Personal Data Disclosure Cases Guideline
Introduction
In fulfillment of its mandate to raise awareness among entities subject to the provisions of the Personal Data Protection Law (the “Law”) and its Implementing Regulations, and to enable those entities to understand their obligations under Articles (15) and (16) of the Law and Article (20) of the Implementing Regulations, the Saudi Data & AI Authority (SDAIA) has issued this Guideline to assist entities in determining the cases and restrictions of personal data disclosure.
This Guideline also provides clarifications regarding the restrictions on personal data disclosure. The terms and phrases used in this Guideline shall be construed in accordance with the definitions provided in the Law and its Implementing Regulations. This Guideline shall not be considered a binding legal document, nor shall it substitute consulting the Law and its Implementing Regulations, which shall constitute the regulatory reference for all matters related to the application of the Law’s provisions.
Objectives
This Guideline aims to:
- Assist entities in implementing the provisions of the Law.
- Encourage entities to adopt best practices for personal data disclosure.
- Provide clarifications to assist Controllers in implementing the personal data disclosure provisions of the Law and its Implementing Regulations.
- Protect the privacy of Data Subjects.
Personal Data Disclosure Cases
The Controller shall not disclose personal data, except in the following cases:
First: Consent of the Personal Data Subject
If the personal data subject provides consent for the disclosure of their personal data in accordance with the Law’s provisions.
Second: Personal Data Collected from a Publicly Available Source
If the personal data was collected from a publicly available source, provided that such public availability was not in violation of the Law and its Implementing Regulations. The Controller shall ensure that a request for disclosure is directly related to a specific and clearly defined purpose or subject matter. Due diligence shall be exercised to protect the privacy of the data subject or any other individual. Disclosure shall be limited to the minimum personal data necessary to achieve its purpose. Moreover, the Controller disclosing personal data related to an individual other than the data subject shall be obligated to exercise due diligence and implement adequate safeguards to protect the privacy of that other individual. Such measures shall include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual.
Third: Disclosure is Requested by a Public Entity to Serve a Public Interest, for Security Purposes, to Implement Another Law, or to Fulfill Judicial Requirements
If the data disclosure request is made by a public entity, and the disclosure is required to serve a public interest, for security purposes, to implement another law, or to fulfill judicial requirements. The Controller shall document the disclosure request and precisely specify the type of personal data to be disclosed. When a public entity requests personal data disclosure to serve a public interest, it shall ensure that:
- Such disclosure is strictly necessary for a clearly defined public interest.
- The public interest is related to its statutory powers and duties.
- Appropriate measures are taken to mitigate any potential harm, including the implementation of necessary administrative and technical controls to ensure compliance of its personnel with the provisions of Article (41) of the Law.
- These processes are recorded in the personal data processing activities records.
- Only the minimum amount of personal data necessary to fulfill the purpose is collected and processed.
Fourth: Disclosure is Necessary to Safeguard Public Health, Public Safety, or the Life or Health of Specific Individuals
If personal data disclosure is necessary to protect public health, public safety, or the life or health of specific individuals. The Controller shall document the disclosure request and precisely specify the type of personal data to be disclosed.
Fifth: Disclosure is Limited to Subsequent Personal Data Processing that Does Not Result in the Identification of the Personal Data Subject or Any Other Individual in Particular
If the disclosure is limited to subsequent data processing that does not lead to identifying the data subject or any other individual in particular. The Controller shall ensure that a request for disclosure is directly related to a specific and clearly defined purpose or subject matter. Due diligence shall be exercised to protect the privacy of the data subject or any other individual. Disclosure shall be limited to the minimum personal data necessary to achieve its purpose. Moreover, the Controller disclosing personal data related to an individual other than the data subject shall be obligated to exercise due diligence and implement adequate safeguards to protect the privacy of that other individual. Such measures shall include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual.
Sixth: Disclosure is Necessary to Achieve the Controller’s Legitimate Interests
If the disclosure is necessary to achieve the Controller's legitimate interests, without prejudice to the rights and interests of the data subject, and provided that the disclosed data is not sensitive. The Controller shall ensure that a request for disclosure is directly related to a specific and clearly defined purpose or subject matter. Due diligence shall be exercised to protect the privacy of the data subject or any other individual. Disclosure shall be limited to the minimum personal data necessary to achieve its purpose. Moreover, the Controller disclosing personal data related to an individual other than the data subject shall be obligated to exercise due diligence and implement adequate safeguards to protect the privacy of that other individual. Such measures shall include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual.
In addition to the above, when a Controller discloses personal data to achieve a legitimate interest, the following conditions must be met:
A) The purpose must not contravene any laws or regulations in the Kingdom.
B) The rights and interests of the data subject must be balanced against the legitimate interests of the Controller, such that the Controller’s interests do not unduly prejudice the rights and interests of the data subject.
C) The processing must not involve sensitive data.
D) The processing must be within the reasonable expectations of the data subject.
For example, detecting fraudulent activities and safeguarding network and information security are considered legitimate interests.
Prior to processing personal data, including disclosure for a legitimate interest, the Controller must conduct and document an assessment of the proposed processing and its impact on the rights and interests of data subjects. The assessment shall specifically comprise the following:
A) The proposed processing activities, their purpose, the types of data involved, and the categories of data subjects.
B) An evaluation of the purpose to ensure its legitimacy and compliance with all applicable laws in the Kingdom.
C) A determination of whether the personal data processing is strictly necessary to achieve the Controller's legitimate purpose.
D) An assessment of whether the proposed processing presents any harm to the data subjects' interests or ability to exercise their statutory rights.
E) An assessment of whether any measures are required to mitigate potential risks or harms, in accordance with Paragraph (2) of Article (25) of the Implementing Regulations.
If the assessment demonstrates that the proposed processing would, in any way, violate any laws or regulations, infringe upon the rights and interests of data subjects, or cause harm to them or any other party, the Controller shall modify the proposed processing and conduct a new assessment, or consider relying on another legal basis.
Restrictions on the Disclosure of Personal Data
The Controller shall not disclose personal data whenever the disclosure meets any of the following criteria:
- If the disclosure poses a threat to security, tarnishes the Kingdom's reputation, or conflicts with the Kingdom’s interests.
- If the disclosure affects the Kingdom’s relations with another country.
- If the disclosure prevents the detection of a crime, prejudices a defendant's right to a fair trial, or affects criminal proceedings.
- If the disclosure endangers the safety of one or more individuals.
- If the disclosure would be a violation of the privacy of an individual other than the data subject, as stipulated by the regulations.
- If the disclosure conflicts with the interest of an incompetent person.
- If the disclosure breaches professional obligations established by the Law.
- If the disclosure involves a breach of an obligation, a procedure, or a judgment.
- If the disclosure reveals the identity of a confidential source of information whose identity it is in the public interest not to disclose.
These restrictions do not apply to disclosure activities in the following cases:
- If the data disclosure request is made by a public entity, and the disclosure is required to serve a public interest, for security purposes, to implement another law, or to fulfill judicial requirements.
- If personal data disclosure is necessary to protect public health, public safety, or the life or health of specific individuals.
General Guidelines
- The Controller shall include personal data disclosure activities in the personal data processing activities records, as well as document their dates, methods, and purposes.
- The Controller shall comply with the requirements for transferring personal data outside the Kingdom when disclosing personal data in accordance with the requirements and circumstances stipulated in the Law and Regulations.