KSA PDPL » PDPL Implementing Regulation Article 2 – Personal or Family Use

PDPL Implementing Regulation Article 2 – Personal or Family Use

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 11, 2025
Updated: January 11, 2026

Overview

Saudi PDPL Implementing Regulation Article 2 explains when an individual’s processing of personal data is excluded from the Personal Data Protection Law (PDPL). It defines personal or family use as processing within the individual’s family or limited social circle for social or family activities.

It also specifies activities that fall outside this exemption, including publishing personal data beyond that circle or using personal data for professional, commercial, or non profit purposes.

SDAIA's Official PDPL Implementing Regulation Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 2: Personal or family use

The provisions of the Law and its Regulations shall not apply to an individual Processing Personal Data for purposes not exceeding personal or family use.

Personal or family use, as referred to in Article 2 of the Law, means that an individual Processing Personal Data within their family or limited social circle as part of any social or family activity.

The following shall not be considered personal or family use:

An individual publishing Personal Data to the public or disclosing it to any person outside the scope specified in paragraph (2) of this article.

Using Personal Data for professional, commercial, or non-profit purposes.

Plain-Language PDPL Implementing Regulation Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Implementing Regulation Article 2(1)

Scope Of Exemption

This provision states that the Law and its Regulations do not apply when an individual processes personal data for purposes that do not exceed personal or family use. This establishes the boundary between regulated and unregulated processing by limiting the exemption to private activities carried out by an individual.

The focus is on processing that remains within a personal context without extending into broader or public purposes.

PDPL Implementing Regulation Article 2(2)

Personal or Family Exemption

This provision defines personal or family use as processing that occurs within the individual’s family or limited social circle as part of any social or family activity. It clarifies that the exemption applies only when processing remains within these defined relationships.

The provision links the exemption both to the nature of the activity and to the limited group of individuals involved.

PDPL Implementing Regulation Article 2(3)

Activities Not Exempt

This provision explains that certain activities are not considered personal or family use and therefore do not fall under the exemption. By identifying specific exclusions, the provision limits the scope of unregulated processing and makes clear when an individual’s actions fall within the reach of the Law and its Regulations.

PDPL Implementing Regulation Article 2(3)(a)

Public Disclosure Removes Exemption

This provision states that an individual publishing personal data to the public or disclosing it to anyone outside the family or limited social circle described in paragraph 2 is not considered to be acting within personal or family use. Once personal data is shared beyond that circle, the exemption no longer applies.

The provision reinforces that the exemption is strictly confined to private sharing within a defined group.

PDPL Implementing Regulation Article 2(3)(b)

Commercial Use Is Regulated

This provision states that using personal data for professional, commercial, or non profit purposes is not regarded as personal or family use. It distinguishes private activities from activities connected to work, business, or organized efforts.

When personal data supports any of these purposes, the processing falls under the Law regardless of who performs it.

Frequently Asked Questions (FAQs)

Does the PDPL Implementing Regulation exempt all personal or family activities from Saudi PDPL compliance?

Yes, Article 2 clarifies that purely personal or family use is outside PDPL scope. The exemption applies only when the activity is not connected to a commercial, professional, or organizational purpose.

If I store my friends’ contact details on my phone, does PDPL apply?

No, this is considered personal use. The PDPL Implementing Regulation does not cover private, non-commercial record-keeping.

Does personal use still remain exempt if I upload family photos to a private cloud account?

Yes, as long as the activity is personal and not linked to a business or public function. The exemption focuses on intent and purpose.

What if I run a small home business and store customer information at home—does personal use apply?

No, commercial activity is not considered personal or family use. Once the purpose becomes business-related, full Saudi PDPL obligations apply.

It can be, depending on the context. If the account is used casually and not for commercial or organizational purposes, the PDPL exemption may apply.

Does the personal or family exemption apply to home CCTV systems?

It depends on how the CCTV is used. If used only to protect a private residence, it typically falls under personal use, but broader monitoring may move it into PDPL scope.

Does Article 2 of the PDPL Implementing Regulation exempt domestic workers handling family information?

Yes, activities done within a household for private family purposes are generally exempt. The exemption does not extend to professional service providers or companies.

It depends on how the app uses the data. Your activity may be personal, but the service provider is still subject to the Saudi PDPL as a controller or processor.

Does the personal-use exemption apply to school projects or student research involving classmates?

If the purpose is strictly academic and not tied to a commercial or institutional processing responsibility, it often counts as personal use. Institutions, however, remain subject to PDPL.

What is a common misconception about Article 2’s personal or family-use exemption?

Many assume that “private activity” always means PDPL does not apply, but the exemption disappears the moment the activity serves a business or organizational purpose.

Does the exemption apply to informal WhatsApp groups?

the group is private and used for personal or family communication, it is generally exempt. If it organizes commercial, public, or professional activities, PDPL obligations may apply.

Who decides whether an activity is truly “personal use”?

Controllers typically assess purpose, scope, and context. Article 2 provides the criteria, but organizations must evaluate their own activities in line with the PDPL Implementing Regulation.