Out-Law News 1 min. read

Saudi Arabia issues implementing rules on exporting personal data


Businesses relying on exporting data from Saudi Arabia will need to review their transfer arrangements, as the Kingdom has issued new regulations on cross-border personal data transfers.

The new rules (11-page PDF/1.6MB) provide implementation details on how personal data can be exported globally from the Kingdom under the amended Personal Data Protection Law. The updated legislation, which has lifted some of the previous restrictions on exporting personal data, came into force on 14 September 2023, but businesses were given one year from that date to comply with the new regime, with the grace period for compliance ending on 14 September 2024.

Data privacy law expert Zil Rehman of Pinsent Masons said, as a first step, business will need to select one of the ‘prescribed purposes’ for transferring data to a party outside the Kingdom under the law and the regulations.

“The most business-friendly purposes are performing necessary operations for central processing to enable the controller to conduct its activities, and to provide a service or benefit to the data subjects,” said Rehman.

Similar to the General Data Protection Regulation (GDPR) in the UK and EU, personal data can only be transferred to countries that provide an adequate level of data protection. The Saudi data protection regulator, Saudi Data and AI Authority (SDAIA), will issue so-called ‘adequacy decisions’ regarding countries and international organisations it considers as providing adequate protection to personal data. However, the list of designated adequate jurisdictions is yet to be released by the regulator.

Even if the destination country does not provide an adequate level of protection, the regime allows businesses to transfer data based on implementing appropriate safeguards. The regulations set out the appropriate safeguarding measures that consist of standard contractual clauses, binding common rules and certificates of accreditation.

SDAIA has published guidance around standard contractual clauses and binding common rules regarding exporting data from the Kingdom.

“Businesses should consult guidance issued by SDAIA on these topics to ensure the correct safeguarding arrangements are put in place. It is worth noting that the guidance issued on standard contractual clauses and binding common rules is similar to that under the GDPR, but it is not entirely the same. Existing data transfer agreements for transfers outside the Kingdom based on GDPR guidance would need to identify and bridge the gaps,” Rehman said.

The regulation also sets out instances where a risk assessment must be conducted prior to transferring data outside the Kingdom, and the elements to be included in the assessment.

For example, risk assessment will be required where transfers are being undertaken based on appropriate safeguards, and where there is continuous or large-scale transfer of sensitive data outside the Kingdom.

As under the GDPR, the protections associated with transfers outside the Kingdom of Saudi Arabia would apply to subsequent transfers.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.