Overview
PDPL Implementing Regulation Article 2 explains when an individual’s processing of personal data is excluded from the Personal Data Protection Law (PDPL). It defines personal or family use as processing within the individual’s family or limited social circle for social or family activities.
It also specifies activities that fall outside this exemption, including publishing personal data beyond that circle or using personal data for professional, commercial, or non profit purposes.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 2: Personal or family use
- The provisions of the Law and its Regulations shall not apply to an individual Processing Personal Data for purposes not exceeding personal or family use.
- Personal or family use, as referred to in Article 2 of the Law, means that an individual Processing Personal Data within their family or limited social circle as part of any social or family activity.
- The following shall not be considered personal or family use:
- An individual publishing Personal Data to the public or disclosing it to any person outside the scope specified in paragraph (2) of this article.
- Using Personal Data for professional, commercial, or non-profit purposes.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 2(1)
Scope Of Exemption
This provision states that the Law and its Regulations do not apply when an individual processes personal data for purposes that do not exceed personal or family use. This establishes the boundary between regulated and unregulated processing by limiting the exemption to private activities carried out by an individual.
The focus is on processing that remains within a personal context without extending into broader or public purposes.
Article 2(2)
Personal or Family Exemption
This provision defines personal or family use as processing that occurs within the individual’s family or limited social circle as part of any social or family activity. It clarifies that the exemption applies only when processing remains within these defined relationships.
The provision links the exemption both to the nature of the activity and to the limited group of individuals involved.
Article 2(3)
Activities Not Exempt
Article 2(3)(a)
Public Disclosure Removes Exemption
This provision states that an individual publishing personal data to the public or disclosing it to anyone outside the family or limited social circle described in paragraph 2 is not considered to be acting within personal or family use. Once personal data is shared beyond that circle, the exemption no longer applies.
The provision reinforces that the exemption is strictly confined to private sharing within a defined group.
Article 2(3)(b)
Commercial Use Is Regulated
This provision states that using personal data for professional, commercial, or non profit purposes is not regarded as personal or family use. It distinguishes private activities from activities connected to work, business, or organized efforts.
When personal data supports any of these purposes, the processing falls under the Law regardless of who performs it.
