Overview
Saudi Personal Data Protection Law (KSA PDPL) Article 29 establishes the comprehensive legal framework for transferring or disclosing Personal Data outside the Kingdom of Saudi Arabia.
It permits such transfers only for specific purposes such as, to fulfill the Kingdom’s international obligations, to serve its national interests, to perform an obligation of the Data Subject, or for other purposes defined in the Regulations. Any permitted transfer must also satisfy three mandatory conditions: it must not harm national security or vital interests, the destination must provide an adequate level of data protection as assessed by the Competent Authority, and only the minimum necessary data may be transferred.
The Article provides an exception for cases of extreme necessity involving the preservation of the Data Subject’s life or vital interests or for preventing, examining, or treating disease, and delegates the detailed implementation rules and exemptions to the Regulations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 29
- Subject to the provisions of Paragraph (2) of this Article, a Controller may Transfer Personal Data outside the Kingdom or disclose it to a party outside the Kingdom, in order to achieve any of the following purposes:
- If this is relating to performing an obligation under an agreement, to which the Kingdom is a party.
- If it is to serve the interests of the Kingdom.
- If this is to the performance of an obligation to which the Data Subject is a party
- If this is to fulfill other purposes as set out in the Regulations.
- The conditions that must be met when there is a Transfer or Disclosure of Personal Data, according to what is stated in Paragraph (1) of this Article, are as follows:
- The Transfer or Disclosure shall not cause any prejudice to national security or the vital interests of the Kingdom.
- There is an adequate level of protection for Personal Data outside the Kingdom. Such level of protection shall be at least equivalent to the level of protection guaranteed by the Law and Regulations, according to the results of an assessment conducted by the Competent Authority in coordination with whomever it deems appropriate from the other relevant authorities.
- The Transfer or Disclosure shall be limited to the minimum amount of Personal Data needed.
- Paragraph (2) of this Article shall not apply to cases of extreme necessity to preserve the life or vital interests of the Data Subject or to prevent, examine or treat disease.
- The Regulations shall set out the provisions, criteria and procedures related to the implementing this Article, including applicable exceptions for Controllers regarding conditions referred to in Subparagraphs (b) and (c) of Paragraph (2) of this Article, as well as controls and procedures for such exemptions.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Article 29(1)
Transfer Authorization Framework
Article 29(1)(A)
Fulfilling a Kingdom’s International Obligation
This provision permits the transfer or disclosure of Personal Data outside the Kingdom when such transfer is necessary to perform an obligation arising under an international agreement or treaty to which the Kingdom of Saudi Arabia is a party.
The transfer must be directly linked to fulfilling the Kingdom’s binding international commitments and limited to what is required to meet those obligations.
Article 29(1)(B)
Serving the Interests of the Kingdom
This provision permits the transfer or disclosure of Personal Data outside the Kingdom when it is necessary to serve the interests of the Kingdom.
This includes transfers that support national, strategic, sovereign, or governmental objectives, provided that the transfer is justified by the Kingdom’s interests and complies with the conditions set out in this Article.
Article 29(1)(C)
Performing a Data Subject’s Obligation
This provision permits the transfer or disclosure of Personal Data outside the Kingdom when it is necessary for the performance of an obligation to which the Data Subject is a party.
This enables Data Subjects to participate in international contractual arrangements, services, or transactions that require Personal Data to be processed or transferred outside the Kingdom.
Article 29(1)(D)
Other Purposes Set Out in the Regulations
This provision permits the transfer or disclosure of Personal Data outside the Kingdom for other purposes that are expressly set out in the Implementing Regulations.
This allows the regulatory framework to address specific cross border transfer scenarios through formally defined regulatory provisions.
Article 29(2)
Mandatory Conditions for Transfer or Disclosure
This paragraph establishes three mandatory conditions that must all be satisfied for any transfer or disclosure of Personal Data conducted under Paragraph (1) of this Article.
A transfer or disclosure is not permitted unless each of these conditions is met.
Article 29(2)(A)
Protection of National Security and Vital Interests
This condition requires that the transfer or disclosure of Personal Data must not cause any prejudice to the national security or vital interests of the Kingdom.
This safeguard ensures that cross border data transfers do not compromise the Kingdom’s sovereignty or essential national interests.
Article 29(2)(B)
Adequate Level of Personal Data Protection
This condition requires that Personal Data transferred or disclosed outside the Kingdom be subject to an adequate level of protection.
The level of protection must be at least equivalent to that guaranteed under the Personal Data Protection Law and its Implementing Regulations, as determined through an assessment conducted by the Competent Authority in coordination with relevant authorities.
Article 29(2)(C)
Limitation to the Minimum Necessary Data
This condition requires that any transfer or disclosure of Personal Data be limited to the minimum amount of data necessary to achieve the specified purpose under Paragraph (1).
This applies the data minimisation principle to cross border transfers and disclosures.
Article 29(3)
Exception for Cases of Extreme Necessity
This paragraph provides an exception to the conditions set out in Paragraph (2) of this Article.
The conditions do not apply where the transfer or disclosure of Personal Data is necessary to preserve the life or vital interests of the Data Subject, or to prevent, examine, or treat disease.
This exception allows urgent international data transfers in genuine emergency situations.
Article 29(4)
Role of the Implementing Regulations
This paragraph authorises the Implementing Regulations to set out the detailed provisions, criteria, and procedures for implementing this Article.
It also enables the Regulations to define specific exemptions for Controllers in relation to certain conditions, as well as the applicable controls and procedures governing such exemptions.
