Overview
"Personal Data Disclosure Cases: Second: Personal Data Collected from a Publicly Available Source" addresses the disclosure of Personal Data that has been collected from a publicly available source. Disclosure is permitted only where such public availability does not violate the Law or its Implementing Regulations, and where the disclosure is limited, purposeful, and subject to due diligence safeguards.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Second: Personal Data Collected from a Publicly Available Source
If the personal data was collected from a publicly available source, provided that such public availability was not in violation of the Law and its Implementing Regulations.
The Controller shall ensure that a request for disclosure is directly related to a specific and clearly defined purpose or subject matter. Due diligence shall be exercised to protect the privacy of the data subject or any other individual. Disclosure shall be limited to the minimum personal data necessary to achieve its purpose.
Moreover, the Controller disclosing personal data related to an individual other than the data subject shall be obligated to exercise due diligence and implement adequate safeguards to protect the privacy of that other individual.
Such measures shall include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Public Source Disclosure Conditions
This case permits disclosure where Personal Data has been collected from a publicly available source, provided that the public availability itself does not contravene the Law or its Implementing Regulations. Disclosure must be linked to a specific and clearly defined purpose or subject matter.
Due Diligence and Data Minimization
The Controller is required to exercise due diligence when disclosing such Personal Data, including limiting disclosure to the minimum Personal Data necessary to achieve the intended purpose and protecting the privacy of the Data Subject and any other individual concerned.
Protection of Other Individuals
Where disclosed Personal Data relates to an individual other than the Data Subject, the Controller must implement adequate safeguards to protect that individual’s privacy. These safeguards include balancing rights on a case-by-case basis and anonymizing Personal Data that directly identifies the other individual where possible.