Overview
General Rules for Secondary Use of Data – Fifth: Mechanism for Establishing Controls for Secondary Use of Data explains how entities must establish and apply controls when processing data for secondary use in Saudi Arabia. It outlines the procedural requirements, approval mechanisms, licensing rules, and minimum data principles that Applicants and Data Sharing Entities must follow before any secondary-use data sharing can proceed.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Fifth: Mechanism for Establishing Controls for Secondary Use of Data
This mechanism shall consider all procedures stipulated in the Policy for defining data sharing controls, including compliance with data classification levels and restrictions related to the confidentiality of government data. In addition, the Parties involved in data sharing for secondary use of data requests shall comply with the following:
- Prior to initiating any data sharing process for the purposes of secondary use of data, the Applicant shall comply with the following rules and requirements:
- The purpose of data sharing shall be legitimate and adhere to the principles established in these Rules, ensuring alignment with objectives aimed at serving the public interest or promoting research, development, and innovation, while explicitly excluding profit-oriented purposes.
- The content of the requested data shall be strictly confined to the minimum necessary for fulfilling the purpose of the data sharing request.
- The submission of a data sharing request shall, as a general principle, be directed to the Data Source Entity. In cases where the request is submitted to an entity other than the Data Source Entity or its delegated authority, the Applicant shall provide sufficient evidence demonstrating the approval of the Data Source Entity.
- If the data sharing request is made between government entities, such requests shall be subject to the procedures outlined in the Data Sharing Policy.
- If the data sharing request is submitted by a private entity to a government entity, the applicant shall obtain a use license from the Data Sharing Entity in accordance with a mechanism established by the Office. The applicant shall be obligated to utilize the data strictly in accordance with the terms and conditions set forth in the license.
- In cases where the Applicant is an individual affiliated with a research or academic institution, the request shall be submitted through the Applicant’s affiliated institution or the entity sponsoring the research for which data sharing is required. Written evidence of approval from the Applicant’s academic authority must be furnished prior to submitting the data sharing request for the purposes of secondary use of data.
- The Applicant shall ensure that the content of the request is clearly detailed at the time of submission using the Data Sharing Request Form prepared pursuant to the Policy, to avoid any incomplete or missing information that may result in the rejection of the request.
- If the data sharing request relates to a research questionnaire, the applicant shall attach the questionnaire to the Data Sharing Request Form.
- The Data Sharing Entity reserves the right to incorporate provisions concerning intellectual property rights and commercial confidentiality within the Usage License, when necessary.
- The Data Sharing Entity shall assess the submitted request in accordance with the requirements set forth in Paragraph (1) of this Article.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Alignment with Existing Controls and Classification Requirements
The mechanism builds on the procedures already defined in the Data Sharing Policy. It reinforces compliance with data classification rules and obligations related to the confidentiality of government data.
Applicant Requirements Before Request Submission
Before any secondary-use data sharing can begin, the Applicant must meet three conditions. The purpose must be legitimate and aligned with public interest or research, development, and innovation, while excluding profit-driven uses. Requested data must be limited to the minimum necessary. The request must normally be made to the original Data Source Entity, and if not, formal proof of that entity’s approval is required.
Government-to-Government Data Sharing
When two government entities are involved, the request must follow procedures already set out in the Data Sharing Policy.
Requests from Private Entities
Private entities requesting data from government bodies must obtain a usage license from the Data Sharing Entity. Once issued, the data may only be used within the boundaries of the license terms.
Academic and Research Requests
If the Applicant is a researcher or academic, the request must be submitted by the affiliated institution. The academic authority must provide written approval before submission.
Complete and Clear Request Content Requirements
Requests must be fully detailed using the standard Data Sharing Request Form. Missing or incomplete information may result in rejection.
Requests That Include Questionnaires
When a research questionnaire is part of the project, it must be submitted as an attachment to the Request Form.
Intellectual Property and Confidentiality Safeguards
The Data Sharing Entity may include intellectual property and commercial confidentiality requirements in the usage license if needed.
Assessment by the Data Sharing Entity
The Data Sharing Entity is responsible for evaluating the request against the Applicant obligations listed in Paragraph (1).
