. Controllers must ensure that every act of obtaining consent is documented and that records can be presented to SDAIA when required.

Frequently Asked Questions (FAQs)

What is the main purpose of Article 1 of the PDPL Implementing Regulation?

Article 1 provides the official definitions used throughout the PDPL Implementing Regulation. These definitions help organizations interpret their obligations consistently under the Saudi Personal Data Protection Law (KSA PDPL).

Does Article 1 redefine terms already found in the Saudi PDPL?

It builds on the PDPL's terminology by clarifying how certain terms should be understood in regulatory practice. It does not replace the PDPL's main definitions but complements them.

If my company is unsure whether our activity counts as "processing," should we rely on Article 1?

Yes, Article 1 helps clarify the scope of processing activities. It is the starting point for interpreting what actions fall under PDPL obligations.

Is there a difference between how "controller" is defined in the PDPL and in the Implementing Regulation?

The Implementing Regulation aligns with the PDPL but adds practical clarity. The core concept remains the same, focusing on who determines the purpose and means of processing.

Does Article 1 help determine whether my vendor is a processor or a controller?

Yes, the definitions guide you in assessing roles based on responsibility for decisions. In practice, controllers decide the "why," and processors follow instructions.

Can a single organization be both a controller and a processor under these definitions?

Yes, depending on the activity. Article 1 definitions help organizations understand that roles are context-specific, not static.

Does Article 1 define what counts as "Personal Data" for PDPL compliance?

Yes, it supports the PDPL's definition by clarifying the types of information covered. This helps businesses decide what data must be handled under PDPL rules.

How does Article 1 treat automated versus manual data processing?

The definitions cover both, meaning PDPL obligations apply regardless of how data is processed. The distinction does not remove compliance responsibility.

Does Article 1 address what is considered "Sensitive Personal Data"?

It aligns with the PDPL's definition and frames how sensitive categories should be interpreted. This distinction matters because stricter rules apply to sensitive data.

Is location data considered Personal Data based on the Article 1 definitions?

If it can identify an individual, yes. The definitions focus on identifiability rather than the type of data.

Does Article 1 clarify what constitutes "Public Authority" or "Competent Authority"?

Yes, it provides clarity so organizations understand when certain PDPL rules involve government bodies. This helps avoid misinterpretation in reporting or coordination.

What is a common misconception about Article 1 of the Implementing Regulation?

Many assume it is optional guidance, but it is a binding interpretation framework. Every obligation in the Implementing Regulation relies on these definitions.
