KSAPDPL.COM

Saudi PDPL Article 15 – Permitted Personal Data Disclosure Conditions

Overview

Article 15 of the Personal Data Protection Law (PDPL) defines the limited situations in which a Controller may disclose personal data to another party. Disclosure is generally prohibited unless a permitted condition applies, such as explicit consent, public data sources, governmental requests, public health needs, legal requirements, or legitimate interests that do not involve sensitive data.

The Article also requires the Regulations to set out the controls and procedures governing disclosures made under these permitted conditions.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 15

The Controller may not Disclose Personal Data except in the following situations:

  1. Data Subject consents to the Disclosure in accordance with the provisions of the Law.

  2. Personal Data has been collected from a publicly available source.

  3. The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, to fulfill judicial requirements.

  4. The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.

  5. The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.

  6. The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (6) of this Article.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 15

This provision establishes the fundamental rule that a Controller is prohibited from disclosing Personal Data. Disclosure is only lawful if it falls under one of the specific, exhaustive exceptions listed in the Article. This creates a “closed list” of lawful bases, meaning any disclosure not meeting one of these conditions is illegal under the PDPL.

Article 15(1)

Disclosure Based On Explicit Consent

This provision allows the Controller to disclose personal data when the Data Subject has given their consent in accordance with the Law. The consent must meet all legal conditions and must clearly authorize the disclosure.

This ensures that the Data Subject retains control over whether their information is shared with another party.

Article 15(2)

Disclosure Of Publicly Available Data

This provision permits the Controller to disclose personal data that has been collected from a publicly available source.

Publicly available source refers to information that is lawfully accessible to the public, such as official records, public registries, or information individuals have intentionally made public.

Even though the personal data is publicly accessible, the disclosure must still comply with the PDPL and must not be excessive or inconsistent with the Law’s requirements. This ensures that the use of publicly available data remains appropriate and controlled while supporting legitimate operational needs.

Article 15(3)

Disclosure To A Public Entity For Official Duties

This provision allows disclosure when the requesting party is a Public Entity and the personal data is required for public interest or security purposes, to implement another law, or to fulfill judicial requirements.

This ensures that public entities can obtain necessary data to perform their legally mandated functions.

Article 15(4)

Disclosure To Protect Public Health Or Safety

This provision permits disclosure when necessary to protect public health, public safety, or the lives or health of individuals.

The provision ensures that personal data may be shared in situations where disclosure is required to safeguard individuals or the community.

Article 15(5)

Disclosure For Non-Identifiable Subsequent Processing

This provision allows disclosure only if the subsequent processing by the recipient will be done in a form that makes it impossible to directly or indirectly identify the Data Subject (e.g., through anonymization).

This ensures that data can be shared for purposes like research or analytics while protecting the individual’s identity.

Article 15(6)

Disclosure for Legitimate Interests (Non-Sensitive Data Only)

This provision allows disclosure when necessary to achieve the legitimate interests of the Controller, provided the disclosure does not harm the rights or interests of the Data Subject and does not involve Sensitive Data.

It ensures legitimate interests may be supported while protecting individuals from undue risk.

Regulatory Controls For Disclosure

This provision requires the Regulations to define the controls and procedures for disclosures made under paragraphs 2 through 6.

This ensures that disclosures follow detailed requirements established by the Regulations.
