Overview
PDPL Implementing Regulation Article 13 defines how legal guardians act on behalf of Data Subjects who fully or partially lack legal capacity. It sets out the guardian’s authority to exercise rights and provide consent, the requirement to verify guardianship validity, and the safeguards that apply when a guardian gives consent.
It ensures that processing remains in the best interests of the Data Subject while maintaining compliance with the Personal Data Protection Law (PDPL).
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 13: Legal Guardian
- Considering applicable legal requirements, the legal guardian of the Data Subject that fully or partially lacks legal capacity shall act in the best interests of the Data Subject and for this purpose, they have the following options:
- Exercise the rights granted to the Data Subject under the Law and this Regulation.
- Consent to the Processing of the Data Subject's Personal Data in accordance with the provisions of the Law and this Regulation.
- In addition to what is stipulated in paragraph (1) of Article 11 of this Regulations, in case of Processing Personal Data of a Data Subject that fully or partially lacks legal capacity, obtaining the consent of the legal guardian is conditional upon taking appropriate measures to verify validity of guardianship over the Data Subject.
- When obtaining the consent from the legal guardian of a Data Subject that fully or partially lacks legal capacity, the Controller shall comply with the following provisions:
- It shall not cause any harm to the interests of the Data Subject.
- It shall enable the Data Subject to exercise their rights as provided in the Law and this Regulation when they reach legal capacity.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 13(1)
Best Interests And Guardian Authority
This provision states that the legal guardian of a Data Subject who fully or partially lacks legal capacity must act in the Data Subject’s best interests. It specifies that the guardian has two options listed in subparagraphs (a) and (b).
The provision establishes the foundational role of the guardian in exercising rights and making decisions under the Law and the Regulation.
Article 13(1)(a)
Guardian May Exercise Data Subject Rights (DSR)
Article 13(1)(b)
Guardian May Provide Consent For Processing
Article 13(2)
Verification of Valid Guardianship
Article 13(3)
Safeguards When Accepting Guardian Consent
This provision states that when obtaining consent from the legal guardian of a Data Subject who lacks full or partial legal capacity, the Controller must comply with the provisions listed in subparagraphs (a) and (b).
It introduces requirements to ensure that guardian consent aligns with the Data Subject’s interests and future rights.
