saudi-pdpl.com

Article 10

The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other than the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:

  1. The Data Subject gives their consent in accordance with the provisions of this Law.
  2. Personal Data is publicly available or was collected from a publicly available source.
  3. The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
  4. Complying with this may harm the Data Subject or affect their vital interests.
  5. Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.
  6. Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.
  7. Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.

FAQs

The default rule is that your personal data must be collected directly from you. However, the law permits a Controller to collect your data from another source under specific circumstances, such as: 

  • You have given your consent. 
  • The data was collected from a publicly available source. 
  • The Controller is a public entity and requires the data for security, legal, or judicial purposes. 
  • Collecting the data directly from you could cause you harm or affect your vital interests. 
  • The collection is necessary to protect public health or an individual’s life. 

Generally, your personal data may only be processed for the purpose for which it was originally collected. Using it for a new purpose is only allowed under the same set of exceptions that permit collecting it from a source other than you. This includes obtaining your consent, if the processing is required for public safety, or if it is necessary for the Controller’s legitimate interests, among other reasons.

While consent is the primary basis for processing, several exceptions allow for processing without it. These include: 

  • Public Interest and Safety: Processing is permitted if it is necessary to protect public health or safety, or the life of an individual. Similarly, a public entity can process data for security or legal requirements. 
  • Legitimate Interests: A Controller may process your data to achieve their legitimate interests. However, this is subject to two important conditions: the processing must not infringe on your rights and interests, and it cannot be used for processing Sensitive Data. 
  • Publicly Available Data: If your personal data is already publicly available, it can be processed without separate consent. 
  • Anonymization: Processing is allowed if the data is handled in a way that it can no longer be used to identify you directly or indirectly. 