Global Data and Cyber Handbook

Saudi Arabia

Select a Topic
Start Comparison
Legal Bases for Processing of Personal Data
Jump to
Legal Bases for Processing of Personal Data Start Comparison
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 31 December 2024

Yes.

The following are potential legal bases for processing personal data:

         the data subject has provided consent to the processing for the identified purposes

         the personal data is necessary to perform a contract with the data subject

         the personal data is necessary to comply with a legal obligation

         the personal data is necessary to protect the vital interests of a natural person

         the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 31 December 2024

Yes

The following are potential legal bases for processing sensitive personal data:

         the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")

         processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

         processing relates to personal data which are manifestly made public by the data subject

         processing is necessary for reasons of public interest in the area of public health

         other

  • processing is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements where carried out by a public entity

Unlike under the GDPR, under the PDPL there are no enhanced legal bases that must be satisfied for processing sensitive personal data.

 

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 31 December 2024

Yes. The PDPL does not contain a formal definition of a minor or any express reference to children’s data, but the Implementing Regulations contain provisions relating to the exercise of rights and granting of consent by legal guardians on behalf of any person lacking legal capacity (which would include a minor).

Prior to the publication of the PDPL, the NDMO had issued a policy on the processing the data of children and persons lacking mental capacity.

In what circumstances do these special requirements apply?

Last review date: 31 December 2024

Generally.

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 31 December 2024

         consent must be given or authorized by the holder of parental responsibility over the child

         other

A legal guardian is obliged to act in the best interests of the data subject and may exercise their rights and or consent to processing of personal data on their behalf. Controllers must take “appropriate measures” to verify the validity of the guardianship, and ensure that (a) consent given by the legal guardian does not harm the interests of the data subject and (b) the data subject is permitted to exercise their rights under the PDPL when they reach legal capacity.

{{ $store.state.loadingScreen.message }} ...