PDPL Article 11 ensures that personal data is only collected for specific, lawful, and justified purposes. It requires controllers to use fair and secure methods, collect only what is necessary, and stop and delete data that’s no longer needed.
Saudi PDPL Article 11 (1)
Purpose Must Align
The purpose for which Personal Data is collected shall be directly related to the Controller’s purposes, and shall not contravene any legal provisions.
Saudi PDPL Article 11 (2)
Fair and Clear Collection
The methods and means of Personal Data Collection shall not conflict with any legal provisions, shall be appropriate for the circumstances of the Data Subject, shall be direct, clear and secure, and shall not involve any deception, misleading or extortion.
Saudi PDPL Article 11 (3)
Minimum Necessary Data
The content of the Personal Data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the Collection. Content that may lead to specifically identifying Data Subject once the purpose of Collection is achieved shall be avoided. The Regulations shall set out the necessary controls in this regard.
Saudi PDPL Article 11 (4)
Stop Collection, Destroy Data, If
If the Personal Data collected is no longer necessary for the purpose for which it has been collected, the Controller shall, without undue delay, cease their Collection and destroy previously collected Personal Data.
Interpretation of Saudi PDPL Article 11
Data must be collected for lawful, controller-specific purposes:
Saudi PDPL Article 11 (1) says that, the reason for collecting personal data must match the controller’s activities and must not break any laws. No vague or irrelevant purposes are allowed.
Collection must be direct, lawful, secure, and free from deception:
Saudi PDPL Article 11 (2) says that, the methods used to collect personal data must be honest, safe, and suitable for the data subject. Deception, manipulation, or coercion is strictly prohibited.
Collect only what’s necessary; avoid unnecessary identifiers:
Saudi PDPL Article 11 (3) says that, controllers should only collect the data they truly need. Extra or irrelevant personal details especially, those that can identify someone when not needed, must be avoided.
Cease collecting and delete personal data once no longer needed:
Saudi PDPL Article 11 (4) says that, if the purpose for collecting the data is finished, the controller must stop collecting more and delete what was already collected without delay.
