Overview
PDPL Implementing Regulation Article 5 explains the conditions under which a Data Subject may access their personal data held by a Controller.
It sets out the limitations that protect the rights of others, describes how access may be provided either upon request or through a direct access channel, and requires the Controller to ensure that access does not disclose personal data belonging to another individual.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 5: Right of access to Personal Data
- Without prejudice to the provisions of Articles (9) and (16) of the Law, the Data Subject has the right to access their Personal Data available with the Controller, subject to the following:
- Exercising the right to access Personal Data should not negatively impact the rights of others, such as intellectual property rights or trade secrets.
- Providing access to Personal Data at a request from the Data Subject, or via a channel provided by the Controller enabling Data Subject to directly access their Personal Data without the need to make a request.
- When enabling the Data Subject to access their Personal Data, the Controller shall ensure that it does not involve disclosing Personal Data that identifies another individual.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 5(1)
Right To Access Personal Data
This provision states that the Data Subject has the right to access their personal data available with the Controller, without prejudice to Articles 9 and 16 of the Law. It establishes access as a core right, subject to two specific conditions detailed in the subparagraphs that follow.
The provision frames access as a right balanced with the need to protect the rights of others and defines how the Controller may provide such access.
Article 5(1)(a)
Respect For Third Party Rights
This provision states that exercising the right to access personal data must not negatively impact the rights of others, such as intellectual property rights or trade secrets.
It ensures that the Data Subject’s access right does not override legal protections held by third parties and maintains safeguards for proprietary or confidential information.
Article 5(1)(b)
Access On Request Or Direct Access
This provision states that access may be granted either at the Data Subject’s request or through a channel provided by the Controller that enables the Data Subject to directly access their personal data without needing to make a request.
It establishes two lawful methods of providing access and recognises that Controllers may implement systems that allow individuals to obtain their personal data independently.
Article 5(2)
Protecting Others’ Personal Data
This provision requires the Controller, when enabling a Data Subject to access their personal data, to ensure that the process does not disclose personal data that identifies another individual. It safeguards the privacy of third parties by preventing unintended disclosure during the access process.
The provision reinforces that access must relate only to the Data Subject’s own personal data.
