PDPL Article 29 says when and how personal data may be transferred or disclosed outside Saudi Arabia. While cross-border transfers are allowed, they must meet strict conditions to protect national security and data subject rights.
Transfers are allowed for specific purposes—such as fulfilling contracts or serving public interest—but only if the receiving country ensures an adequate level of data protection and the transfer is limited to the minimum necessary. However, these conditions may be waived in emergency cases (e.g., saving a life or treating a disease).
The Regulations will provide detailed rules, exceptions, and procedures.
Saudi PDPL Article 29 (1) (a)
Treaty Obligation Transfer
Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
Saudi PDPL Article 29 (1) (b)
Public Interest Transfer
Affects the Kingdom’s relations with any other state.
Saudi PDPL Article 29 (1) (c)
Contractual Obligation Transfer
Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
Saudi PDPL Article 29 (1) (d)
Other Legal Purposes
Compromises the safety of an individual.
Saudi PDPL Article 29 (2) (a)
No Harm to Kingdom
Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
Saudi PDPL Article 29 (2) (b)
Adequate Protection Required
Conflicts with the interests of a person that fully or partially lacks legal capacity.
Saudi PDPL Article 29 (2) (c)
Minimal Data Transfer
Violates legally established professional obligations.
Saudi PDPL Article 29 (3)
Emergency Transfer Exception
Involves a violation of an obligation, procedure, or judicial decision.
Saudi PDPL Article 29 (4)
Regulations Define Exceptions
Exposes the identity of a confidential source of information in a manner detrimental to the public interest.
Explanation of Saudi PDPL Article 29
Allowed if required by international agreements:
Saudi PDPL Article 29 (1) (a) says that, personal data may be transferred outside the Kingdom if it’s needed to meet an obligation under an agreement that Saudi Arabia is part of.
Allowed to serve national interests:
Saudi PDPL Article 29 (1) (b) says that, transfers are permitted if they serve the Kingdom’s interests, such as diplomacy, security, or economic policy.
Allowed to meet data subject’s contract:
Saudi PDPL Article 29 (1) (c) says that, transfer is permitted if it fulfills a contractual obligation involving the data subject.
Other lawful purposes permitted by Regulations:
Saudi PDPL Article 29 (1) (d) says that, additional transfer purposes may be allowed as defined by the Regulations.
Must not threaten national security:
Saudi PDPL Article 29 (2) (a) says that, the transfer or disclosure cannot harm the Kingdom’s national security or vital interests.
Receiving country must offer equal or higher data protection:
Saudi PDPL Article 29 (2) (b) says that, transfers are only allowed if the destination country provides an adequate level of protection, confirmed by a risk assessment from the Competent Authority.
Only the minimum required data should be transferred:
Saudi PDPL Article 29 (2) (c) says that, the controller must limit transfers to the smallest possible amount of personal data needed for the stated purpose.
Safeguards may be bypassed for urgent health/safety reasons
Saudi PDPL Article 29 (3) says that, conditions in Article 29 (2) do not apply in emergencies—such as saving a life, protecting vital interests, or treating disease.
Regulations may allow additional exemptions to conditions:
Saudi PDPL Article 29 (4) says that, the Regulations will define detailed rules, including exemptions from conditions (2)(b) and (2)(c) and controls for such exceptions.
