PDPL Article 9 explains that the right to access personal data granted under Article 4 (2) is not absolute. The controller can limit or deny access under specific circumstances mentioned in the law and regulations.
Saudi PDPL Article 9 (1)
Limited Access Permitted by Controller
The Controller may set time frames for exercising the right to access Personal Data stated in Paragraph (2) of Article (4) herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:
- a) If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth the Regulations.
- b) If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.
Saudi PDPL Article 9 (2)
Mandatory Denial of Access
The Controller shall prevent the Data Subject from accessing Personal Data in any of the situations stated in Paragraphs (1, 2, 3, 4, 5) and (6) of Article (16) herein.
Explanation of Saudi PDPL Article 9
Controllers may limit access to prevent harm or protect security:
Saudi PDPL Article 9 (1) says, the controller may:
- Set reasonable timeframes for data access, as defined in the Implementation Regulation.
- Restrict access in these cases:
- a) If access would cause harm to the data subject or others.
- b) If the controller is a public entity and access would affect national security, legal obligations, or judicial requirements.
Access must be denied in legally restricted cases under Article 16:
Saudi PDPL Article 9 (2) says, the controller must deny access if any of the conditions in Article 16 (1–6) apply.
These conditions (from Article 16) typically relate to protecting public interest, legal investigations, or overriding rights.
