
Saudi PDPL Article 1 – Definitions

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 1 provides the foundational definitions that apply across Saudi Arabia’s Personal Data Protection Law. These definitions determine the legal meaning of key terms, including Personal Data, Processing, Controller, Processor, Sensitive Data, Collection, Transfer, Disclosure, and related concepts. Article 1 ensures that all obligations, rights, penalties, and compliance requirements under the PDPL are interpreted consistently across sectors, technologies, and organizations.

These definitions serve as the legal anchor for the entire PDPL compliance ecosystem. Organizations must rely on them when preparing privacy policies, Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIAs), Transfer Impact Assessments (TIAs), vendor assessments and legal-basis evaluations, and when interpreting enforcement decisions. A term used in any later article carries the meaning fixed here, so classification errors at this stage (for example, treating Health Data as ordinary Personal Data) propagate into every downstream control.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 1

For the purpose of implementing this Law, the following terms shall have the meanings assigned thereto, unless the context requires otherwise:

  1. Law: The Personal Data Protection Law.

  2. Regulations: The Implementing Regulations of the Law.

  3. Competent Authority: The authority to be determined by a resolution of the Council of Ministers.

  4. Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.

  5. Processing: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.

  6. Collection: The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.

  7. Destruction: Any action taken on Personal Data that makes it unreadable and irretrievable, or impossible to identify the related Data Subject.

  8. Disclosure: Enabling any person - other than the Controller or the Processor, as the case may be - to access, collect or use personal data by any means and for any purpose.

  9. Transfer: The transfer of Personal Data from one place to another for Processing.

  10. Publishing: Transmitting or making available any Personal Data using any written, audio or visual means.

  11. Sensitive Data: Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.

  12. Genetic Data: Any Personal Data related to the hereditary or acquired characteristics of a natural person that uniquely identifies the physiological or health characteristics of that person, and derived from biological sample analysis of that person, such as DNA or any other testing that leads to generating Genetic Data.

  13. Health Data: Any Personal Data related to an individual's health condition, whether their physical, mental or psychological conditions, or related to Health Services received by that individual.

  14. Health Services: Services related to the health of an individual, including preventive, curative, rehabilitative and hospitalizing services, as well as the provision of medications.

  15. Credit Data: Any Personal Data related to an individual's request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including any data relating to that individual’s ability to obtain and repay debts, and the credit history of that person.

  16. Data Subject: The individual to whom the Personal Data relate.

  17. Public Entity: Any ministry, department, public institution or public authority, any independent public entity in the Kingdom, or any affiliated entity therewith.

  18. Controller: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.

  19. Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 1(1)

Law

This term refers to the Personal Data Protection Law (PDPL), the primary legal foundation regulating how Personal Data is collected, used, stored, shared, or otherwise processed within the Kingdom. It establishes the rights of individuals, the obligations of Controllers and Processors, and the enforcement authority’s oversight powers.


All subsequent regulations, implementing rules, and guidelines derive their authority from the PDPL, making it the central reference point for every compliance requirement.

PDPL Article 1(2)

Regulations

Regulations refer to the PDPL Implementing Regulations issued by SDAIA, which provide the detailed instructions needed to put the PDPL into practice. While the Law sets out the core principles and obligations, these Regulations explain how Controllers and Processors must comply on an operational level.

 

They include procedural steps, documentation requirements, lawful exceptions, timelines, and safeguards that ensure the PDPL is applied consistently and correctly across all sectors.

PDPL Article 1(3)

Competent Authority

The Competent Authority is the body designated by a resolution of the Council of Ministers; that designation currently rests with the Saudi Data & AI Authority (SDAIA). It is responsible for supervising how organizations comply with the PDPL, including monitoring ongoing practices, issuing guidance, and enforcing corrective actions when violations occur.

 

This authority ensures that Controllers and Processors follow the Law, apply the Regulations properly, and maintain effective safeguards to protect Personal Data across the Kingdom.

PDPL Article 1(4)

Personal Data

Personal Data refers to any information that can directly or indirectly identify a natural person. This includes obvious identifiers like names, national IDs, phone numbers, and addresses, as well as less direct indicators such as device identifiers, location data, images, behavioral patterns, or any data point that, alone or combined with others, reveals an individual’s identity.

 

The definition is intentionally broad to ensure comprehensive protection of all information that could reasonably be used to identify someone.

PDPL Article 1(5)

Processing

Processing refers to any action performed on Personal Data, whether through automated systems or manual activities. It includes the full lifecycle of data handling, such as collecting information, recording it, organizing or storing it, updating or modifying it, using it for a specific purpose, sharing or transferring it to others, disclosing it in any form, or ultimately destroying it.

 

Under the PDPL, if an organization interacts with Personal Data in any way, that activity is considered Processing. This broad definition ensures that all forms of data handling fall within the PDPL’s regulatory scope and must meet its compliance requirements.

PDPL Article 1(6)

Collection

Collection refers to obtaining Personal Data from any source, whether directly from the Data Subject or indirectly through other channels. This can include digital forms, mobile applications, websites, customer service interactions, CCTV systems, transactional systems, or third-party providers.

 

The definition is intentionally broad so that any method of gathering Personal Data, regardless of the technology or context, is regulated under the PDPL. This ensures transparency, accountability, and lawful justification for every instance in which data is acquired.

PDPL Article 1(7)

Destruction

Destruction refers to permanently eliminating Personal Data so that it cannot be restored, reconstructed, or retrieved by any technical means. This can involve securely deleting files, destroying physical records, or applying irreversible anonymization techniques that remove all identifiers and prevent any possibility of reidentification.

 

Under the PDPL, destruction is a controlled process that ensures Personal Data does not remain accessible once it is no longer needed, reducing security risks and supporting compliance with retention and minimization requirements.

PDPL Article 1(8)

Disclosure

Disclosure refers to enabling any person outside the Controller–Processor relationship, meaning anyone who is neither the Controller nor its Processor for that processing, to access, collect or use Personal Data. The definition applies "by any means and for any purpose", so it covers temporary and permanent access alike, and commercial and non-commercial sharing alike.

 

This includes intentionally sharing information, responding to external requests, granting system access, or exposing data through any controlled exchange that enables a new party to access it.

 

Under the PDPL, Disclosure is a regulated activity, with the law specifying the situations in which Disclosure is permitted and the cases in which it is prohibited, ensuring that Personal Data is not shared in ways that harm the Data Subject or conflict with national or public interests.

PDPL Article 1(9)

Transfer

Transfer refers to moving Personal Data from one place to another so that it can be Processed. The definition is location-neutral: it does not distinguish physical from digital movement, or movement inside the Kingdom from movement across its borders. What matters is that the relocation enables further Processing such as hosting, storage, analysis, sharing or operational use.

This breadth matters because the same word is used wherever the Law attaches conditions to moving data, including its dedicated restrictions on transfers outside the Kingdom. Moving records between systems, uploading them to a cloud environment, or sending them to a vendor are all transfers in the Article 1 sense; whether a given transfer also triggers the Law's specific transfer conditions depends on where the data goes and who receives it. Practically, every transfer should be recorded so that the receiving location, environment and party are known and the data remains protected after it changes hands.

PDPL Article 1(10)

Publishing

Publishing is transmitting or making Personal Data available by any written, audio or visual means. The clearest case is making data public: posting it on websites or social media, distributing marketing materials, or releasing public reports. The definition itself, however, is not limited to public channels, so releases to an uncontrolled or unrestricted audience should be treated as Publishing even where the audience is not literally "the public".

Publishing is high-risk because once data is released the Controller can no longer control who copies, retains or reuses it. Published data does not stop being Personal Data under the Law; the Controller remains accountable for it. Organizations must therefore have a legal basis, a clear purpose and explicit safeguards before releasing any Personal Data in this way.

PDPL Article 1(11)

Sensitive Data

Sensitive Data refers to categories of Personal Data that, by their nature, pose a higher risk to the Data Subject if misused, exposed, or processed without strict safeguards. Under the PDPL, this includes information relating to an individual’s racial or ethnic origin, religious, intellectual, or political beliefs, security-related criminal convictions and offenses, biometric or Genetic Data used for identification, Health Data, and data indicating that one or both of a person’s parents are unknown.


Because misuse of Sensitive Data can lead to discrimination, reputational harm, or threats to personal safety, the PDPL places additional restrictions on its processing in various parts of the Law, including limitations on processing for legitimate interest and additional controls for Health Data. Organizations handling Sensitive Data must apply appropriate safeguards consistent with PDPL requirements.

PDPL Article 1(12)

Genetic Data

Genetic Data refers to information derived from an individual’s DNA or biological samples that reveals inherited traits, biological characteristics, or unique genetic markers. This type of data can identify a person with a high degree of certainty and can also reveal sensitive insights about health predispositions, ancestry, and family relationships.

 

Because Genetic Data is both uniquely identifiable and deeply personal, the PDPL treats it as a highly protected category of Sensitive Data. Organizations handling Genetic Data must apply strict safeguards, limit access, ensure clear purpose justification, and maintain robust security measures to prevent misuse, discrimination, or unauthorized disclosure.

PDPL Article 1(13)

Health Data

Health Data refers to any information that relates to an individual’s physical or mental health, medical history, diagnoses, treatments, medications, disabilities, or overall health status. This category of data is highly sensitive because it can reveal deeply personal details about a person’s wellbeing and vulnerabilities.

 

Under the PDPL, Health Data requires enhanced protection due to the significant harm that could occur if it is misused or exposed, including discrimination, stigma, or denial of services. Organizations processing Health Data must apply strict security controls, limit access to authorized personnel, and ensure that any processing is clearly justified, purpose-specific, and aligned with strong privacy safeguards.

PDPL Article 1(14)

Health Services

Health Services are services related to an individual's health, and the definition lists preventive, curative, rehabilitative and hospitalizing services as well as the provision of medications. The list is illustrative rather than exhaustive, so diagnostic, therapeutic and remotely delivered care fall within it on the same footing as in-person treatment.

The term matters mainly because Health Data (Article 1(13)) includes any Personal Data "related to Health Services received by that individual". Data generated while delivering such services, including appointment, prescription and treatment records, is therefore Health Data and, through Article 1(11), Sensitive Data, regardless of whether it was produced by a clinician, a digital platform or a supporting system. Organizations providing Health Services must implement strong safeguards, ensure lawful processing, and maintain high standards of confidentiality to protect patient rights and trust.

PDPL Article 1(15)

Credit Data

Credit Data is Personal Data relating to an individual's request for, or obtaining of, financing for a personal or family purpose, including data on their ability to obtain and repay debts and their credit history. In practice this covers loan applications, repayment records, outstanding liabilities, defaults and the inputs to creditworthiness assessments. Inaccuracies or unauthorized exposure can significantly affect a person's access to financial services, employment, housing and insurance.

Note that Credit Data is not one of the categories listed as Sensitive Data in Article 1(11); it is defined separately because the Law contains specific provisions addressing its processing. Organizations handling Credit Data must ensure its confidentiality, integrity and accuracy, apply clear purpose limitation (particularly where it feeds automated decision-making or risk scoring), and prevent misuse or discriminatory profiling that could harm the Data Subject.

PDPL Article 1(16)

Data Subject

The Data Subject is the natural person to whom the Personal Data relates. All protections, rights and entitlements under the PDPL revolve around this individual, including the right to access their data, request corrections, request deletion, withdraw consent, and understand how their information is being used. The PDPL is fundamentally designed to safeguard the interests of the Data Subject by giving them meaningful control over their Personal Data.

 

Organizations must therefore structure their processing activities, governance practices, and privacy controls around the principle that Personal Data is always tied to a real individual whose rights must be respected and upheld at every stage of the data lifecycle.

PDPL Article 1(17)

Public Entity

A Public Entity refers to any governmental authority, agency, institution, or organization that performs public functions under legally established authority. These entities operate on behalf of the state and often process Personal Data to deliver public services, enforce regulations, manage national programs, or carry out administrative responsibilities.

 

Because Public Entities handle large volumes of Personal Data, often involving Sensitive, Health, Financial, or security-related information, they are held to strict PDPL requirements to ensure transparency, security, and lawful processing. Their role makes them central to national data governance, and their compliance practices set the standard for broader public-sector data protection.

PDPL Article 1(18)

Controller

The Controller is the entity that decides the purposes for which Personal Data is processed and the methods by which that processing takes place. Because it defines the “why” and “how” of data use, the Controller carries the highest level of responsibility under the PDPL. This includes ensuring lawful processing, establishing governance and oversight mechanisms, implementing appropriate technical and organizational safeguards, and enabling Data Subjects to exercise their rights.

 

Controllers must assess risks, manage vendors, document processing activities, and maintain full accountability for the protection of Personal Data throughout its lifecycle. Regardless of who performs the processing, the Controller remains answerable for compliance and is expected to demonstrate adherence to the PDPL at any time.

PDPL Article 1(19)

Processor

A Processor is an entity that processes Personal Data for the benefit and on behalf of a Controller, within the purpose and manner the Controller has set. While the Processor does not decide the purpose or legal basis for processing, it plays a critical operational role and must meet the obligations the Law and its Regulations place on Processors, including confidentiality, security controls, notifying the Controller of incidents, and limits on engaging sub-processors.

 

Processors are expected to implement robust safeguards, follow the Controller’s policies, and ensure that any Personal Data they handle is protected against unauthorized access, misuse, or disclosure. Even though the Controller holds primary accountability, the Processor remains directly responsible for meeting its own statutory duties under the PDPL.

Frequently Asked Questions (FAQs)

In Saudi Personal Data Protection Law (KSA PDPL), does a work email like name@company.com count as Personal Data?
Usually yes. A work email address normally links back to an identifiable individual, so it is treated as Personal Data under Saudi Personal Data Protection Law (KSA PDPL).
Treat it as Personal Data if it can identify someone on its own or when combined with other data you hold. A practical rule: if you can single out a user or tie the identifier to an account, it falls within the KSA PDPL definition of Personal Data.
Is viewing a customer record, or searching inside a CRM, considered “Processing” under Saudi Personal Data Protection Law (KSA PDPL)?
Yes, as a rule of thumb, any interaction with Personal Data is Processing. Saudi Personal Data Protection Law (KSA PDPL) frames Processing broadly, covering manual and automated actions across the full data lifecycle.
In a SaaS setup, who is the Controller and who is the Processor in Saudi Personal Data Protection Law (KSA PDPL) terms?
The Controller is typically the party that decides why and how the Personal Data is processed. The Processor is typically the vendor that processes Personal Data for the Controller’s benefit and on the Controller’s behalf.
If my vendor uses a sub-vendor to host our data, is the host automatically a Controller?
Not automatically; it depends on who decides the purpose and manner of processing. If the host processes data for the benefit and on behalf of your organization (or your main vendor), it is typically treated as part of the Processor side in practice.
Is “Collection” only when a user fills a form, or does it include getting data from another source?
Collection is not limited to direct form fills. Under Saudi Personal Data Protection Law (KSA PDPL), Collection includes obtaining Personal Data from the Data Subject, their representative or guardian, or another party.
What is the difference between “Disclosure” and “Transfer” in Saudi Personal Data Protection Law (KSA PDPL), in a real business scenario?
A simple rule: Disclosure is giving access to someone outside the Controller–Processor relationship; Transfer is moving Personal Data from one place to another for processing. Granting an external third party access is typically Disclosure; moving data to a different system or location so it can be processed is typically a Transfer. The two can coincide, for example when data is sent to a new recipient abroad.
Does sending an employee list to an external auditor count as “Disclosure” under Saudi Personal Data Protection Law (KSA PDPL)?
Typically yes, because it enables someone other than the Controller or Processor to access or use the Personal Data. The key test is whether the recipient sits outside the Controller–Processor relationship for that processing.
In e-commerce marketing, is posting a customer photo on social media “Publishing” under KSA PDPL?
Yes. Making Personal Data available through written, audio or visual means is Publishing, and a public social media post is the clearest case. The definition is not limited to public channels, so as a rule of thumb, if people outside your organization's controlled access can reach it, treat it as Publishing.
In healthcare, what kinds of data are “Sensitive Data” under Saudi Personal Data Protection Law (KSA PDPL)?
Health Data is treated as Sensitive Data, and Saudi Personal Data Protection Law (KSA PDPL) also treats biometric or genetic data used for identification as Sensitive Data. A practical approach is to assume medical records and identifying biometrics belong in the Sensitive Data bucket.
In fintech, is credit bureau information or loan eligibility data considered “Credit Data” under Saudi Personal Data Protection Law (KSA PDPL)?
Generally yes, if it relates to a person’s request for, or obtaining of, financing and their ability to obtain and repay debts. In practice, data used to assess creditworthiness or credit history is typically treated as Credit Data in Saudi Personal Data Protection Law (KSA PDPL) terms.
What do Controllers usually get wrong about “Destruction” under Saudi Personal Data Protection Law (KSA PDPL)?
The rule of thumb is that Destruction means the data is made unreadable and irretrievable, or it becomes impossible to identify the person. A common misconception is that "deleted from the app" or "archived" automatically equals Destruction; it usually does not, because the data still exists in the database, in backups or in logs. A related mistake is treating an unsalted hash of an identifier as anonymization when the identifier can be recovered by enumeration.
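The Destruction explanation above and this FAQ both turn on one test: after "deletion", can the record still be read, or can the Data Subject still be identified? The following added example (illustration written for this page, not PDPL text or SDAIA guidance) contrasts three approaches a Controller might call deletion. The record, the 4-digit staff number and the in-memory stores are constructed; the stores stand in for a database and a key-management service.

```python
"""Added illustration (not PDPL text or SDAIA guidance): three ways to 'remove'
a record, checked against the Article 1(7) test for Destruction. The record,
identifiers and in-memory stores are constructed for the example."""
import hashlib
import hmac
import json
import os
from typing import Iterable, Optional

# Constructed sample record, keyed by a 4-digit staff number.
SAMPLE_RECORD = {"name": "Constructed Person", "phone": "0500000001",
                 "health": "flu, 2024-02"}


class SoftDeleteStore:
    """Soft delete: a 'deleted' flag hides the row from the application.
    The plaintext stays readable to anyone with database, backup or disk
    access, so this is not Destruction."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}
        self.deleted: set[str] = set()

    def put(self, key: str, record: dict) -> None:
        self.rows[key] = dict(record)

    def delete(self, key: str) -> None:
        self.deleted.add(key)          # flag only; nothing is overwritten

    def get(self, key: str) -> Optional[dict]:
        return None if key in self.deleted else self.rows.get(key)

    def raw_dump(self) -> dict[str, dict]:
        """What a DBA, a restored backup or a forensic image exposes."""
        return self.rows


def hash_identifier(identifier: str) -> str:
    """Unsalted SHA-256 of a structured identifier. This is pseudonymisation at
    best: the identifier space is small, so the hash can be inverted by
    enumeration and the Data Subject remains identifiable."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reidentify(hashed: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the identifier behind an unsalted hash by enumerating the
    candidate space (e.g. every 4-digit staff number)."""
    for cand in candidates:
        if hash_identifier(cand) == hashed:
            return cand
    return None


class CryptoShredStore:
    """Crypto-shredding: each Data Subject's record is encrypted under its own
    key held in a separate key store. Destroying the key leaves ciphertext that
    is unreadable and irretrievable, meeting the Article 1(7) test, provided
    the key is also purged from key-store backups and KMS/HSM copies.

    The cipher is a counter-mode keystream built from HMAC-SHA256 so the
    example runs on the standard library alone; production code would use
    AES-GCM (or another AEAD) from a vetted library instead."""

    def __init__(self) -> None:
        self.ciphertexts: dict[str, bytes] = {}   # stands in for the database
        self.keys: dict[str, bytes] = {}          # stands in for a KMS/HSM

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def put(self, subject: str, record: dict) -> None:
        key = self.keys.setdefault(subject, os.urandom(32))
        nonce = os.urandom(16)
        plaintext = json.dumps(record, sort_keys=True).encode()
        ks = self._keystream(key, nonce, len(plaintext))
        self.ciphertexts[subject] = nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

    def get(self, subject: str) -> Optional[dict]:
        key, blob = self.keys.get(subject), self.ciphertexts.get(subject)
        if key is None or blob is None:
            return None                 # no key: ciphertext is irretrievable
        nonce, ct = blob[:16], blob[16:]
        ks = self._keystream(key, nonce, len(ct))
        return json.loads(bytes(c ^ k for c, k in zip(ct, ks)))

    def destroy(self, subject: str) -> None:
        """Destruction: drop the subject's key. The ciphertext may remain in
        backups indefinitely without exposing the Data Subject."""
        self.keys.pop(subject, None)

    def raw_dump(self) -> dict[str, bytes]:
        return self.ciphertexts
```

Running the three stores side by side shows the distinction the FAQ draws: after `SoftDeleteStore.delete` the application returns nothing but `raw_dump` still yields the plaintext health entry; `reidentify` recovers the staff number behind its unsalted hash in at most ten thousand guesses; after `CryptoShredStore.destroy` both the application and the raw dump yield nothing usable. Only the third result satisfies "unreadable and irretrievable", and only if the key is genuinely gone from every copy of the key store.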
