PDPL Article 15 says that, as a rule, controllers are not allowed to disclose personal data unless one of the legally defined exceptions applies. Disclosure means giving access to the data to someone other than the controller or processor. Article 15 lists six situations where disclosure is legally permitted, such as with consent, public interest, or when the data is anonymized.
Controllers can only disclose personal data in specific, limited situations, like with consent, for public safety, or when data is anonymized.
The Controller may not Disclose Personal Data except in the following situations:
Saudi PDPL Article 15 (1)
Consent-Based Disclosure
Data Subject consents to the Disclosure in accordance with the provisions of the Law.
Saudi PDPL Article 15 (2)
Publicly Available Data
Personal Data has been collected from a publicly available source.
Saudi PDPL Article 15 (3)
Public Entity Request
The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, to fulfill judicial requirements.
Saudi PDPL Article 15 (4)
Public Health Exception
The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
Saudi PDPL Article 15 (5)
Anonymized Data Disclosure
The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.
Saudi PDPL Article 15 (6)
Legitimate Interest (Non-Sensitive)
The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.
Saudi PDPL Article 15 (7)
Add Sector-Specific Details
Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed. The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.
Explanation of Saudi PDPL Article 15
Disclosure is allowed if the data subject consents under the PDPL:
Saudi PDPL Article 15 (1) says that, the data subject must clearly agree to the disclosure of their data, and the consent must meet the requirements of the PDPL.
Disclosure is allowed if the data is from public sources:
Saudi PDPL Article 15 (2) says that, if the personal data came from a publicly available source, the controller can disclose it.
Disclosure is permitted for legal, security, or public interest purposes:
Saudi PDPL Article 15 (3) says that, if a government body requests the data for law enforcement, security, or legal requirements, the controller may disclose it.
Disclosure is allowed to protect health or safety:
Saudi PDPL Article 15 (4) says that, disclosure is permitted when necessary to protect public health or the life/health of a specific person.
Disclosure is allowed if the data can’t identify the person:
Saudi PDPL Article 15 (5) says that, if the data is anonymized so that no one can identify the individual (directly or indirectly), disclosure is allowed.
Disclosure is allowed for controller’s valid interest if no sensitive data is involved
Saudi PDPL Article 15 (6) says that, disclosure is permitted if it serves the controller’s legitimate interest, doesn’t harm the data subject, and no sensitive data is included.
Additional required disclosures may apply depending on the controller’s activity:
Saudi PDPL Article 13 (7) says that, based on the industry or type of activity, the Regulations may require extra disclosures the controller must include during collection.
