Overview
PDPL Implementing Regulation Article 29 defines the rules for Processing Personal Data for direct marketing purposes, requiring Controllers to obtain valid consent, clearly identify themselves when sending materials, and provide simple, accessible mechanisms for opting out. The Article reinforces transparency, consumer protection, and accountability, ensuring that Data Subjects retain full control over marketing communications.
These requirements operate alongside the Telecommunication and Information Technology Act and other relevant laws, ensuring unified compliance across Saudi regulatory frameworks.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 29: Direct Marketing
- Without prejudice to the Telecommunication and Information Technology Act or any other related laws, before Processing Personal Data for Direct Marketing purposes, the Controller shall abide by to the following:
- Obtain consent from Data Subject in accordance with the provisions of Article (11) of this Regulation.
- Provide a mechanism that enables the Data Subject to opt out of receiving marketing materials when desired, and ensure that the procedures for opting out of receiving such materials are easy, straightforward, and at least as easy as the procedures for giving consent to receive them.
- When sending direct marketing materials to a Data Subject, the identity of the sending entity shall be clearly stated without any anonymisation.
- In case the Data Subject withdraws their consent for Direct Marketing, the Controller shall immediately stop sending related marketing materials without undue delay.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
