PDPL Article 16 says that even if Article 15 allows disclosure of personal data in certain cases (e.g., public interest, consent, legitimate interest), Article 16 prohibits disclosure if it creates specific risks or harms. The controller must evaluate whether the disclosure would violate national security, legal integrity, individual safety, or other protected interests.
Disclosure is forbidden—even if normally allowed—when it would harm national interests, legal processes, safety, or privacy.
The Controller shall not disclose Personal Data in the situations stated in Paragraphs (1, 2, 5) and (6) of Article (15) if the Disclosure:
Saudi PDPL Article 16 (1)
National Security Threat
Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
Saudi PDPL Article 16 (2)
Foreign Relations Risk
Affects the Kingdom’s relations with any other state.
Saudi PDPL Article 16 (3)
Criminal Justice Impact
Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
Saudi PDPL Article 16 (4)
Individual Safety Risk
Compromises the safety of an individual.
Saudi PDPL Article 16 (5)
Third-Party Privacy Violation
Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
Saudi PDPL Article 16 (6)
Vulnerable Person Impact
Conflicts with the interests of a person that fully or partially lacks legal capacity.
Saudi PDPL Article 16 (7)
Breach of Professional Confidentiality
Violates legally established professional obligations.
Saudi PDPL Article 16 (8)
Breach of Legal Orders
Involves a violation of an obligation, procedure, or judicial decision.
Saudi PDPL Article 16 (9)
Exposure of Confidential Sources
Exposes the identity of a confidential source of information in a manner detrimental to the public interest.
Interpretation of Saudi PDPL Article 16
Disclosure is barred if it harms national interests or reputation:
Saudi PDPL Article 16 (1) says that, you cannot disclose personal data if it could damage the Kingdom’s security, global reputation, or core interests.
Disclosure is barred if it damages Saudi Arabia’s relations with other countries
Saudi PDPL Article 16 (2) says that, disclosure must be prevented if it negatively impacts diplomatic or foreign relations.
Disclosure is barred if it obstructs justice or fair trial rights
Saudi PDPL Article 16 (3) says that, you must not disclose data if it could interfere with criminal investigations or court fairness.
Disclosure is barred if it endangers someone’s safety
Saudi PDPL Article 16 (4) says that, if disclosure might put someone in danger, even indirectly, it is not permitted.
Disclosure is barred if it violates another person’s privacy
Saudi PDPL Article 16 (5) says that, personal data must not be disclosed if it could expose another individual’s private information, even if they aren’t the data subject.
Disclosure is barred if it affects someone lacking full legal capacity
Saudi PDPL Article 16 (6) says that, you cannot disclose data if it harms the interests of someone who is partially or fully incapable of protecting their rights (e.g., minors).
Disclosure is barred if it violates legal professional obligations
Saudi PDPL Article 16 (7) says that, disclosure is prohibited if it would break legally protected confidentiality, such as doctor–patient or attorney–client relationships.
Disclosure is barred if it conflicts with legal/judicial decisions
Saudi PDPL Article 16 (8) says that, if a law, procedure, or court order restricts disclosure, the controller must comply and not disclose the data.
Disclosure is barred if it reveals protected whistleblowers or informants
Saudi PDPL Article 16 (9) says that, you must not disclose data that would reveal the identity of a confidential source, especially if it harms public interest or safety.
