Implementing Regulation of PDPL Article 2 explains that the PDPL does not apply to individuals who process personal data solely for private, family, or social purposes. If you handle personal data within your household or small social circle—for example, sending invitations to a family wedding or organizing a friends-only event—you are not subject to the obligations of the PDPL.
However, this exemption has strict limits. If an individual publishes personal data to the public, or uses it for any commercial, professional, or nonprofit purpose, the exemption no longer applies. In those cases, the individual may be considered a Controller under the Law and must comply with all PDPL obligations.
Implementing Regulation of PDPL Article 2 (1)
Exemption from PDPL
The provisions of the Law and its Regulations shall not apply to an individual Processing Personal Data for purposes not exceeding personal or family use.
Implementing Regulation of PDPL Article 2 (2)
Defined Social Circle
Personal or family use, as referred to in Article 2 of the Law, means that an individual Processing Personal Data within their family or limited social circle as part of any social or family activity.
The following shall not be considered personal or family use:
Implementing Regulation of PDPL Article 2 (3) (a)
Public Disclosure Invalidates
An individual publishing Personal Data to the public or disclosing it to any person outside the scope specified in paragraph (2) of this article.
Implementing Regulation of PDPL Article 2 (3) (b)
Commercial Use Prohibited
Using Personal Data for professional, commercial, or non-profit purposes.
Explanation of Implementing Regulation of PDPL Article 2
Personal/family use is not regulated:
Saudi PDPL Article 2 (1) says, individuals handling personal data only within private or family settings aren’t bound by the PDPL.
Clarifies what counts as personal/family use:
Saudi PDPL Article 2 (2) additionally says, this includes activities involving one’s family or limited friends circle.
Sharing data publicly removes exemption
Saudi PDPL Article 2 (3) (a) says, if you share someone’s data publicly, PDPL protections apply—even if your intent was personal.
Commercial use is not “personal”
Saudi PDPL Article 2 (2) (b) clarifies that, using data for business, freelancing, or nonprofit work makes PDPL applicable.
