Data Retention and Destruction Policies | Saudi PDPL

saudi-pdpl.com

Article 15

The Controller may not Disclose Personal Data except in the following situations:

  1. Data Subject consents to the Disclosure in accordance with the provisions of the Law.
  2. Personal Data has been collected from a publicly available source.
  3. The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
  4. The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
  5. The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.
  6. The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (6) of this Article.

FAQs

The Controller may only share your data under specific conditions: 

  • With your consent: This is the primary basis. Unless you explicitly agree, they can’t disclose it.
  • Public data: If the data is already publicly accessible, it can be shared without additional consent. 
  • Public-interest requests: If a government or judicial authority legally requests it for reasons like national security, law enforcement, or public safety, the Controller must comply. 
  • Protecting public health or safety: Disclosure is allowed when necessary to safeguard lives or address serious health threats. 
  • Legitimate interests: The Controller may share data when necessary for its legitimate business purposes provided the data is not sensitive, your rights aren’t harmed, and they’ve carefully justified the need.

Before disclosing any personal data, the Controller must: 

  • Verify the legal basis: Confirm that consent exists, that the data is public, or that the request is officially required for legal, public-interest, or safety reasons.
  • Evaluate impact on your rights: Ensure that the disclosure won’t harm your privacy or other fundamental rights. 
  • Anonymize if possible: If disclosure is for legitimate interests, and the data can be anonymized to prevent identification, that step should be taken.  
  • Keep a record: Document the reason, legal justification, date, and recipient of the disclosure to maintain transparency and prove compliance. 

If you suspect improper disclosure: 

  • Ask the Controller for an explanation: You’re entitled to ask why they shared your data, under what legal basis, and whether your rights were considered.
  • File a complaint with SDAIA: If their explanation isn’t satisfactory or you believe the sharing violated the law, you can lodge a formal complaint with the data protection authority. 
  • Seek legal compensation: If the improper disclosure caused you harm—whether emotional or financial—you can pursue legal action and claim compensation under the PDPL.