KSAPDPL.COM

Regulation on Personal Data Transfer Outside the Kingdom Article 4 – Cases in Which Controllers Are Exempt from the Requirements to Comply with the Appropriate Level of Protection and the Minimum Transfer of Personal Data

Regulation on Personal Data Transfer Outside the Kingdom Article 4 outlines specific scenarios where controllers are allowed to transfer or disclose personal data outside Saudi Arabia without first satisfying the two standard conditions—an appropriate protection level and minimum necessity. However, even in these cases, alternative safeguards must still be in place to protect data subjects’ rights and uphold PDPL principles.

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (1)

Safeguard Requirement

In accordance with the cases of exemption specified in paragraph (2) of this Article, the controller shall implement the following appropriate safeguards:

A. Standard contractual clauses.

B. Binding common rules.

C. Certificate of accreditation.

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (2)

Exempted Scenarios

The controller is exempt from the two conditions required for transferring or disclosing personal data to a party outside the Kingdom, as stipulated in paragraphs (b) and (c) of paragraph (2) of Article (29) of the Law, or either of them. However, the transfer or disclosure of personal data to a party outside the Kingdom shall still be subject to appropriate safeguards in the following cases:

A. If the transfer or disclosure of personal data is to be made between public bodies to implement an agreement to which the Kingdom is a party or to serve its interests, the controllers must include standard provisions for the protection of personal data in the relevant agreements or memoranda of understanding.

B. If the transfer or disclosure is non-recurring or for a limited period and involves a limited number of data subjects, the controller must comply with the standard contractual clauses, or the transfer or disclosure must be made to a body that has received an approval certificate from an entity licensed by the competent authority and the data must not be sensitive.

C. If the transfer or disclosure of personal data is necessary to perform central operations and the controller is part of a group of multinational entities, the controller and its affiliates must comply with binding common rules or standard contractual clauses that ensure adherence to the requirements stipulated by the Law and Regulations. Alternatively, the entity to which the personal data will be transferred or disclosed must obtain a certificate of approval issued by a body licensed by the competent authority.

D. If the transfer or disclosure is made to provide a service or benefit directly to the data subject in a manner that does not violate their expectations or conflict with their interests, and if the transfer or disclosure is to a party that has received an approval certificate from a body licensed by the competent authority, provided that the data must not be sensitive.

E. If the transfer or disclosure of personal data is necessary for conducting scientific research and studies, it must be limited to the minimum amount of data required. The controller must either comply with standard contractual clauses or ensure that the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by the competent authority, provided that the data must not be sensitive.

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (3)

Rights Protection

Appropriate safeguards must ensure that controllers comply with the provisions set out in the Law and its Regulations, as well as protect the rights of personal data subjects, including the right to file a complaint with the competent authority and to seek compensation for any damage caused by violations of these rights.

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (4)

Review & Updates

The competent authority may review the adequacy of the appropriate safeguards specified for each exemption case outlined in paragraph (2) of this Article, and may amend them every two years or as necessary.

Interpretation of Regulation on Personal Data Transfer Outside the Kingdom Article 4

Alternatives to Adequacy & Minimality:

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (1) says that even where the adequacy or minimality condition is not met, controllers must rely on one of the listed safeguards: Standard Contractual Clauses (SCCs), Binding Common Rules (BCRs), or a certificate of accreditation.

Five cases allowed with safeguards:

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (2) lists five specific cases where exemptions apply: transfers between public bodies, one-off or time-limited transfers, central operations within multinational groups, services provided directly to the data subject, and scientific research.

Must still protect data subject rights:

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (3) says that, even when a controller is exempt, the safeguards used must uphold data subjects' rights, including the right to file a complaint with the competent authority and to seek compensation for damage.

SDAIA may revise safeguards:

Regulation on Personal Data Transfer Outside the Kingdom Article 4 (4) says the competent authority may update or adjust exemption-related safeguards every two years or as needed.
