Overview
PDPL Implementing Regulation Article 15 explains the conditions that apply when a Controller processes Personal Data collected from sources other than the Data Subject.
It sets criteria for necessity, proportionality, and protection of the Data Subject’s Rights (DSR). It also clarifies the requirements for relying on publicly available data and references the anonymisation obligations that apply when processing under Article 10.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 15: Collecting Data from Third Parties
- Except for what is stated in Paragraph (3) of Article (10) of the Law, when Processing Personal Data collected from sources other than the Data Subject directly, the Controller shall consider the following:
- Processing shall be necessary and proportionate to the specified purpose.
- Processing shall not affect the rights and interests of the Data Subject.
- When Processing Personal Data in accordance with paragraph (2) of Article (10) of the Law, the Controller shall ensure that such data Collection from a publicly available source is lawful.
- When Processing Personal Data in accordance with paragraph (6) of Article (10) of the Law, the Controller shall consider the provisions of Article (9) of this Regulation regarding Anonymisation.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 15(1)
Conditions For Third Party Data
This provision establishes the conditions that apply when a Controller processes Personal Data collected from sources other than the Data Subject. It requires the Controller to ensure that the processing is necessary and proportionate to the intended purpose.
It also requires the Controller to make sure that processing does not negatively affect the rights or interests of the Data Subject.
Article 15(1)(a)
Necessity And Proportionality
Article 15(1)(b)
Protection Of Data Subject Rights (DSR)
This provision requires the Controller to ensure that processing Personal Data sourced from third parties does not harm the rights and interests of the Data Subject. It maintains the requirement that safeguards remain in place even when data is not collected directly from the individual.
Article 15(2)
Lawful Public Source Collection
This provision requires the Controller to verify that collecting Personal Data from a publicly available source is lawful when processing under paragraph (2) of Article 10 of the Law. It ensures that the source and method of collection comply with the legal requirements associated with publicly available data.
Article 15(3)
Anonymisation Requirements Apply
This provision requires the Controller to consider the anonymisation obligations set out in Article 9 of the Regulation when processing under paragraph (6) of Article 10 of the Law. It ensures that the applicable anonymisation requirements are applied consistently during such processing.
