The toughest PDPL questions rarely arrive as theory. They arrive as a phone call.
“We had to move fast, so we skipped consent and used legitimate interest. That’s fine… right?”
Sometimes it is. Often it isn’t. Under the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) and its Implementing Regulation, you’ve got three different “interest” labels you can rely on when you’re not using consent or a legal obligation: vital interest, actual interest, and legitimate interest.
They sound close. They’re not. If you treat them as interchangeable, you either:
- Grab more data than you can justify
- Talk yourself into risk that will look terrible in front of SDAIA or an internal audit committee.
This piece is about how to use each basis on purpose, with examples you can actually map to your RoPA and legitimate interest assessments.
Where the Three Interests Sit in the PDPL
At a high level, PDPL says you usually need consent to process personal data, then carves out specific alternatives. One of those alternatives is when processing is necessary for the controller’s legitimate interest, so long as it doesn’t override the data subject’s rights and interests and doesn’t involve sensitive data.¹ Another set of conditions is spelled out in the Implementing Regulation, which defines three kinds of “interest” you can rely on: vital, actual, and legitimate.
Article 1 of the Implementing Regulations of the Personal Data Protection Law defines:
Vital Interest: Any interest necessary to preserve the life of a Data Subject.
Actual Interest: refers to any moral or material interest of the Data Subject that is directly linked to the purpose of Processing Personal Data, and the Processing is necessary to achieve that interest.
Legitimate Interest: refers to any necessary interest of the Controller that requires the Processing of Personal Data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject.
In plain language:
- Vital interest – preserving someone’s life.
- Actual interest – serving the data subject’s own material or moral benefit in a way that’s tightly linked to the purpose of processing.
- Legitimate interest – serving a necessary interest of the controller that requires processing for a specific purpose, without unfairly harming the data subject’s rights or expectations.
Hold that structure in your head. Life. Their benefit. Your operations.
Vital Interest: The Break-Glass Option
Vital interest is the emergency brake. You use it when waiting for consent would meaningfully increase the chance that someone dies or suffers serious physical harm.
What the law is really aiming at
The Implementing Regulation defines vital interest as an interest necessary to preserve the life of a data subject.² You’re not dealing with vague “health and safety” projects here. You’re dealing with concrete, time‑sensitive risk to life.
So ask yourself one harsh question:
“If we pause to ask for consent and they say no or don’t respond, do we materially increase the chance that someone dies or suffers serious physical harm?”
If the honest answer is no, don’t use vital interest.
Solid uses
Medical emergency on site
A worker collapses at a warehouse. The safety team shares known medical conditions and emergency contact details with paramedics while the worker is unconscious. No one is waiting around for a checkbox.
Evacuation during a flood
A coastal hotel uses guest lists, room numbers, and contact details to coordinate evacuation during severe flooding. People need to get out now, not after you refresh your cookie banner.
Uses that feel urgent but aren’t
Health insurance underwriting
Pricing risk for a health policy matters to your business, but it doesn’t preserve the insured’s life. You’re not in vital interest territory. Nor can you fall back on legitimate interest: health data is sensitive data under PDPL, and legitimate interest is unavailable where sensitive data is involved. You’re looking at contract performance, or consent.
Generic “safety initiatives”
A group‑wide “wellbeing dashboard” that tracks steps, calories, or non‑emergency health indicators will almost never meet a true vital interest threshold. If you can plan it over a quarter, it’s not an emergency.
Quick rule of thumb
If you have time to send a clear consent notice and genuinely respect a “no”, you’re almost certainly not in vital interest.
Actual Interest: When You’re Enabling Their Goal
Actual interest is the quiet workhorse in most PDPL programmes, and it’s badly underused.
The regulation frames actual interest as a moral or material benefit of the data subject that’s directly linked to the purpose of processing, and where that processing is necessary to achieve that benefit.² In practical terms: they want a specific outcome, they triggered the interaction, and you can’t deliver it without processing their data.
How to spot actual interest in practice
Run this test:
Did the data subject start this process, and would they be annoyed or harmed if we didn’t process their data for this exact purpose?
If the answer is yes, you’re probably in actual‑interest territory.
Clear examples
Customer buys online and wants the goods
A customer enters their address and phone number to receive a delivery. You use that data to ship the products and handle delivery updates. They came to you to receive those goods. The processing is necessary for their own outcome.
Employee requests a salary advance
An employee asks for an emergency salary advance. HR uses bank details and employment records to check eligibility and send the payment. The beneficiary is the employee; without processing, they don’t get what they asked for.
Patient books an appointment
A patient calls the clinic, explains their issue, and shares contact details so the clinic can schedule and confirm the visit. Processing their information enables access to care they actively requested.
Where people go wrong
Controllers routinely relabel their own interests as the data subject’s actual interest just because the subject interacted with them once.
Not actual interest: casual browsing → targeted ads
Someone lands on your website, reads an article, and leaves. You then profile them to build targeted advertising audiences. They didn’t arrive hoping to be profiled; that’s your revenue model talking, not their goal.
Not actual interest: emergency contact → newsletter
You collect an emergency contact from an employee and quietly add that email address to marketing campaigns. The original purpose was crisis communication. The new purpose is your brand visibility. Those are not the same thing.
If the person would reasonably say, “I never asked you to do that with my data,” you’ve probably left the actual‑interest lane.
Legitimate Interest: Your Needs, With Guardrails
Legitimate interest is where most of the hard risk calls live. PDPL allows processing where it’s necessary for the controller’s legitimate interest, provided this doesn’t prejudice the rights and interests of the data subject and doesn’t involve sensitive data.¹ The Implementing Regulation and practitioner commentary (see Sources) add three more conditions: the purpose can’t breach Saudi law, it must fall within the data subject’s reasonable expectations, and you must balance your interests against theirs, in writing.

In other words, you can use legitimate interest only when the processing is genuinely necessary for your operations and fair to the individual. It’s not a magic “business needs” wildcard.
The two questions you must be able to answer
- Necessity – “Can we realistically achieve this purpose with less data, less intrusive processing, or a different legal basis?” If yes, your case is weak.
- Fairness – “Would a typical data subject be surprised or upset if they found out we were doing this, in this way, with this level of detail?” If yes, your case is weaker still.
If you can’t defend both answers in writing, your legitimate interest assessment will feel flimsy the moment a regulator, court, or internal auditor reads it.
Where legitimate interest usually works
Fraud and abuse monitoring
A bank analyses transaction and log‑in patterns to detect suspicious behavior. Customers expect some monitoring to protect their accounts. You minimize the data, lock down access, and document the safeguards. That’s a classic legitimate interest use.
Network and system security
An organization logs access attempts, IP addresses, and device identifiers to prevent and investigate cyber incidents. Users connecting to corporate systems reasonably assume those systems will be protected and monitored.
Improving logistics and operations with minimal personal data
A delivery company aggregates route and timing statistics to improve its delivery performance, without focusing on individual drivers unless an anomaly appears. The goal is operational efficiency, and the privacy impact is low.
Where legitimate interest collapses
Selling data to brokers because it’s “profitable”
Turning your customers into a product for third‑party data brokers is very difficult to reconcile with their expectations under PDPL, especially when they never saw a clear notice or opt‑out.
Monitoring employees’ personal social media at scale
Systematically scraping employees’ public posts for “reputation management” looks like surveillance, not proportionate risk control. It chills expression and will be hard to justify as a balanced interest under PDPL.
Face recognition just to “personalize” shopping
Using biometric templates to greet or track shoppers where they don’t expect it is intrusive, and the balancing test never even starts: biometric data is sensitive data under PDPL, and legitimate interest is unavailable where sensitive data is involved. Marginal marketing uplift against ongoing biometric surveillance would fail the balance anyway; the only route is explicit consent.
A Simple Hierarchy: Life → Their Goal → Your Goal

When you’re choosing a lawful basis for PDPL, run this order in your head:
- Is someone’s life (or serious physical safety) in real, time‑sensitive danger?
- If yes, you’re looking at vital interest. Process now; document once the emergency stabilizes.
- If no, move on.
- Is the processing necessary to achieve a concrete outcome they asked for?
- If yes, and the processing is tightly linked to that outcome, you’re likely in actual interest territory.
- If the processing is mainly serving your own goals, keep going.
- Is the processing necessary for your operations and reasonably expected?
- If yes, and you can show that data subjects’ rights and interests aren’t overridden, legitimate interest may work—backed by a written balancing test.
- If no, you either need another lawful basis (like consent or a legal obligation) or you shouldn’t be doing it at all.
If you answer “sort of” to any of these, assume the regulator will hear “no” and build your governance accordingly.
Worked Examples Across All Three Interests
You rarely label just one basis across an entire organization. The same entity will lean on each of the three interests in different parts of its operations.
Hospital
- Treating an unconscious trauma patient – Vital interest
Doctors access and share records during surgery to prevent loss of life when the patient can’t consent.
- Scheduling elective surgery – Actual interest
The patient wants the procedure and initiates the booking. Processing their information is necessary to deliver that care.
- Analyzing anonymized outcomes – Legitimate interest, with a catch
The hospital studies aggregated, anonymized outcome data to improve clinical pathways. Individuals aren’t identifiable in published findings, and data that is genuinely anonymized is no longer personal data at all. What still needs a basis is the step that turns identifiable clinical records into those aggregates, and because clinical records are health data (sensitive data), legitimate interest cannot carry that step on its own; document the basis for that step separately.
E‑commerce platform
- Contacting customers about a dangerous product recall – Vital interest
You use contact details and purchase records to warn affected customers where a product creates a serious risk of harm.
- Processing address and payment details for an order – Actual interest
The customer wants the goods. You need that information to deliver the order and handle payment.
- Monitoring for payment fraud – Legitimate interest
The platform runs fraud‑detection models on transaction data to protect itself and its customers against abuse.
Employer
- Sharing allergy information with on‑site medics – Vital interest
In emergencies, the on‑site doctor needs to know about severe allergies or conditions to avoid life‑threatening reactions.
- Processing salary payment data – Actual interest
Employees expect to be paid on time; payroll needs their bank details and tax information to make that happen.
- Analyzing productivity metrics using aggregated reports – Legitimate interest
Management reviews aggregated, depersonalized statistics to understand workload and resourcing, without turning every email into a performance‑scoring input.
Red Flags You Picked the Wrong Basis
Here’s where, in practice, things go off the rails.
Vital interest red flags
You invoked vital interest but:
- There was no real, immediate threat to life or serious harm,
- You had time to obtain consent or use another lawful basis, or
- The only risk in play was financial or reputational.
If that’s the situation, you weren’t in vital‑interest territory. You were probably dealing with contract performance, actual interest, or legitimate interest.
Actual interest red flags
You relied on actual interest but:
- The data subject didn’t initiate the outcome,
- The main beneficiary is your organization, not the individual, or
- They would reasonably be surprised to discover how you’re using their data.
That usually means you’re actually in legitimate interest and should have done a balancing test—or you should have gone back to consent.
Legitimate interest red flags
You ticked legitimate interest on the form because it felt convenient, even though:
- The processing involves sensitive data such as health or biometric data, which legitimate interest cannot cover at all, or it feels intrusive (detailed tracking, large‑scale profiling),
- Individuals would push back if they saw a clear explanation, or
- The activity is “nice to have” rather than truly necessary.
In those cases, claiming legitimate interest is risky. Either you:
- Obtain explicit, well‑structured consent,
- Find a proper legal obligation, or
- Accept that the processing shouldn’t happen.
Making Privacy Notices Actually Useful
Most PDPL privacy notices still say some version of “We process your data for our legitimate interests” and leave it there. It reads like a shrug.
A better approach is to connect the lawful basis to a concrete activity and outcome:
- “We process your order details (name, address, payment information) under actual interest because you want us to deliver your purchase and handle payment.”
- “We process basic access logs under legitimate interest to detect and investigate security incidents. This includes IP addresses, timestamps, and URLs accessed, and we store them for a limited period.”
- “If you suffer a serious medical incident on our premises, we may share relevant information with emergency responders under vital interest to protect your life and safety.”
Now a regulator, customer, or employee can see that you’ve actually thought through the basis instead of hiding behind labels.
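The access‑log notice above promises “basic access logs” kept “for a limited period”, and the necessity question earlier in the piece asks whether you could achieve the purpose with less data. The following is an added illustration of what makes both claims true in practice; it is not code from the article or from any vendor. It reduces a raw web access log to the fields that incident detection and investigation actually need (a keyed pseudonym for the client address rather than the address itself, timestamp, method, path without its query string, status), drops the username and user agent, and enforces a retention window. The log lines, hostnames, paths and the HMAC key are constructed for the example; the 90‑day window is an assumed policy value, not one the law sets.

```python
"""Minimising security access logs so the legitimate-interest 'necessity' answer holds up.

Added illustration, not from the original article. The log lines and the key are constructed.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (hypothetical hosts, users and paths).
SAMPLE_LOG = """\
203.0.113.45 - alice [10/Jan/2025:08:15:02 +0300] "GET /account/settings?token=abc123&email=alice%40example.com HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jan/2025:08:15:40 +0300] "POST /login HTTP/1.1" 401 312 "-" "curl/8.4"
2001:db8::1 - - [01/Oct/2024:23:59:59 +0300] "GET /admin HTTP/1.1" 403 128 "-" "python-requests/2.31"
"""

# Hypothetical demo values; in production the key lives in a secrets store and is rotated.
DEMO_KEY = b"rotate-me-quarterly"
DEMO_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict:
    """Parse one combined-format line into its raw fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of the packed address: the same client
    still correlates across events, but the address itself is never stored, and
    rotating the key makes old pseudonyms unlinkable to new ones."""
    addr = ipaddress.ip_address(ip)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]


def minimise(rec: dict, key: bytes) -> dict:
    """Keep only what 'detect and investigate security incidents' needs.
    The username and user agent are dropped, and the query string goes because
    it routinely carries tokens or e-mail addresses the purpose never required."""
    return {
        "client": pseudonymise_ip(rec["ip"], key),
        "ts": rec["ts"],
        "method": rec["method"],
        "path": urlsplit(rec["path"]).path,
        "status": int(rec["status"]),
    }


def apply_retention(records: list, now: datetime, max_age: timedelta) -> list:
    """Enforce the 'limited period' the privacy notice promises."""
    cutoff = now - max_age
    return [r for r in records if r["ts"] >= cutoff]


def process_log(text: str, key: bytes, now: datetime, max_age: timedelta = timedelta(days=90)) -> list:
    """Parse, minimise and age out a whole log text; returns the retained records."""
    records = [minimise(parse_line(line), key) for line in text.splitlines() if line.strip()]
    return apply_retention(records, now, max_age)


def demo() -> list:
    """Run the pipeline over the constructed sample with the demo key and clock."""
    return process_log(SAMPLE_LOG, DEMO_KEY, DEMO_NOW)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two of the three sample records survive: the two January requests are kept and share one client pseudonym, while the October request falls outside the 90‑day window. The retained record for the settings request has lost the `token` and `email` parameters along with the username and user agent, which is the kind of concrete, checkable reduction a necessity answer should point to.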
What This All Means When SDAIA Comes Knocking
PDPL doesn’t lock you into consent for everything. It gives you structured room to move if you can explain your decisions.
So when you pick a basis, imagine you’re in front of SDAIA or your board’s audit committee and someone asks a simple question:
“Show us, in writing, why you chose this basis instead of the alternatives, and how you checked that data subjects’ rights weren’t overridden.”
If you can hand over a short, clear explanation—tied back to vital interest, actual interest, or legitimate interest as the law and regulation use those terms—you’re in a good place. If you’d rather not be in that meeting at all, that’s your signal to rethink the processing before it ever starts.
Need Expert Help With PDPL in Saudi Arabia?
PDPL edge cases rarely fit into neat checklists. If you’re building or refreshing a Saudi Arabia Personal Data Protection Law (PDPL) compliance programme and you’re not sure how to document vital, actual or legitimate interest, GRC360 can help. The GRC360 team supports controllers and processors across sectors with PDPL gap assessments, risk‑based RoPAs, data‑sharing reviews and SDAIA‑ready documentation. For complex scenarios or high‑stakes audits, contact GRC360 to design a PDPL approach that you can explain—and defend—in plain language.
ACKNOWLEDGMENT
Prepared with reference to publicly available English translations of the Kingdom of Saudi Arabia’s Personal Data Protection Law and its Implementing Regulation, plus secondary commentary from law firms and privacy practitioners active in the region. This article is informational and not legal advice.
SOURCES
Regulations
- Personal Data Protection Law, Kingdom of Saudi Arabia, Royal Decree No. M/19 of 9/2/1443H (as amended by Royal Decree No. M/148 of 5/9/1444H), including Article 5 on lawful bases for processing. English reference version published by the Saudi Data and Artificial Intelligence Authority (SDAIA).
- The Implementing Regulation of the Personal Data Protection Law (Public Consultation Version), National Data Management Office / SDAIA, Article 1 (definitions of vital interest, actual interest, and legitimate interest) and Article 3 (legal bases for processing).
Reports and Commentary
- DLA Piper, “Data protection laws in Saudi Arabia,” Data Protection Laws of the World, last modified 6 January 2025.
- Herbert Smith Freehills Kramer, “Saudi Arabia’s Personal Data Protection Law – What you need to know,” 28 November 2023.
- Akin Gump, “Kingdom of Saudi Arabia’s New Personal Data Protection Law and Implementing Regulations – Key Obligations, Responsibilities and Rights,” client alert.
- Various guidance articles on consent management and legitimate interest assessments under PDPL from regional privacy consultancies and law firms, used here for cross‑checking of interpretations against the statutory text.