KSAPDPL.COM


PDPL Implementing Regulation Article 11 – Consent

Overview

PDPL Implementing Regulation Article 11 sets out the requirements for obtaining valid consent from a Data Subject. It defines how consent must be given, the clarity required in processing purposes, the obligation to document consent, and the need for separate consent for each processing purpose.

It also lists specific scenarios where explicit consent is required, including sensitive data, credit data, and automated decision making.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 11: Consent

  1. The Controller shall obtain the Data Subject's consent for Processing their Data in any appropriate form or means, including written or verbal consent or by using electronic methods, subject to the following conditions:

    1. Consent shall be given freely and not obtained through misleading methods, and obtaining consent shall comply with the provisions of Article (7) of the Law.

    2. Processing purposes shall be clear, specific, and shall be explained and clarified to the Data Subject before or at the time of requesting consent.

    3. Consent shall be given by a person who has full legal capacity.

    4. Consent shall be documented in a way that allows verification in the future, such as keeping records that include the Consent of the Data Subjects regarding the Processing operations, along with the time and the method of Consent.

    5. Independent consent shall be obtained for each Processing purpose.

  2. The Data Subject's consent shall be explicit in the following cases:

    1. When the Processing involves Sensitive Data.

    2. When the Processing involves Credit Data.

    3. When decisions are made solely based on automated Processing of Personal Data.

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 11(1)

General Consent Requirements

This provision states that the Controller must obtain the Data Subject’s consent for processing their data using any appropriate form or means, including written consent, verbal consent, or electronic methods. It also states that the conditions listed in subparagraphs (a) to (e) must be met.

The provision establishes that consent must be obtained in a manner that allows the Controller to meet the detailed requirements that follow.

Article 11(1)(a)

Consent Must Be Voluntary and Informed

This provision requires that consent be given freely and not obtained through misleading methods. It also requires that obtaining consent comply with Article 7 of the Law. The provision ensures that consent is voluntary and aligned with the legal framework established in the Law.

Article 11(1)(b)

Purpose Must Be Disclosed Before Consent

This provision requires that processing purposes be clear and specific, and that these purposes be explained and clarified to the Data Subject before or at the time of requesting consent. It ensures that the Data Subject receives the necessary information to understand why their data is being processed.

Article 11(1)(c)

Consent Must Come From Legally Capable Individuals

This provision states that consent must be given by a person who has full legal capacity. It ensures that the individual providing consent is legally capable of making such decisions.

Article 11(1)(d)

Proof of Consent Must Be Maintained

This provision requires that consent be documented in a way that allows verification in the future. It provides examples, such as keeping records that include the Data Subject’s consent regarding the processing operations, along with the time and method of consent.

The provision reinforces the need for traceability and record keeping.

Article 11(1)(e)

Separate Consent For Each Processing Purpose

This provision states that independent consent must be obtained for each processing purpose. It ensures that consent is not bundled and that the Data Subject can make distinct decisions for each processing activity.

Article 11(2)

Cases Requiring Explicit Consent

This provision states that the Data Subject’s consent must be explicit in the situations listed in subparagraphs (a) to (c). It creates specific conditions under which explicit consent is mandatory.

Article 11(2)(a)

Sensitive Data Requires Explicit Consent

This provision requires explicit consent when the processing involves sensitive data. It highlights the need for a higher standard of consent for sensitive categories.

Article 11(2)(b)

Credit Data Requires Explicit Consent

This provision requires explicit consent when processing involves credit data. It ensures that heightened protections apply to this type of personal data.

Article 11(2)(c)

Automated Decisions Require Explicit Consent

This provision requires explicit consent when decisions are made solely based on automated processing of personal data. It safeguards the Data Subject by ensuring they provide explicit permission before being subject to automated decision making.
