KSAPDPL.COM

PDPL Implementing Regulation Article 18 – Further Processing of Personal Data

Overview

PDPL Implementing Regulation Article 18 sets the requirements a Controller must follow when processing Personal Data for a purpose different from the one for which it was originally collected. It explains how purposes must be defined, how documentation must reflect the scope of data needed, and how data minimization principles apply.

It also lists additional obligations when processing for new purposes under Article 10, including identifying the type of data and ensuring that the processing remains appropriate.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 18: Processing data for a purpose other than the one for which it was collected

  1. When the Controller processes Personal Data for a purpose other than the one for which it was initially collected as provided in Article 10 of the Law, it shall do the following:

    a. Clearly and specifically define the Processing purposes.

    b. Document the procedures to fix scope of data to be processed in accordance with specific purposes, including the use of data maps that indicate the need for each processed data and link it to each Processing purpose.

    c. Take necessary measures to ensure that the Personal Data is collected while respecting data minimization principle to achieve the purposes as set in paragraph (b) above.

  2. Except for cases stated in paragraph (3) of Article 10 of the Law, when the Controller processes Personal Data for a purpose other than the one for which it was initially collected as provided in paragraphs (1), (2), (4), (5), and (6) of Article 10 of the Law, the Controller shall comply with the following:

    a. Clearly and accurately define the purpose of the Processing and refer to it in the records of Personal Data Processing activities.

    b. Limit the Collection and Processing of the Personal Data to the minimum amount necessary to achieve the purpose.

    c. Identify the type of Personal Data to be processed and the necessary measures to ensure that such data is processed appropriately.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 18(1)

Requirements For New Processing Purpose

This provision applies when a Controller processes Personal Data for a purpose that differs from the original purpose of collection. It requires the Controller to define the new purpose clearly, document how the scope of data aligns with that purpose, and apply the principle of data minimization when collecting or processing the data needed for the new purpose.

Article 18(1)(a)

Define Processing Purpose

This provision requires the Controller to clearly and specifically define the new processing purposes before using the Personal Data for those purposes. It ensures that processing is intentional and appropriately justified.

Article 18(1)(b)

Document Personal Data Scope

This provision requires the Controller to document procedures that determine the scope of data needed for the new purpose. It includes using data maps to show why each data element is needed and how it relates to the processing purpose.

Article 18(1)(c)

Apply Data Minimization

This provision requires the Controller to take necessary measures to ensure that only the minimum amount of Personal Data is collected or processed for the new purpose. It supports the requirement that data use must align with what is needed for the documented purpose.

Article 18(2)

Additional Rules For New Purpose

This provision sets additional obligations for processing Personal Data for a new purpose under Article 10, except for the case described in Article 10(3). It requires clear definition of the new purpose, minimal collection of data, and correct identification of the types of Personal Data involved.

Article 18(2)(a)

Record Processing Purpose

This provision requires the Controller to define the new purpose accurately and reference it in the Controller’s records of Personal Data Processing activities. It ensures that internal records reflect the updated purpose.

Article 18(2)(b)

Limit Data Use

This provision requires the Controller to limit both the collection and processing of Personal Data to what is strictly necessary for the new purpose. It reinforces the application of the data minimization principle.

Article 18(2)(c)

Identify Personal Data And Measures

This provision requires the Controller to identify the type of Personal Data involved in the new purpose and determine the measures needed to ensure that such data is processed appropriately. It ensures suitability of processing in relation to the nature of the data.
