KSAPDPL.COM


Saudi PDPL Article 11 – Purpose and Collection Limits

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 11 establishes the rules governing why personal data may be collected and how much may be collected. It requires that data be collected only for clear, lawful, and specific purposes, through fair methods, and in a way that does not mislead or harm the Data Subject.

The Article also limits collection to the minimum amount of data needed and requires Controllers to stop collecting and destroy personal data once it is no longer necessary.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 11

  1. The purpose for which Personal Data is collected shall be directly related to the Controller’s purposes, and shall not contravene any legal provisions.

  2. The methods and means of Personal Data Collection shall not conflict with any legal provisions, shall be appropriate for the circumstances of the Data Subject, shall be direct, clear and secure, and shall not involve any deception, misleading or extortion.

  3. The content of the Personal Data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the Collection. Content that may lead to specifically identifying Data Subject once the purpose of Collection is achieved shall be avoided. The Regulations shall set out the necessary controls in this regard.

  4. If the Personal Data collected is no longer necessary for the purpose for which it has been collected, the Controller shall, without undue delay, cease their Collection and destroy previously collected Personal Data.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 11(1)

Purpose Must Be Specific And Lawful

This provision requires Controllers to collect personal data only for purposes that are directly related to their activities. The purpose must be explicitly defined and must comply with the Law.


The provision ensures that vague or unrelated purposes cannot justify collecting personal data. It establishes a clear link between the Controller’s activities and the data being collected.

PDPL Article 11(2)

Collection Methods Must Be Lawful And Fair

This provision mandates that the process of collecting personal data must be lawful, transparent, and secure. The methods used must comply with all relevant laws, be suitable for the Data Subject’s situation, and be conducted in a direct, clear, and secure manner.


Critically, collection must not involve deception, misleading practices, or extortion. This ensures the Data Subject’s autonomy and trust are protected from the outset.

PDPL Article 11(3)

Data Minimization and Post-Purpose Identification

This provision enforces the principle of data minimization. It requires Controllers to collect only the minimum amount of personal data strictly necessary to achieve the stated purpose. It further requires Controllers to avoid content that would specifically identify the Data Subject once the purpose of Collection has been achieved, for example by designing processing so that direct identifiers are not retained beyond the point at which the purpose is met.


This supports the use of techniques like anonymisation to reduce privacy risks after data has served its initial purpose. The Regulations will specify the necessary controls for this.

PDPL Article 11(4)

Duty to Stop Collection and Destroy Data

This provision mandates that when Personal Data is no longer needed for its original collection purpose, the Controller must take two actions without undue delay: first, cease the collection activity itself, and second, destroy the data already gathered. Neither action waits on the other; both follow as soon as the purpose has ended.


This ensures data is not retained indefinitely and that collection processes are halted when their purpose ends.
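Articles 11(3) and 11(4) describe three controls an engineering team has to build: admit only the fields a declared purpose needs, strip what identifies the person once that purpose is achieved, and stop collecting and destroy what was collected once a purpose ends. The Python sketch below is an added illustration, not code from this page or from SDAIA, showing one way to wire those controls into an intake path and a periodic sweep. The purpose names, field allowlists, identifier set, and the rule that `order_items` may survive de-identified for a follow-on purpose are all assumptions chosen for the example; the records are constructed sample data.

```python
"""Purpose-bound collection with post-purpose clean-up (illustrative only)."""
from datetime import datetime, timezone

# Assumed per-purpose allowlists: the minimum fields each declared purpose needs.
PURPOSE_SCHEMAS = {
    "order_fulfilment": {"name", "shipping_address", "phone", "order_items"},
    "newsletter": {"email"},
}

# Assumed fields that on their own specifically identify the Data Subject.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "shipping_address", "national_id"}

# Assumed non-identifying fields with a documented follow-on purpose (e.g. stock
# statistics) that may survive, de-identified, once the original purpose is met.
RETAINED_AFTER_FULFILMENT = {"order_fulfilment": {"order_items"}, "newsletter": set()}

# Purposes still open for collection; retiring one halts intake.
ACTIVE_PURPOSES = set(PURPOSE_SCHEMAS)


class MinimisationError(ValueError):
    """Raised when a submission would collect more than its purpose needs."""


def collect(store, purpose, submitted, now):
    """Admit a record only if every submitted field is on the purpose's allowlist.

    An allowlist, not a denylist: a field added to a form later is refused until
    someone justifies it for this purpose.
    """
    if purpose not in ACTIVE_PURPOSES:
        raise MinimisationError(f"collection for {purpose!r} has ceased")
    extra = set(submitted) - PURPOSE_SCHEMAS[purpose]
    if extra:
        raise MinimisationError(f"not needed for {purpose!r}: {sorted(extra)}")
    record = {"id": len(store) + 1, "purpose": purpose, "collected_at": now,
              "fulfilled_at": None, "data": dict(submitted)}
    store.append(record)
    return record


def fulfil(record, now):
    """Mark the record's purpose as achieved; the next sweep acts on it."""
    record["fulfilled_at"] = now


def retire_purpose(purpose):
    """Cease collection for a purpose; its existing records go on the next sweep."""
    ACTIVE_PURPOSES.discard(purpose)


def sweep(store):
    """Housekeeping pass over the store, in place. Safe to re-run on a schedule.

    Retired purpose   -> destroy the record.
    Purpose achieved  -> keep only de-identified fields with a follow-on purpose;
                         destroy the record if nothing remains.
    Returns (de_identified, destroyed) counts for this run.
    """
    de_identified = destroyed = 0
    kept = []
    for rec in store:
        if rec["purpose"] not in ACTIVE_PURPOSES:
            destroyed += 1
            continue
        if rec["fulfilled_at"] is not None:
            allowed = RETAINED_AFTER_FULFILMENT[rec["purpose"]] - DIRECT_IDENTIFIERS
            remainder = {k: v for k, v in rec["data"].items() if k in allowed}
            if remainder != rec["data"]:
                de_identified += 1
            rec["data"] = remainder
            if not remainder:
                destroyed += 1
                continue
        kept.append(rec)
    store[:] = kept
    return de_identified, destroyed


def demo():
    """Walk one order and one newsletter sign-up (constructed data) through their lifecycle."""
    store, now = [], datetime(2025, 1, 1, tzinfo=timezone.utc)
    order = collect(store, "order_fulfilment",
                    {"name": "A. Example", "shipping_address": "Riyadh",
                     "phone": "+9665xxxxxxxx", "order_items": ["SKU-1"]}, now)
    try:  # a national ID is not needed to ship a parcel: refused at intake
        collect(store, "order_fulfilment", {"name": "B", "national_id": "1"}, now)
        over_collection_refused = False
    except MinimisationError:
        over_collection_refused = True
    collect(store, "newsletter", {"email": "a@example.com"}, now)
    fulfil(order, now)
    first = sweep(store)               # order delivered: identifiers dropped in place
    retire_purpose("newsletter")       # newsletter discontinued: intake stops
    try:
        collect(store, "newsletter", {"email": "b@example.com"}, now)
        intake_ceased = False
    except MinimisationError:
        intake_ceased = True
    second = sweep(store)              # existing sign-up destroyed
    return {"over_collection_refused": over_collection_refused,
            "after_fulfilment": dict(order["data"]), "first_sweep": first,
            "intake_ceased": intake_ceased, "second_sweep": second,
            "remaining": len(store)}
```

The allowlist at intake does more work than the sweep: a denylist of forbidden fields lets any newly added form field through, whereas an allowlist forces each field to be justified against a declared purpose before it is ever stored. The sweep is idempotent, so it can run on a schedule; fulfilled records lose their direct identifiers in place, which is how this example operationalises Article 11(3), while a retired purpose removes the whole record, which is how it operationalises the destruction duty in Article 11(4).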

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can a business collect any personal data it wants as long as the user clicks agree?
No. Article 11 limits collection to what is necessary to achieve the stated purpose. Consent does not override the requirement to keep collection purposeful and limited.

In e-commerce, can we collect extra data “just in case” we might need it later?
No. Collecting data for undefined or future possibilities is not aligned with Article 11. The purpose must be specific, and collection must be limited to what is actually needed.

Does “purpose limitation” mean we cannot use the same data for a new feature in our app without asking again?
Usually yes. A new feature is a new purpose unless it is directly connected to the original one. In practice, if the purpose meaningfully changes, you should reassess the basis for using the data.

How do we know if data is “necessary” for the purpose under KSA PDPL?
The rule of thumb is to ask whether the service can operate without that specific data. If the data is not required to deliver the purpose you stated to the user, collecting it is typically not allowed.

For HR in Saudi Arabia, can employers collect personal data about employees’ family members for administrative convenience?
Only if it is necessary for a specific employment-related purpose. If the purpose can be achieved without collecting those details, Article 11 indicates the collection should not occur.

In fintech, can we collect more ID documents than needed to meet KYC rules?
No. Article 11 requires limiting collection to what is necessary for the lawful purpose. If one document satisfies the purpose, requiring additional ones would typically not align with the PDPL limit.

Does purpose limitation mean that analytics and marketing must always be separate from core service data?
Often yes, because analytics or marketing usually serve different purposes than delivering the core service. Treating them as separate purposes helps ensure compliance with Article 11.

Can a Controller expand its purpose statement later to justify data it already collected?
No. Purpose statements are meant to guide and restrict collection at the time of processing. Expanding the purpose after collecting data undermines Article 11 and is not considered compliant.

If a vendor processes data on our behalf, who ensures purpose limitation is respected, us or the vendor?
The Controller is responsible for defining and enforcing purpose limits. Processors must follow only the documented purposes, but it is the Controller who ensures those limits are correct and lawful.

In healthcare, can hospitals collect information that is not medically relevant to treatment?
Only if it is required for the specific purpose being performed. If the information does not relate to treatment or another defined purpose, Article 11 indicates it should not be collected.

Common misconception: “As long as we do not disclose the data, collecting more is fine.” Is that accurate under Saudi PDPL?
No. Disclosure rules are separate from collection rules. Article 11 limits collection regardless of whether the data will be shared, published, or kept internally.

If data is public online, can we collect it without worrying about purpose limits?
No. Article 11 still applies to publicly accessible personal data. Public availability does not remove the obligation to collect only what is needed for a specific lawful purpose.
