Overview
Elaboration and Developing Privacy Policy Guideline — Sixth: Personal Data Sharing explains how Controllers must inform Data Subjects about the disclosure of Personal Data to other entities.
It focuses on transparency regarding whether data is shared, the identity and description of recipient entities, and the purpose and frequency of such disclosures.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Sixth: Personal Data Sharing
- The Controller shall clarify whether Personal Data or a specific group thereof shall be disclosed to other entities (whether inside or outside the Kingdom) and shall provide the Data Subject with information about the entity(s) to which Personal Data is disclosed, along with a description of such entities.
- If there is a need to disclose Personal Data or a specific group thereof, the main purpose of disclosing such data shall be clearly and accurately specified, along with whether it will be disclosed occasionally (one time) or regularly (several times).
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
1. Disclosure to Other Entities
This provision requires the Controller to clarify whether Personal Data, or a specific group of Personal Data, will be disclosed to other entities. This includes disclosures to entities located inside or outside the Kingdom.
The Controller must also provide the Data Subject with information about the entity or entities receiving the Personal Data, together with a description of those entities.
