KSAPDPL.COM


Saudi PDPL Article 10 – Exceptions to Direct Collection Rule

The PDPL generally requires controllers to collect personal data directly from the data subject and to use it only for the original purpose. Article 10 lists 7 exceptions under which indirect collection or processing for a new purpose is allowed.

Controllers must collect data directly and use it only for the original purpose, unless one of seven legal exceptions applies, such as consent, public interest, or public health.

The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other than the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:

Saudi PDPL Article 10 (1)

Consent Given Lawfully Exception

The Data Subject gives their consent in accordance with the provisions of this Law.

Saudi PDPL Article 10 (2)

Publicly Available Data Exception

Personal Data is publicly available or was collected from a publicly available source.

Saudi PDPL Article 10 (3)

Public Entity Exception

The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.

Saudi PDPL Article 10 (4)

Preventing Harm Exception

Complying with this may harm the Data Subject or affect their vital interests.

Saudi PDPL Article 10 (5)

Public Health Protection Exception

Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.

Saudi PDPL Article 10 (6)

Non-Identifiable Data Use Exception

Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

Saudi PDPL Article 10 (7)

Legitimate Interest (Non-Sensitive) Exception

Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.

Explanation of Saudi PDPL Article 10

The Data Subject has provided consent as required under the PDPL:

Saudi PDPL Article 10 (1) applies where the data subject has given their consent for the collection or processing, as required under the PDPL.

Data is collected from a public or legally accessible source:

Saudi PDPL Article 10 (2) applies where the personal data is already public or was collected from a public source, such as an official register or published website.

Public authorities may collect or process data for legal, security, or public needs:

Saudi PDPL Article 10 (3) says that if the controller is a government body, it may collect or process the data when necessary for:

  • Public interest

  • Security needs

  • Fulfilling another law

  • Meeting judicial requirements

Consent isn’t needed if obtaining it may harm the Data Subject:

Saudi PDPL Article 10 (4) says that the controller may process the data without consent if requiring consent would harm the data subject or negatively impact their vital interests (e.g., in an emergency).

Processing is allowed to protect life, health, or public safety:

Saudi PDPL Article 10 (5) says that processing is allowed if it’s necessary to protect public health or safety, or to save someone’s life or health.

Data may be used if not linked to an identifiable person:

Saudi PDPL Article 10 (6) says that if the personal data will not be stored or recorded in a way that can identify the individual, direct collection is not required.

Processing is allowed for valid business needs if no sensitive data is involved:

Saudi PDPL Article 10 (7) says that processing is permitted when it’s needed to serve the controller’s legitimate interests, as long as:

  • It doesn’t harm the data subject’s rights or interests

  • Sensitive data is not involved

  • The processing meets the controls set out in the Regulations
