Personal Data Disclosure Cases Guideline – Personal Data Disclosure Cases: Sixth: Disclosure is Necessary to Achieve the Controller’s Legitimate Interests

Sixth: Disclosure is Necessary to Achieve the Controller’s Legitimate Interests

If the disclosure is necessary to achieve the Controller's legitimate interests, without prejudice to the rights and interests of the data subject, and provided that the disclosed data is not sensitive. The Controller shall ensure that a request for disclosure is directly related to a specific and clearly defined purpose or subject matter. Due diligence shall be exercised to protect the privacy of the data subject or any other individual. Disclosure shall be limited to the minimum personal data necessary to achieve its purpose. Moreover, the Controller disclosing personal data related to an individual other than the data subject shall be obligated to exercise due diligence and implement adequate safeguards to protect the privacy of that other individual. Such measures shall include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual. In addition to the above, when a Controller discloses personal data to achieve a legitimate interest, the following conditions must be met:

1. The purpose must not contravene any laws or regulations in the Kingdom.
   
   
2. The rights and interests of the data subject must be balanced against the legitimate interests of the Controller, such that the Controller’s interests do not unduly prejudice the rights and interests of the data subject.
   
   
3. The processing must not involve sensitive data.
   
   
4. The processing must be within the reasonable expectations of the data subject.

E.g.: detecting fraudulent activities and safeguarding the network and information security are considered legitimate interests.

Prior to processing personal data, including disclosure for a legitimate interest, the Controller must conduct and document an assessment of the proposed processing and its impact on the rights and interests of data subjects. The assessment shall specifically comprise the following:

1. The proposed processing activities, their purpose, the types of data involved, and the categories of data subjects.
   
   
2. An evaluation of the purpose to ensure its legitimacy and compliance with all applicable laws in the Kingdom.
   
   
3. A determination of whether the personal data processing is strictly necessary to achieve the Controller's legitimate purpose.
   
   
4. An assessment of whether the proposed processing presents any harm to the data subjects' interests or ability to exercise their statutory rights.
   
   
5. An assessment of whether any measures are required to mitigate potential risks or harms, in accordance with Paragraph (2) of Article 25 of the Implementing Regulations.

If the assessment demonstrates that the proposed processing would, in any way, violate any laws or regulations, infringe upon the rights and interests of data subjects, or cause harm to them or any other party, the Controller shall modify the proposed processing and conduct a new assessment, or consider relying on another legal basis.

Restrictions on the Disclosure of Personal Data

The Controller shall not disclose personal data Whenever the disclosure meets any of the following criteria:

1. If the disclosure poses a threat to security, tarnishes the Kingdom's reputation, or conflicts with the Kingdom’s interests.
   
   
2. If the disclosure affects the Kingdom’s relations with another country.
   
   
3. If the disclosure prevents the detection of a crime, prejudices a defendant's rights to a fair trial, or affects criminal proceedings.
   
   
4. If the disclosure endangers the safety of an individual(s).
   
   
5. If the disclosure would be a violation of the privacy of an individual other than the data subject, as stipulated by the regulations.
   
   
6. If the disclosure conflicts with the interest of an incompetent person.
   
   
7. If the disclosure breaches professional obligations established by the Law.
   
   
8. If the disclosure involves a breach of an obligation, a procedure, or a judgment.
   
   
9. If the disclosure reveals the identity of a confidential source of information that it is in the public interest not to disclose it.

These restrictions do not apply to disclosure activities in the following cases:

1. If the data disclosure request is made by a public entity, and the disclosure is required to serve a public interest, for security purposes, to implement another law, or to fulfill judicial requirements.
   
   
2. If personal data disclosure is necessary to protect public health, public safety, or the life or health of specific individuals.