KSAPDPL.COM

PDPL Implementing Regulation Article 6 – Right to Request Access to Personal Data

Overview

Saudi PDPL Implementing Regulation Article 6 sets out the conditions under which a Data Subject may request a copy of their personal data in a readable and clear format.

It confirms that providing a copy must not harm the rights of others, requires the copy to be supplied in a commonly used electronic format with an option for a printed version when feasible, and ensures that granting access does not disclose personal data belonging to another individual.

SDAIA's Official PDPL Implementing Regulation Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 6: Right to Request Access to Personal Data

Subject to the provisions of Article (16) of the Law, the Data Subject has the right to request a copy of their Personal Data in a readable and clear format, subject to the following:

  1. Exercising the right to access Personal Data should not negatively impact the rights of others, such as intellectual property rights or trade secrets.

  2. The Personal Data is provided to the Data Subject in a commonly used electronic format and the Data Subject may request a printed hard copy if feasible.

  3. When granting a Data Subject access to their Personal Data, the Controller shall ensure that it does not involve disclosing Personal Data that identifies another individual.

Plain-Language PDPL Implementing Regulation Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Implementing Regulation Article 6(1)

Protecting Third Party Rights

This provision states that exercising the right to request a copy of personal data must not negatively impact the rights of others, including intellectual property rights or trade secrets.

It ensures that providing a copy to the Data Subject does not compromise protected information connected to third parties.

PDPL Implementing Regulation Article 6(2)

Format And Copy Options

This provision requires that personal data be provided to the Data Subject in a commonly used electronic format. It also states that the Data Subject may request a printed hard copy if feasible.

It identifies both electronic and physical formats as possible ways to deliver the requested data, with feasibility determining the availability of a printed version.

PDPL Implementing Regulation Article 6(3)

Preventing Third Party Disclosure

This provision requires the Controller to ensure that granting a Data Subject access to their personal data does not result in disclosing personal data that identifies another individual.

It protects the privacy of third parties during the process of providing a copy of personal data.

Frequently Asked Questions (FAQs)

Does Article 6 of the PDPL Implementing Regulation give individuals a separate right from the general right of access in Article 5?
Yes, Article 6 details the procedural steps for requesting access. It complements Article 5 by explaining how the request should be made and handled under the Saudi Personal Data Protection Law (KSA PDPL).
Can a Data Subject make an access request verbally, or does it need to be written?
Article 6 does not mandate a format. In practice, controllers often prefer written requests for clarity, but they should still accept valid verbal requests.
If a request is unclear, can the controller ask the individual to specify what they want?
Yes, Article 6 supports seeking clarification. This ensures the controller provides the correct data without unnecessary delays.
Does Article 6 allow a controller to reject an access request if the person cannot verify their identity?
Yes, identity verification is essential before releasing Personal Data. Article 6 reinforces this requirement.
Can someone request access to their data more than once?
Article 6 does not limit the number of requests. However, controllers may manage repeat requests reasonably, as long as rights are respected.
Does Article 6 mean companies must offer an online request form?
No, the article does not prescribe specific channels. Controllers may offer forms, but Data Subjects can still exercise their rights through other channels.
If two people share an account, can either one request all the data?
Not automatically. Article 6 expects the controller to verify who the actual Data Subject is and whether they have legal authority to access the data.
Does Article 6 require the controller to provide data in a specific file format?
No, the article is flexible. The main requirement is that the information is accessible and understandable.
Can a controller delay the request because the data is stored with a processor?
No, the controller remains responsible. Article 6 stresses that internal arrangements do not limit the Data Subject’s rights.
Does Article 6 cover access to inferred or derived data?
It applies to Personal Data relating to the individual, which can include derived data if it identifies them. The controller must assess what qualifies.
What is a common misconception about Article 6?
Many assume a request must follow a formal corporate template. Article 6 makes clear that the right exists regardless of whether a formal form is used.
Does Article 6 apply to both private and public sector controllers?
Yes, the right to request access applies across all sectors under the PDPL Implementing Regulation.
