Overview
Article 7 of the Regulation on Personal Data Transfer Outside the Kingdom establishes the obligation for Controllers to conduct a documented risk assessment before transferring or disclosing Personal Data to entities outside the Kingdom in specific high-risk scenarios.
This Article defines when a risk assessment is mandatory and sets out the minimum elements that must be evaluated to ensure that cross-border transfers maintain an appropriate level of Personal Data protection in line with the Law and its Regulations.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Article 7: Risk Assessment of Transferring or Disclosing Personal Data to a Party Outside the Kingdom
- The controller shall conduct a risk assessment before transferring or disclosing personal data to a party outside the Kingdom in the following cases:
  - Transfer or disclosure of personal data to a party outside the Kingdom in accordance with Article (4) of the Regulation.
  - Transferring or disclosing sensitive data to entities outside the Kingdom on a continuous or widespread basis.
- Risk assessment of transferring or disclosing personal data to a party outside the Kingdom should include the following elements:
  - The purpose and legal basis for transferring or disclosing personal data to a party outside the Kingdom.
  - A description of the nature of the transfer or disclosure of personal data to a party outside the Kingdom, including the activities involved in processing the data and their geographical scope.
  - The appropriate safeguards and measures implemented for transferring or disclosing personal data to a party outside the Kingdom, and their adequacy in ensuring an appropriate level of protection for personal data not less than that prescribed by the Law and Regulations.
  - The measures used to ensure that the transfer or disclosure of personal data to a party outside the Kingdom is limited to the minimum amount of data required to achieve the intended purposes, in cases not exempted by subparagraph (c) of paragraph (2) of Article (29) of the Law.
  - The potential material or moral effects of transferring or disclosing personal data to a party outside the Kingdom and the likelihood of their occurrence.
  - The measures or controls that will be applied to prevent potential risks to personal data subjects or to mitigate their effects if they occur.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Risk Assessment of Transferring or Disclosing Personal Data to a Party Outside the Kingdom
Article 7(1)(A)(B)
Mandatory Risk Assessment Scenarios
This provision identifies the situations in which the Controller is required to conduct a risk assessment before transferring or disclosing Personal Data outside the Kingdom, including:
(a) transfers made under exemption cases (Article 4); and
(b) continuous or widespread transfers of sensitive data.