KSAPDPL.COM


Saudi PDPL Article 15 – Permitted Personal Data Disclosure Conditions

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 15 defines the limited situations where a Controller may disclose personal data to another party in accordance with the Personal Data Protection Law (PDPL). Disclosure is generally prohibited unless a permitted condition applies, such as explicit consent, public data sources, governmental requests, public health needs, legal requirements, or legitimate interests that do not involve sensitive data.

The Article also requires the Regulations to set out the controls and procedures governing disclosures made under these permitted conditions.

SDAIA's Official PDPL Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 15

The Controller may not Disclose Personal Data except in the following situations:

  1. Data Subject consents to the Disclosure in accordance with the provisions of the Law.

  2. Personal Data has been collected from a publicly available source.

  3. The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, to fulfill judicial requirements.

  4. The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.

  5. The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.

  6. The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (6) of this Article.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 15

This provision establishes the fundamental rule that a Controller is prohibited from disclosing Personal Data. Disclosure is only lawful if it falls under one of the specific, exhaustive exceptions listed in the Article. This creates a “closed list” of lawful bases, meaning any disclosure not meeting one of these conditions is illegal under the PDPL.

PDPL Article 15(1)

Disclosure Based On Explicit Consent

This provision allows the Controller to disclose personal data when the Data Subject has given their consent in accordance with the Law. The consent must meet all legal conditions and must clearly authorize the disclosure.

This ensures that the Data Subject retains control over whether their information is shared with another party.

PDPL Article 15(2)

Disclosure Of Publicly Available Data

This provision permits the Controller to disclose personal data that has been collected from a publicly available source.

Publicly available source refers to information that is lawfully accessible to the public, such as official records, public registries, or information individuals have intentionally made public.

Even though the personal data is publicly accessible, the disclosure must still comply with the PDPL and must not be excessive or inconsistent with the Law’s requirements. This ensures that the use of publicly available data remains appropriate and controlled while supporting legitimate operational needs.

PDPL Article 15(3)

Disclosure To A Public Entity For Official Duties

This provision allows disclosure when the requesting party is a Public Entity and the collection or processing of the personal data is required for public interest or security purposes, to implement another law, or to fulfill judicial requirements.

This ensures that public entities can obtain necessary data to perform their legally mandated functions.

PDPL Article 15(4)

Disclosure To Protect Public Health Or Safety

This provision permits disclosure when necessary to protect public health, public safety, or the lives or health of individuals.

The provision ensures that personal data may be shared in situations where disclosure is required to safeguard individuals or the community.

PDPL Article 15(5)

Disclosure For Non-Identifiable Subsequent Processing

This provision allows disclosure only if the subsequent processing by the recipient will be done in a form that makes it impossible to directly or indirectly identify the Data Subject (e.g., through anonymization).

This ensures that data can be shared for purposes like research or analytics while protecting the individual’s identity.

PDPL Article 15(6)

Disclosure for Legitimate Interests (Non-Sensitive Data Only)

This provision allows disclosure when necessary to achieve the legitimate interests of the Controller, provided the disclosure does not harm the rights or interests of the Data Subject and does not involve Sensitive Data.

It ensures legitimate interests may be supported while protecting individuals from undue risk.

Regulatory Controls For Disclosure

This provision requires the Regulations to define the controls and procedures for disclosures made under paragraphs 2 through 6.

This ensures that disclosures follow detailed requirements established by the Regulations.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can we disclose personal data to any third party if the user once agreed in the past?
Not automatically. Article 15 requires the disclosure to align with the purpose of collection or a clear legal basis. Past consent does not allow unlimited future disclosure unrelated to the original purpose.

What’s the difference between “processing by a Processor” and “disclosure” in Article 15?
Processing by a Processor is not considered “disclosure” when the Processor acts for the Controller’s benefit and on the Controller’s behalf. Disclosure refers to giving access to someone outside that relationship.

In e-commerce, can we share customer data with a marketing agency under the “permitted disclosure” rules?
Only if the disclosure fits an Article 15 ground, such as consent or a purpose directly connected to the original collection. A marketing agency outside the Controller–Processor chain usually requires careful justification.

Yes, Article 15 permits disclosure when required by another law. The rule of thumb is to confirm the legal obligation before relying on it.

If the Data Subject requests a service from a third party, can we disclose their data to enable that service?
Yes, Article 15 allows disclosure when the Data Subject requests it to obtain a service. The disclosure must be limited to what is needed for that request.

Does Article 15 allow sharing employee data with internal departments without calling it “disclosure”?
Internal sharing within the same Controller is generally not considered disclosure to a third party. Article 15 focuses on disclosure to parties outside the Controller or Processor relationship.

In fintech, can we disclose personal data to partners for fraud prevention under Article 15?
Only if the disclosure fits an allowed purpose, such as a legal requirement or a purpose consistent with the original collection. Fraud prevention may qualify depending on how the data was originally collected and the Regulations.

For healthcare providers in KSA, can patient data be disclosed to a lab or pharmacy?
Yes, if the disclosure aligns with the purpose for which the data was collected, such as treatment. The test is whether the disclosure is directly connected to the service requested by the patient.

Who decides whether a disclosure meets Article 15 conditions, the Controller or the vendor receiving the data?
The Controller decides, since it is responsible for ensuring the disclosure complies with Saudi PDPL. The receiving party cannot determine the legal basis on the Controller’s behalf.

Can a SaaS vendor classified as a Processor further disclose the data without the Controller’s decision?
No, a Processor may not disclose data unless instructed by the Controller under PDPL. Article 15 limits disclosure decisions to the Controller.

Common misconception: “Disclosure is allowed as long as the user is informed.” Is this correct under Saudi PDPL Article 15?
No, information alone does not make disclosure lawful. The disclosure must fall under a permitted Article 15 condition, not just be mentioned in a notice.

If we anonymize data before sharing, is it still considered disclosure under Article 15?
If the data is anonymized such that the person cannot be identified directly or indirectly, PDPL disclosure rules typically do not apply. If re-identification is possible, treat it as a regulated disclosure.
