PDPL Article 5 explains that consent is the default requirement for processing personal data, unless another lawful basis applies (as stated elsewhere in the PDPL).
Data Controllers generally need a individuals (data subject) clear permission to collect or use their personal data, unless the law says otherwise. And individuals can change their mind and withdraw consent anytime.
Saudi PDPL Article 5 (1)
Consent Required for Processing
Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject. The Regulations Shall set out the conditions of the consent, the cases in which the consent must be explicit, and the terms and conditions related to obtaining the consent of the legal guardian if the Data Subject fully or partially lacks legal capacity.
Saudi PDPL Article 5 (2)
Right to Withdraw Consent
In all cases, Data Subject may withdraw the consent mentioned in Paragraph (1) of this Article at any time; the Regulations determines the necessary controls for such case.
Explanation of Saudi PDPL Article 5
Collect Consent Before Processing:
Saudi PDPL Article 5 (1) says that personal data can’t be processed or repurposed without the data subject’s consent, unless a specific exception in the law applies.
PDPL Implementing Regulation will explain:
- When consent must be explicit
- The conditions for valid consent
- How to obtain consent from a legal guardian, if the data subject has partial or no legal capacity (e.g., minors, individuals with certain disabilities)
Withdraw Consent Anytime During Processing:
Saudi PDPL Article 5 (2) says that, the data subject has the right to withdraw their consent at any time.
The Implementing Regulations will set the rules and procedures for how this works.
