KSAPDPL.COM

Saudi PDPL Article 16 – Prohibited Personal Data Disclosures Despite Exceptions

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 16 identifies the situations where a Controller is strictly prohibited from disclosing Personal Data, even when an exception under Article 15 could otherwise apply. These prohibitions act as overriding safeguards that protect national security, foreign relations, criminal procedure integrity, individual safety, privacy rights, the interests of individuals who fully or partially lack legal capacity, professional confidentiality, judicial integrity, and confidential informants.

This Article reinforces the PDPL’s commitment to preventing harm and upholding the highest legal and ethical standards in data processing.

SDAIA's Official PDPL Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 16

The Controller shall not disclose Personal Data in the situations stated in Paragraphs (1, 2, 5) and (6) of Article (15) if the Disclosure:

  1. Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.

  2. Affects the Kingdom’s relations with any other state.

  3. Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.

  4. Compromises the safety of an individual.

  5. Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.

  6. Conflicts with the interests of a person that fully or partially lacks legal capacity.

  7. Violates legally established professional obligations.

  8. Involves a violation of an obligation, procedure, or judicial decision.

  9. Exposes the identity of a confidential source of information in a manner detrimental to the public interest.

Plain-Language PDPL Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

PDPL Article 16

Article 16 establishes absolute prohibitions that override the permitted disclosure conditions in Article 15. Even if a disclosure would be allowed under Article 15, it is strictly forbidden if it falls under any of the following nine scenarios.

PDPL Article 16(1)

Restrictions Related to National Security and Public Interest

This provision prohibits disclosure if it would represent a threat to the Kingdom’s security, harm its reputation, or conflict with its national interests, that is, acts that could undermine state security, damage the Kingdom’s public image or credibility, or work against its fundamental national objectives.

This establishes the protection of the Kingdom’s sovereign and strategic interests as the highest priority, overriding any other basis for data disclosure.

PDPL Article 16(2)

Restrictions Related to Foreign Relations

This provision prohibits disclosure if it could strain diplomatic ties, compromise international negotiations, or otherwise negatively impact the Kingdom’s relationships with other nations.

This safeguards the Kingdom’s foreign policy and diplomatic engagements from being undermined by data disclosures.

PDPL Article 16(3)

Restrictions Related to Criminal Justice Protection

This provision prohibits disclosure when it would prevent the detection of a crime, interfere with the rights of an accused person to a fair trial, or undermine the integrity of existing criminal procedures. Controllers must refuse disclosure if sharing Personal Data would compromise investigations, evidence handling, or the fairness of judicial proceedings.

This rule ensures that Personal Data is not disclosed in a way that harms criminal justice processes.

PDPL Article 16(4)

Restrictions Related to Individual Safety

This provision prohibits disclosure if it could lead to physical harm, intimidation, threats, or any form of endangerment to an individual.

This prohibition ensures that Personal Data cannot be shared in ways that compromise safety, regardless of any other legal basis for disclosure.

PDPL Article 16(5)

Violation of a Third Party’s Privacy

This provision prohibits disclosure if it would reveal personal information about someone other than the primary Data Subject, thereby infringing upon that other individual’s privacy rights. The Implementing Regulations specify the necessary measures to prevent this, such as requiring Controllers to balance the rights involved and apply pseudonymisation to the third party’s data where possible.

This prevents the rights of one individual from being violated as a consequence of disclosing another individual’s data, with specific technical and procedural safeguards mandated by the Regulations.

PDPL Article 16(6)

Restrictions Related to Individuals Lacking Legal Capacity

This provision prohibits disclosure when it would adversely affect the interests of persons who partially or fully lack legal capacity, including minors or individuals with cognitive impairments. Controllers have a heightened obligation to safeguard the rights and welfare of such individuals.

The rule ensures that vulnerable persons are not placed at risk through the disclosure of their Personal Data.

PDPL Article 16(7)

Restrictions Related to Professional Confidentiality

This provision prevents disclosure when doing so would breach a confidentiality obligation arising from the Controller’s official duties. This protection extends to professional secrecy, including legal, medical, financial, or other regulated professions where confidentiality is an essential component of service delivery.

Controllers must withhold disclosure whenever such obligations are implicated.

PDPL Article 16(8)

Restrictions Related to Judicial and Procedural Compliance

This provision prohibits disclosure if the disclosure would itself violate a specific law, contravene an established administrative process, or disobey a direct order from a court or competent authority.

This ensures that data disclosure does not violate other binding legal, judicial, or regulatory requirements.

PDPL Article 16(9)

Restrictions Related to Protected Informants and Confidential Sources

This provision prevents disclosure when it would reveal the identity of confidential informants, whistleblowers, or any individuals who provide information under protective circumstances. The rule safeguards individuals who assist in investigations or public-interest reporting by ensuring that their identity remains secure.

It applies even when other disclosure conditions under Article 15 are satisfied.

Frequently Asked Questions (FAQs)

Under the Saudi Personal Data Protection Law (KSA PDPL), can a business disclose personal data if it fits an exception but might still harm the person?
No. Article 16 makes clear that even if an exception applies, disclosure is prohibited when it could harm the Data Subject. The rule of thumb is: exceptions never override protection from harm.

If a user has given consent in the past, can we still be blocked from disclosing their data under Article 16?
Yes. Consent does not remove the Article 16 prohibition. If the disclosure could harm the Data Subject, it must not occur even with consent.

In HR, can employee data be shared with an external consultant if the sharing technically fits an Article 15 exception?
Only if the disclosure would not harm the employee. Article 16 overrides other exceptions when harm is likely.

Does Article 16 apply to all forms of disclosure, including verbal or accidental?
Yes. The prohibition applies regardless of format. If the disclosure creates a risk of harm, it cannot be permitted.

In e-commerce, can we share customer data with a logistics partner even if there is a small risk of harm?
You can only share it if the disclosure does not cause harm and fits a valid permitted ground. If the risk of harm is real, Article 16 blocks the disclosure.

Does Article 16 mean a Saudi business must perform a “harm check” before every disclosure?
In practice, yes. A business must consider whether the disclosure could harm the Data Subject. Article 16 makes harm prevention a strict requirement.

For a SaaS provider acting as a Processor, who decides whether a disclosure is prohibited under Article 16?
The Controller decides, because only the Controller determines whether a disclosure meets PDPL conditions. A Processor should not disclose without the Controller’s instruction.

In healthcare, does Article 16 stop hospitals from sharing patient data with external labs?
Not if the sharing is necessary for treatment and does not harm the patient. Article 16 only blocks disclosures where harm is a likely outcome.

Does Article 16 apply to disclosures required by another Saudi law?
Yes, but the prohibition relates to harm. If the law requires disclosure, the Controller must ensure the disclosure itself does not create prohibited harm.

Common misconception: “If an exception applies, we are always safe to disclose.” Is that true under KSA PDPL Article 16?
No. Article 16 specifically blocks disclosures even when exceptions apply if harm is involved. Harm prevention overrides all permitted disclosure bases.

If we anonymize personal data before sharing it, does Article 16 still restrict disclosure?
If the data is truly anonymized and cannot be linked back to the individual, Article 16 generally does not apply. If re-identification is possible, treat it as a disclosure that must pass the harm test.

Does Article 16 affect internal data sharing within the same organization?
Article 16 applies to disclosure, which generally involves sharing outside the Controller or Processor structure. If the internal sharing still amounts to disclosure and risks harming the Data Subject, the prohibition would apply.
