KSAPDPL.COM

Saudi PDPL Article 13 – Personal Data Collection Disclosure Requirements

Overview

Article 13 of the Saudi Personal Data Protection Law (KSA PDPL) defines what information a Controller must provide to the Data Subject when collecting personal data directly. These disclosures include the purpose of collection, the legal basis, the entity collecting the data, data recipients, consequences of refusing to provide data, Data Subject rights (DSR), and any additional sector-specific requirements.

This Article ensures transparency and enables individuals to understand how their data will be used and what rights they can exercise.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 13

When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of the following upon Collection:

  1. The legal basis for collecting their Personal Data.

  2. The purpose of the Collection, and shall specify the Personal Data whose Collection is mandatory and the Personal Data whose Collection is optional. The Data Subject shall be informed that the Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose or in cases other than those stated in Article (10) of this Law.

  3. Unless the Collection is for security purposes, the identity of the person collecting the Personal Data and the address of its representative, if necessary.

  4. The entities to which the Personal Data will be disclosed, the capacity of such entities, and whether the Personal Data will be transferred, disclosed or processed outside the Kingdom.

  5. The potential consequences and risks that may result from not collecting the Personal Data.

  6. The rights of the Data Subject pursuant to Article (4) herein.

  7. Such other elements as set out in the Regulations based on the nature of the activity done by the Controller.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 13

Information Required Upon Direct Collection

This provision mandates that when collecting Personal Data directly from the Data Subject, the Controller must provide clear information at the point of collection. This ensures transparency and enables informed decision-making. The required disclosures are:

PDPL Article 13(1)

The Legal Basis for Collection

This provision requires the Controller to inform the Data Subject of the legal basis for collecting personal data before the collection occurs.

This ensures that the Data Subject understands the legal justification for the processing.

PDPL Article 13(2)

The Purpose and Nature of Data

This provision requires the Controller to explain the specific purpose for the collection. It must clearly specify which Personal Data is mandatory to provide and which is optional. The Data Subject must be informed that their data will not be used for other incompatible purposes, except as permitted by Article 10 of the Law.

This ensures the Data Subject understands why the data is needed and how the requested data is relevant.

PDPL Article 13(3)

Identity of the Collector or Representative

This provision requires the Controller to disclose its identity and, if necessary, its representative’s contact details, unless the collection is for security purposes.

This allows the Data Subject to know who is responsible for handling their data.

PDPL Article 13(4)

Recipients and Transfers

This provision requires the Controller to inform the Data Subject about other entities that will receive the data, their role, and whether the data will be transferred, disclosed, or processed outside the Kingdom.

This ensures individuals are aware of who will have access to their information and whether processing occurs outside the Kingdom of Saudi Arabia (KSA).

PDPL Article 13(5)

Consequences of Not Providing Data

This provision requires the Controller to explain the potential consequences or risks for the Data Subject if they choose not to provide the requested Personal Data.

This ensures the individual understands the practical impact of refusing to share information, such as an inability to receive a service.

PDPL Article 13(6)

Reminder of Data Subject Rights (DSR)

This provision requires the Controller to inform the Data Subject of their rights under the Law. These rights include access, correction, deletion, and other rights defined in earlier Articles.

The provision ensures that individuals know how they can exercise control over their personal data.

PDPL Article 13(7)

Additional Sector Criteria Defined by Regulations

This provision allows the Regulations to define additional disclosure requirements based on the Controller’s industry or activity.

This ensures that disclosures can be tailored to reflect sector-specific considerations when necessary.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), do we need to tell users we collected their data if it came from a partner and not directly from them?
Yes, Article 13 requires informing the Data Subject, even when you obtain the data indirectly. In practice, you still need to provide the same clarity you would if you collected it yourself.

If my e-commerce platform collects customer data during checkout, what disclosures does Article 13 expect?
You must clearly inform the customer about the collection and processing. The rule of thumb is that the customer should not be left guessing why or how their data is being used.

For HR teams in KSA, does Article 13 require notifying employees before collecting internal data about them?
Yes, employees are still Data Subjects and should be informed when their Personal Data is collected. Transparency applies even within internal company operations.

If we already have a Privacy Policy, do we still need to provide a separate disclosure at the moment of collection?
Often yes, because Article 13 focuses on notifying the Data Subject at or before collection. A Privacy Policy supports this, but it does not replace the need for timely disclosure.

In fintech, does automated data collection inside the app require the same disclosure as manual collection?
Yes, automated and manual collection both fall under Article 13. Users should understand what is being collected, regardless of how the system gathers it.

Does Article 13 require disclosing the full list of third parties we work with?
It requires disclosing relevant information linked to collection and processing, not necessarily naming every party unless needed for clarity. The goal is to give users meaningful awareness of how their data is handled.

Can a SaaS provider rely on the enterprise customer to provide all Article 13 disclosures?
Usually the Controller is responsible for ensuring the Data Subject receives the required information. A SaaS vendor acting as a Processor does not replace the Controller’s duty.

If our call center collects customer information verbally, does Article 13 still apply?
Yes, the disclosure requirement applies to all forms of collection, including verbal. The format may differ, but the clarity requirement remains the same.

Does Article 13 allow delaying disclosure until after we have already started processing the data?
No, the expectation is disclosure at or before the time of collection. Processing first and explaining later does not meet the transparency intention.

If we only collect basic data like name and phone number, do we still need a full Article 13 disclosure?
Yes, the scope of the data does not remove the requirement. Even simple data must be accompanied by clear information about its collection and use.

Common misconception: “If the data is public, we do not need to tell the person we collected it.” Is that correct under Saudi PDPL Article 13?
No, Article 13 applies even when the data came from a public source. Transparency remains required so the person understands the new processing context.

If we update the way we collect data, must we update our disclosure immediately under KSA PDPL?
Yes, the disclosure should reflect current practices. If collection changes, your communication to Data Subjects should stay aligned with Article 13.
