An Overview of Regulation on Personal Data Transfer Outside the Kingdom

Published October 8, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Salma Khan

Data Privacy Analyst at Securiti

CIPP/Asia

I. Introduction

Stringent rules govern the transfer of personal data out of the Kingdom of Saudi Arabia, with the aim of protecting individual privacy and maintaining data security. As digital globalization progresses, organizations operating in Saudi Arabia routinely engage in cross-border data transfers and must comply with evolving data protection regulations.

Saudi Arabia’s Personal Data Protection Law (PDPL) governs cross-border data transfers, requiring applicable organizations to swiftly comply with multiple obligations, such as obtaining explicit consent, ensuring adequate levels of data protection in recipient countries, and implementing necessary security measures. The Saudi Data and Artificial Intelligence Authority (SDAIA) is the Kingdom’s regulatory authority overseeing cross-border data transfer under PDPL.

On September 1, 2024, the SDAIA released an updated version of the Regulation on Personal Data Transfer Outside the Kingdom, providing further details on Article 29 of the Saudi Personal Data Protection Law. This update offers a comprehensive overview of the requirements for cross-border personal data transfers, intending to strengthen the legal framework regulating data privacy and security for transfers outside the Kingdom.

II. Key Definitions

a. Appropriate Safeguards

SDAIA requires controllers to comply with the PDPL and its Implementing Regulations when transferring or disclosing personal data to entities outside the Kingdom. Appropriate safeguards apply where a controller is exempted from the condition that the recipient country provide an adequate or minimum level of personal data protection; they ensure that personal data transferred outside the Kingdom still receives a level of protection meeting at least the standards prescribed by the Law and Regulations.

b. Standard Contractual Clauses (SCCs)

Mandatory provisions governing the transfer of personal data outside the Kingdom that ensure an appropriate level of protection for such data. These provisions are in accordance with a standard form issued by SDAIA.

c. Binding Common Rules (BCRs)

Rules set by the controller that bind each controller and processing entity within a multinational group, ensuring that personal data transferred outside the Kingdom receives protection no less than that mandated by the Law and Regulations.

d. Operational Processes

An assortment of procedures relevant to the operational processes essential for the controller's activities, including human resources operations, billing, accounting, and further workflow-related procedures.

III. Purposes for Transferring or Disclosing Personal Data to Entities Outside the Kingdom

Article 29 of the PDPL outlines acceptable purposes for transferring or disclosing personal data to entities outside Saudi Arabia. These include:

  • Performance of agreements to which the Kingdom is a party
  • Serving the Kingdom’s interests
  • Performance of agreements to which the data subject is a party
  • Any other purpose specified in the Personal Data Transfer Regulations

Article 2 of the Regulation on Personal Data Transfer describes three further circumstances in which transfer outside the Kingdom is permitted:

  • Central Processing Operations: Transfers necessary for central data processing that allow the data controller to conduct its activities.
  • Providing Services or Benefits: Transfers that provide a service or benefit to the data subject.
  • Scientific Research and Studies: Transfers made for the purpose of conducting scientific research or studies.

It is important to note that Article 29 of the PDPL requires that any such transfer or disclosure must not compromise national security or the Kingdom's vital interests.

This condition does not apply in cases of extreme necessity to protect the life or vital interests of the data subject or to prevent, diagnose, or treat disease.

IV. Guidelines for Assessing Personal Data Protection Levels Outside the Kingdom

On its official website, the SDAIA will publish the list of countries or international organizations that provide an adequate level of personal data protection on par with the requirements outlined in the PDPL and Implementing Regulations.

This list will be reviewed every four years or more often as required per specific standards to ensure ongoing compliance and appropriateness.

a. Regulatory Requirements for Data Protection and Subject Rights

Countries or organizations must have regulations that protect personal data and honor data subjects’ rights, including the ability to seek compensation for damages resulting from violations. The level of protection these regulations provide must, at the bare minimum, meet the standards set by Saudi PDPL and its Implementing Regulations.

b. Supervisory Authority with Cooperative Framework for Data Protection

The foreign country or organization must have a supervisory authority responsible for implementing data privacy legislation. Additionally, to ensure cooperative enforcement and cross-border compliance, this authority must be able and willing to cooperate with SDAIA on personal data protection issues.

c. Alignment of Foreign Regulatory Requirements with Saudi Data Disclosure Laws

The disclosure provisions specified in Saudi PDPL and its Implementing Regulations must not conflict with the regulatory requirements for disclosing personal data in a foreign country or international organization or with any other laws currently in effect in Saudi Arabia.

d. Obligations from International Treaties and Agreements on Data Transfers

Treaty or agreement-bound states and international organizations, as well as those participating in regional or multilateral organizations, have duties that may necessitate the transmission of personal data. When transferring data across borders, these responsibilities must be considered and in line with Saudi data protection legislation.

