Overview
Personal Data Disclosure Cases Guideline – Personal Data Disclosure Cases sets out the general prohibition on personal data disclosure and enumerates the specific cases in which disclosure is permitted under the Saudi Personal Data Protection Law and its Implementing Regulations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
The Controller shall not disclose personal data, except for the following cases:
- First: Consent of the Personal Data Subject
- Second: Personal Data Collected from a Publicly Available Source
- Third: Disclosure is Requested by a Public Entity to Serve a Public Interest, for Security Purposes, to Implement Another Law, or to Fulfill Judicial Requirements
- Fourth: Disclosure is Necessary to Safeguard Public Health, Public Safety, or the Life or Health of Specific Individuals
- Fifth: Disclosure is Limited to Subsequent Personal Data Processing that Does Not Result in the Identification of the Personal Data Subject or Any Other Individual in Particular
- Sixth: Disclosure is Necessary to Achieve the Controller’s Legitimate Interests
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
General Rule on Personal Data Disclosure
First: Consent of the Personal Data Subject
This case permits disclosure where the Personal Data Subject has provided consent for such disclosure.
Second: Personal Data Collected from a Publicly Available Source
This case applies when the Personal Data was collected from a source that is publicly available.
Third: Disclosure is Requested by a Public Entity to Serve a Public Interest, for Security Purposes, to Implement Another Law, or to Fulfill Judicial Requirements
This case allows disclosure when requested by a public entity for public interest purposes, security purposes, implementation of another law, or fulfillment of judicial requirements.
Fourth: Disclosure is Necessary to Safeguard Public Health, Public Safety, or the Life or Health of Specific Individuals
This case applies when disclosure is required to protect public health, public safety, or the life or health of specific individuals.
Fifth: Disclosure is Limited to Subsequent Personal Data Processing that Does Not Result in the Identification of the Personal Data Subject or Any Other Individual in Particular
This case permits disclosure when it is limited to subsequent processing that does not result in identifying the Personal Data Subject or any other individual.
Sixth: Disclosure is Necessary to Achieve the Controller’s Legitimate Interests
This case applies when disclosure is necessary to achieve the Controller’s legitimate interests.
