PDPL Article 17 requires controllers to notify all third parties who received personal data when that data is corrected, completed, or updated. The purpose is to ensure that inaccurate or outdated data isn’t used elsewhere.
Additionally, the Regulations will define the timeline for making corrections, the accepted types of changes, and procedures for avoiding harm caused by inaccurate data.
Saudi PDPL Article 17 (1)
Notify Data Recipients
If Personal Data is corrected, completed or updated, the Controller shall notify such amendment to all the other entities to which such Personal Data has been transferred and make the amendment available to such entities.
Saudi PDPL Article 17 (2)
Set Correction Procedures
The Regulations shall set out the time frames for correction and updating of Personal Data, types of correction, and the procedures required to avoid the consequences of Processing incorrect, inaccurate or outdated Personal Data.
Explanation of Saudi PDPL Article 16
Disclosure is barred if it harms national interests or reputation:
Saudi PDPL Article 16 (1) says that, you cannot disclose personal data if it could damage the Kingdom’s security, global reputation, or core interests.
Disclosure is barred if it damages Saudi Arabia’s relations with other countries
Saudi PDPL Article 16 (2) says that, disclosure must be prevented if it negatively impacts diplomatic or foreign relations.
Disclosure is barred if it obstructs justice or fair trial rights
Saudi PDPL Article 16 (3) says that, you must not disclose data if it could interfere with criminal investigations or court fairness.
Disclosure is barred if it endangers someone’s safety
Saudi PDPL Article 16 (4) says that, if disclosure might put someone in danger, even indirectly, it is not permitted.
Disclosure is barred if it violates another person’s privacy
Saudi PDPL Article 16 (5) says that, personal data must not be disclosed if it could expose another individual’s private information, even if they aren’t the data subject.
Disclosure is barred if it affects someone lacking full legal capacity
Saudi PDPL Article 16 (6) says that, you cannot disclose data if it harms the interests of someone who is partially or fully incapable of protecting their rights (e.g., minors).
Disclosure is barred if it violates legal professional obligations
Saudi PDPL Article 16 (7) says that, disclosure is prohibited if it would break legally protected confidentiality, such as doctor–patient or attorney–client relationships.
Disclosure is barred if it conflicts with legal/judicial decisions
Saudi PDPL Article 16 (8) says that, if a law, procedure, or court order restricts disclosure, the controller must comply and not disclose the data.
Disclosure is barred if it reveals protected whistleblowers or informants
Saudi PDPL Article 16 (9) says that, you must not disclose data that would reveal the identity of a confidential source, especially if it harms public interest or safety.