The SDAIA may, following the applicable legal process, amend the list of countries or international organizations that provide an adequate level of personal data protection.

If a review indicates that a country or organization no longer meets the necessary protection requirements, the SDAIA may collaborate with relevant parties to address the concerns. Moreover, it may suspend disclosing or transferring data to certain organizations. Additionally, cities, global trade centers, and special economic zones are all subject to the same evaluation criteria for personal data protection as nations and international organizations.

V. When Controllers Are Exempt from Data Protection Requirements

Even when exemptions apply, the controller must implement the appropriate safeguards to protect personal data. Among these safeguards are:

  1. Standard Contractual Clauses: Legal agreements that ensure data protection during transfers.
  2. Binding Common Rules: Internal policies that apply across the organization to safeguard data.
  3. Certificate of Accreditation: Certification that verifies compliance with data protection standards.

When relying on appropriate safeguards, controllers are exempt from ensuring that an adequate level of personal data protection exists outside the Kingdom, which must be at least equal to the protection guaranteed by the PDPL and Implementing Regulations.

Regardless of the exemptions stated above, the transfer of data outside the Kingdom shall still be subject to appropriate safeguards in the following cases:

Standard Provisions for Protecting Personal Data

Data controllers must implement standard provisions for protecting personal data in any relevant agreements or memoranda of understanding where personal data is transferred or disclosed between public entities. This ensures that personal data is protected in compliance with appropriate legal requirements throughout such exchanges.

Non-Recurring or Limited Data Transfers

The data controller must comply with the SCCs in the case of one-time or non-recurring data transfers involving only a small number of data subjects. These provisions also apply if the transfer is made to an approved body certified by a licensed entity and does not involve sensitive data.

Data Transfers for Multinational Entities

A data controller and its affiliates must comply with BCR and SCC provisions that meet legal and regulatory requirements when the controller, as part of a multinational group, transfers or discloses personal data for central operations. Alternatively, the recipient entity must hold an approval certificate from a body licensed by SDAIA.

Conditions for Data Transfer or Disclosure when providing a service or benefit

The transfer or disclosure of data is permissible if it:

  1. Provides a service or benefit directly to the data subject.
  2. Does not violate the data subject's expectations or conflict with their interests.
  3. Is made to a party with an approval certificate from SDAIA.
  4. Does not involve sensitive data.

Conditions for Data Transfer or Disclosure when Needed for Scientific Research

Personal data may be transferred or disclosed only insofar as required for scientific research and must be limited to the minimum amount necessary. The data controller must ensure that the transfer is made to an approved body licensed by SDAIA, or otherwise comply with the SCC provisions. Furthermore, no sensitive data may be involved.

Data controllers must ensure that data subjects' rights are protected, compliance with PDPL and its Implementing Regulations is maintained, and data subjects can conveniently submit complaints and seek damages for violations. Moreover, the SDAIA may review the adequacy of the appropriate safeguards listed for each exemption instance every two years or as often as needed.

VI. Risk Assessment for Cross-Border Data Transfers

Data controllers must conduct a risk assessment before transferring or disclosing personal data to a party outside the Kingdom, and also whenever sensitive data is continuously or widely transferred or disclosed to entities outside the Kingdom.

A risk assessment for transferring or disclosing personal data to a party outside the Kingdom should address several key elements, including:

  • the purpose and legal basis for the transfer;
  • a description of the nature of the transfer, including the data processing activities and geographical scope;
  • the safeguards in place to ensure adequate data protection in line with legal requirements;
  • measures ensuring only the minimum necessary data is transferred;
  • the potential material or moral effects of the transfer and their likelihood; and
  • controls to prevent or mitigate risks to data subjects.

VII. How Securiti Can Help

Securiti emerges as a pivotal catalyst for organizations seeking to navigate and comply with Saudi Arabia’s Regulation on Personal Data Transfer Outside the Kingdom. Securiti’s robust modules fortify organizations against potential cyber threats and ensure alignment with Saudi Arabia’s stringent data privacy laws.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
