KSAPDPL.COM

Saudi PDPL Article 10 – Exceptions to Direct Collection Rule

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 10 defines the specific cases where personal data may be collected indirectly rather than directly from the Data Subject and the cases where Personal Data may be processed for purposes other than the original purpose of collection.

These exceptions apply when the information comes from public or legally accessible sources, when the Controller is a public entity performing official tasks, when complying with direct collection would harm the Data Subject or affect their vital interests, when necessary to protect public health, when the data cannot identify the individual, or when the Controller relies on legitimate interest without processing sensitive data.

The Regulations will define the detailed conditions and procedures for these exceptions.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 10

The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other than the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:

  1. The Data Subject gives their consent in accordance with the provisions of this Law.

  2. Personal Data is publicly available or was collected from a publicly available source.

  3. The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.

  4. Complying with this may harm the Data Subject or affect their vital interests.

  5. Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.

  6. Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

  7. Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 10(1)

Collection From Another Source With Consent

This provision allows the Controller to collect personal data from a source other than the individual when the Data Subject has provided consent for such collection.

The provision makes clear that the individual must authorize indirect collection, ensuring that the data is obtained in a manner consistent with their wishes.

PDPL Article 10(2)

Collection From Publicly Available Sources

This provision permits indirect collection when the personal data originates from publicly available sources or was collected from a publicly available source. It also applies when the data is provided to a source based on a legal basis. This ensures that indirect collection is allowed when the information is already accessible to the public. 

PDPL Article 10(3)

Public Entity Collection For Official Duties

This provision allows public entities to collect personal data indirectly (or process it for a new purpose) when necessary to perform their duties for public interest or security purposes, to implement another law, or to fulfill judicial requirements.

It recognizes that direct collection may not always be feasible in public sector operations and ensures that public entities can fulfill these specific legal responsibilities by collecting data indirectly or by processing existing data for these new, mandated purposes.

PDPL Article 10(4)

Preventing Harm to the Data Subject

This provision allows a Controller to collect personal data from a source other than the Data Subject, or to process it for a purpose other than the original one, if complying with the direct collection or original purpose rule may harm the Data Subject or negatively affect their vital interests (e.g., their life or health).

PDPL Article 10(5)

Protecting Public Health, Safety, or Life

This provision allows indirect collection or new-purpose processing when it is necessary to protect public health, public safety, or to protect the life or health of specific individuals.

This enables necessary action in situations involving emergencies or threats to collective welfare.

PDPL Article 10(6)

Processing Non-Identifiable Data

This provision allows a Controller to collect personal data from a source other than the Data Subject, or to process it for a purpose other than the original one, only if the data is not recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

PDPL Article 10(7)

Legitimate Interests Exception for Indirect Collection or New Purpose

This provision allows indirect collection or processing for a new purpose based on the Controller’s legitimate interest, provided it does not override the rights of the Data Subject and does not involve sensitive data. The specific conditions and controls for relying on this exception, including how to demonstrate necessity and conduct a balancing test, will be detailed in the Implementing Regulation.

Implementation Details to be Defined in Regulations

The final sentence of Article 10 states that the Implementing Regulations will define the specific provisions, controls, and procedures for applying the exceptions in points (2) through (7) above. This means the operational details for most of these exceptions are not in the Law itself but will be provided by the Implementing Regulation.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can we collect personal data from a third party instead of the person?
Yes, but only in specific situations allowed by Article 10. Rule of thumb: direct collection is the default, and indirect collection needs a clear Article 10 basis.

If we buy a lead list in Saudi Arabia, does that count as “publicly available data” under Saudi PDPL Article 10?
Not automatically. The practical test is whether the data is genuinely publicly available, or collected from a publicly available source, not merely sold by a vendor.

Can we scrape business profiles from public websites and use them for outreach in KSA without asking first?
Sometimes, but only if the data is publicly available and you still stay within the Article 10 conditions and related regulatory controls. A safe rule is to treat public availability as a narrow exception, not a free pass for any downstream use.

We collected data for account setup. Can we later use it for a new purpose under Saudi PDPL without going back to the user?
Only in the limited Article 10 scenarios that allow processing for a different purpose. Rule of thumb: changing purpose needs either consent or a clear Article 10 exception.

In a medical emergency, can a hospital in Saudi Arabia collect or use personal data without direct collection from the patient?
Yes, if it is necessary to protect life or health, or protect public health or public safety, and the case fits Article 10. In practice, the focus is necessity and protection, not operational convenience.

Under Saudi Personal Data Protection Law (KSA PDPL), can we collect personal data indirectly to prevent harm to the person, even if they did not ask us to?
Yes, if following the direct collection rule would harm the Data Subject or affect their vital interests. The rule of thumb is that this exception is for protecting the person, not for business efficiency.

Does Saudi Personal Data Protection Law (KSA PDPL) Article 10 allow government entities in KSA to collect personal data indirectly for official work?
Yes, public entities can rely on Article 10 when collection or processing is required for public interest, security purposes, implementing another law, or judicial requirements. In practice, this is tied to official duties, not general optional activities.

If we anonymize data so no one can be identified, can we use it for a new purpose in Saudi Arabia?
Yes, if the data is not recorded or stored in a way that can directly or indirectly identify the Data Subject. Rule of thumb: if re-identification is possible, treat it as still in scope for the direct collection rule.

What is the difference between “publicly available source” and “data shared with us by a partner” in KSA PDPL terms?
Publicly available means accessible to the public; a partner share is not automatically public. If it is partner-provided, you typically need consent or another Article 10 exception beyond public availability.

Can we rely on “legitimate interest” to collect data indirectly in Saudi Personal Data Protection Law (KSA PDPL), for example for fraud prevention?
Potentially, but only if it does not prejudice the Data Subject’s rights and interests, and it does not involve Sensitive Data. A practical rule is to treat legitimate interest as a limited path, and check the Implementing Regulation controls for how it should be applied.

Who decides whether an Article 10 exception applies, the Saudi customer or the SaaS vendor?
The Controller typically decides, because it determines purposes and the basis for collection or reuse. A Processor can support execution, but it is not the party that should choose the exception.

Common misconception: “If consent is hard, we can just use Article 10.” Is that correct under Saudi Personal Data Protection Law (KSA PDPL)?
No, Article 10 is a closed set of exceptions, not a convenience clause. Rule of thumb: if you cannot clearly map your scenario to an Article 10 case, you should not treat indirect collection or new-purpose use as permitted.
