KSAPDPL.COM

PDPL Compliance Services
PDPL Compliance in 4 Weeks
Start with PDPL Consulting
at HalaPrivacy.com

Table of Contents

← PDPL Compliance Ecosystem

PDPL Implementing Regulation Article 1 – Definitions
PDPL Implementing Regulation Article 2 – Personal or Family Use
PDPL Implementing Regulation Article 3 – General Provisions of Data Subject Rights (DSR)
PDPL Implementing Regulation Article 4 – Right to be Informed
PDPL Implementing Regulation Article 5 – Right of Access to Personal Data
PDPL Implementing Regulation Article 6 – Right to Request Access to Personal Data
PDPL Implementing Regulation Article 7 – Right to Request Correction of Personal Data
PDPL Implementing Regulation Article 8 – Right to Request Destruction of Personal Data
PDPL Implementing Regulation Article 9 – Anonymisation
PDPL Implementing Regulation Article 10 – Means of Communication
PDPL Implementing Regulation Article 11 – Consent
PDPL Implementing Regulation Article 12 – Consent withdrawal
PDPL Implementing Regulation Article 13 – Legal Guardian
PDPL Implementing Regulation Article 14 – Processing to Serve the Actual Interest of Data Subject
PDPL Implementing Regulation Article 15 – Collecting Data from Third Parties
Load More

PDPL Implementing Regulation Article 5 – Right of Access to Personal Data

  • This article is verified from SDAIA
  • halaprivacy.com
  • Updated: January 12, 2026
ChatGPT
Gemini Gemini
Claude Claude
Perplexity Perplexity

Overview

Saudi PDPL Implementing Regulation Article 5 explains the conditions under which a Data Subject may access their personal data held by a Controller.

It sets out the limitations that protect the rights of others, describes how access may be provided either upon request or through a direct access channel, and requires the Controller to ensure that access does not disclose personal data belonging to another individual.

SDAIA's Official PDPL Implementing Regulation Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 5: Right of access to Personal Data

  1. Without prejudice to the provisions of Articles (9) and (16) of the Law, the Data Subject has the right to access their Personal Data available with the Controller, subject to the following:

    1. Exercising the right to access Personal Data should not negatively impact the rights of others, such as intellectual property rights or trade secrets.

    2. Providing access to Personal Data at a request from the Data Subject, or via a channel provided by the Controller enabling Data Subject to directly access their Personal Data without the need to make a request.

  2. When enabling the Data Subject to access their Personal Data, the Controller shall ensure that it does not involve disclosing Personal Data that identifies another individual.

Copy Article

Plain-Language PDPL Implementing Regulation Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Implementing Regulation Article 5(1)

Right To Access Personal Data

This provision states that the Data Subject has the right to access their personal data available with the Controller, without prejudice to Articles 9 and 16 of the Law. It establishes access as a core right, subject to two specific conditions detailed in the subparagraphs that follow.

The provision frames access as a right balanced with the need to protect the rights of others and defines how the Controller may provide such access.

PDPL Implementing Regulation Article 5(1)(a)

Respect For Third Party Rights

This provision states that exercising the right to access personal data must not negatively impact the rights of others, such as intellectual property rights or trade secrets.

It ensures that the Data Subject’s access right does not override legal protections held by third parties and maintains safeguards for proprietary or confidential information.

PDPL Implementing Regulation Article 5(1)(b)

Access On Request Or Direct Access

This provision states that access may be granted either at the Data Subject’s request or through a channel provided by the Controller that enables the Data Subject to directly access their personal data without needing to make a request.

It establishes two lawful methods of providing access and recognises that Controllers may implement systems that allow individuals to obtain their personal data independently.

PDPL Implementing Regulation Article 5(2)

Protecting Others’ Personal Data

This provision requires the Controller, when enabling a Data Subject to access their personal data, to ensure that the process does not disclose personal data that identifies another individual. It safeguards the privacy of third parties by preventing unintended disclosure during the access process.

The provision reinforces that access must relate only to the Data Subject’s own personal data.

Frequently Asked Questions (FAQs)

Does Article 5 of the PDPL Implementing Regulation mean individuals can access all Personal Data a controller holds about them?
Yes, individuals have the right to request access to their Personal Data. Article 5 explains how this right should be applied in practice under the Saudi Personal Data Protection Law (KSA PDPL).
Can someone request access to data stored in backups or archived systems?
Typically yes, if the data is still considered Personal Data and accessible to the controller. Article 5 supports access across relevant systems, not just active databases.
Is a controller allowed to ask for proof of identity before providing access?
Yes, verifying identity is standard practice. Article 5 expects controllers to ensure the requester is the correct individual.
Can a controller refuse an access request if it includes sensitive business information mixed with Personal Data?
They may limit disclosure of non-personal confidential information. Article 5 still requires providing the Personal Data itself wherever possible.
Does Article 5 require controllers to provide copies of documents, or is a summary enough?
The right generally includes obtaining a copy of the Personal Data. Summaries do not replace actual access unless they still meet the individual’s request.
If an employee wants a copy of their HR file, does Article 5 apply?
Yes, employees are Data Subjects under the PDPL Implementing Regulation. HR files typically fall within the right of access.
Can a controller charge a fee for providing access?
Article 5 does not authorize routine fees. Access is typically provided without cost unless another PDPL provision permits otherwise.
Can a parent request access to their child’s Personal Data?
Yes, if they are legally authorized. Article 5 expects controllers to verify legal authority just as they verify identity.
Does Article 5 allow individuals to access data that has been anonymized?
No, anonymized data is not Personal Data. Article 5 applies only to information that identifies the individual.
What if the requested data includes references to other people?
Controllers must balance access rights with privacy of others. Article 5 requires reasonable steps to provide access while protecting third parties.
Is there a specific format for submitting an access request under Article 5?
No, the article does not mandate a form. Controllers typically offer preferred channels, but Data Subjects can still submit valid requests in other formats.
What is a common misconception about Article 5?
Many think controllers can refuse requests if they seem inconvenient or broad. Article 5 requires controllers to process them unless a PDPL limitation clearly applies.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Scroll to Top