Regulation on Personal Data Transfer Outside the Kingdom Article 3 explains how the Saudi Data & Artificial Intelligence Authority (SDAIA) determines which countries or international organizations have an “appropriate level of personal data protection” that allows data transfers without needing extra safeguards. It outlines evaluation criteria, review timelines, suspension rights, and how the rules apply beyond just national jurisdictions.
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (1)
Adequacy List
The competent authority shall publish on its official website a list of countries or international organizations that provide an appropriate level of protection for personal data not less than that prescribed by the Law and Regulations. The competent authority shall review this list every four years, or as necessary, based on the following criteria:
A. The existence of regulations that ensure the protection of personal data and the rights of data subjects, including the right to seek compensation for damages caused by violations of these rights. These regulations must meet at least the level of protection prescribed by Law and Regulations.
B. The existence of a supervisory body responsible for enforcing the provisions related to the protection of personal data.
C. The supervisory authority is prepared to cooperate with the competent authority in the Kingdom on matters related to the protection of personal data.
D. The regulatory requirements related to the disclosure of personal data under the relevant statutory provisions applicable in the State or international organization must not conflict with the provisions for the disclosure of personal data set forth in the Law and Regulations, nor with any other statutory provisions in force in the Kingdom.
E. Obligations arising from international treaties or agreements binding on a State or an international organization, as well as those related to its membership in regional or multilateral organizations, which may require the transfer of personal data.
F. Provisions related to subsequent transfers of personal data, as stipulated in Article (5) of the Regulation.
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (2)
Delisting or Engagement
The competent authority may amend the list of countries or international organizations that ensure an appropriate level of protection for personal data transferred outside the Kingdom not less than that prescribed by the Law and Regulations in accordance with the statutory procedures. If a review indicates that any of these countries or organizations no longer guarantees an appropriate level of protection, the competent authority may work with the relevant authorities in the State or the international organization to address the reasons for its exclusion from the list.
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (3)
Suspension Authority
The competent authority may suspend the transfer or disclosure of personal data to any of the countries or organizations listed in paragraph (1) of this Article, in accordance with the statutory procedures.
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (4)
Extended Scope
The standards applied to countries and international organizations for evaluating the level of protection of personal data outside the Kingdom shall also apply to cities, special economic zones, and global trade centers.
Explanation of Regulation on Personal Data Transfer Outside the Kingdom Article 3
Published by SDAIA:
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (1) says SDAIA will list countries or organizations that ensure personal data protection at least equal to PDPL. This list will be published and reviewed every 4 years or as needed.
Legal & enforcement standards:
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (1) (A-F) considers six factors: presence of personal data protection laws, enforcement bodies, cooperation readiness, legal compatibility, treaty obligations, and rules for onward transfers.
Addressing non-compliance:
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (2) says SDAIA may delist a country if protections degrade, but it may also work with authorities there to fix the issue first.
Temporary action:
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (3) says SDAIA has the power to suspend transfers even to an “adequate” country or organization under due process.
Zones & Trade Centers:
Regulation on Personal Data Transfer Outside the Kingdom Article 3 (4) says these evaluation standards also apply to smaller jurisdictions like free zones, cities, and trade hubs—not just countries.