KSAPDPL.COM


PDPL Implementing Regulation Article 20 – Disclosure of Personal Data

Overview

PDPL Implementing Regulation Article 20 establishes strict requirements for when and how Personal Data may be disclosed, including disclosures from publicly available sources, disclosures for specific purposes, and disclosures requested by public authorities. The Article requires Controllers to apply purpose limitation, data minimization, documentation, pseudonymisation where possible, and adequate safeguards to protect both Data Subjects and other individuals whose data may be affected.

It also regulates disclosures based on Legitimate Interest and requires Controllers to record all disclosure operations.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 20: Disclosure of Personal Data

  1. Disclosure of data collected from publicly available sources under paragraph (2) of Article 15 of the Law is conditional upon ensuring that such Disclosure to the public has not been carried out in violation of the provisions of the Law and its Regulations.

  2. Except for the circumstances provided in paragraphs (3) and (4) of Article 15 of the Law, the Controller shall consider the following when disclosing Personal Data:

    • Disclosure request is closely related to a specific and clear purpose or subject.

    • Necessary care shall be provided to protect the privacy of the Data Subject or any other individual.

    • Disclosure is limited to the minimum amount of Personal Data necessary to achieve the purpose.

  3. When disclosing Personal Data in response to a request from a public authority for security purposes, or to implement another law, or to satisfy legal requirements, or if the disclosure is necessary to protect public health, public safety, or to protect the life or specific individuals' health, the following measures shall be taken:

    1. Document the request for Disclosure.

    2. Accurately identify the type of Personal Data required to be disclosed.

  4. Except as provided in paragraphs (3) and (4) of Article 15 of the Law, when disclosing Personal Data related to another person who is not the Data Subject, the Controller shall take necessary care and provide sufficient guarantees to ensure the privacy of the other individual is preserved and not violated. This includes considering the following steps:

    1. Balance between the rights of the Data Subject and the rights of any other person in each case separately.

    2. Pseudonymisation of Personal Data that indicates the identity of another individual whenever possible.

  5. When disclosing Personal Data to achieve a Legitimate Interest of the Controller, the Controller shall comply with the provisions of Article 16 of this Regulation.

  6. The Controller shall include Disclosure operations in the records of Personal Data Processing activities, document the dates, methods, and purposes of Disclosure.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 20(1)

Public Source Disclosure Rules

This provision requires the Controller to ensure that any disclosure of data collected from publicly available sources is lawful. It makes disclosure conditional on verifying that the data was originally published without violating the Law or its Regulations.

Article 20(2)

General Disclosure Conditions

This provision requires Controllers to apply three principles when disclosing Personal Data. The disclosure must relate to a specific purpose, appropriate care must be taken to protect privacy, and the scope of disclosed Personal Data must be limited to what is necessary to fulfil the purpose.

Article 20(2)(a)

Specific Purpose Link

This provision requires the Controller to ensure that each disclosure request is tied to a specific and clear purpose or subject before releasing Personal Data.

Article 20(2)(b)

Privacy Protection Duty

This provision requires the Controller to take necessary care to protect the privacy of the Data Subject and any other individual when disclosing Personal Data.

Article 20(2)(c)

Minimum Disclosure Principle

This provision requires the Controller to limit the disclosed Personal Data to the minimum amount necessary to achieve the intended purpose.

Article 20(3)

Public Authority Disclosure Measures

This provision sets requirements when Personal Data is disclosed to public authorities for security, legal, or public health purposes. The Controller must follow specific measures before releasing data.

Article 20(3)(a)

Document Disclosure Requests

This provision requires the Controller to document the public authority request before disclosing Personal Data.

Article 20(3)(b)

Identify Required Data

This provision requires the Controller to accurately identify the type of Personal Data that must be disclosed to meet the authority’s request.

Article 20(4)

Protect Disclosure to Third Parties

This provision applies when Personal Data to be disclosed belongs to someone other than the Data Subject. It requires the Controller to take necessary care and provide safeguards to protect that individual’s privacy.

Article 20(4)(a)

Balance Rights Carefully

This provision requires the Controller to balance the rights of the Data Subject and the rights of other individuals on a case-by-case basis before disclosing Personal Data.

Article 20(4)(b)

Use Pseudonymisation

This provision requires the Controller to apply pseudonymisation whenever possible to avoid disclosing information that directly identifies another person.

Article 20(5)

Legitimate Interest Disclosure

This provision requires Controllers to follow the requirements of Article 16 when Personal Data is disclosed for a Legitimate Interest of the Controller.

Article 20(6)

Record Disclosure Operations

This provision requires the Controller to document all disclosure operations. The records must include the dates, methods, and purposes of each disclosure as part of the Personal Data Processing activities.
