KSAPDPL.COM


Regulation on Personal Data Transfer Outside the Kingdom Article 3 – Procedures and Standards for Evaluating the Level of Personal Data Protection Outside the Kingdom

Overview

Regulation on Personal Data Transfer Outside the Kingdom Article 3 sets out the formal procedures and evaluation standards used by the Competent Authority (SDAIA) to determine whether countries or international organizations provide an appropriate level of Personal Data protection.

This Article establishes the adequacy assessment framework, review cycles, amendment powers, and suspension mechanisms that govern cross-border data transfers under the Saudi Personal Data Protection Law (PDPL), ensuring that transferred data receives protection not less than that guaranteed within the Kingdom.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 3: Procedures and Standards for Evaluating the Level of Personal Data Protection Outside the Kingdom

  1. The competent authority shall publish on its official website a list of countries or international organizations that provide an appropriate level of protection for personal data not less than that prescribed by the Law and Regulations. The competent authority shall review this list every four years, or as necessary, based on the following criteria:

    1. The existence of regulations that ensure the protection of personal data and the rights of data subjects, including the right to seek compensation for damages caused by violations of these rights. These regulations must meet at least the level of protection prescribed by Law and Regulations.

    2. The existence of a supervisory body responsible for enforcing the provisions related to the protection of personal data.

    3. The supervisory authority is prepared to cooperate with the competent authority in the Kingdom on matters related to the protection of personal data.

    4. The regulatory requirements related to the disclosure of personal data under the relevant statutory provisions applicable in the State or international organization must not conflict with the provisions for the disclosure of personal data set forth in the Law and Regulations, nor with any other statutory provisions in force in the Kingdom.

    5. Obligations arising from international treaties or agreements binding on a State or an international organization, as well as those related to its membership in regional or multilateral organizations, which may require the transfer of personal data.

    6. Provisions related to subsequent transfers of personal data, as stipulated in Article (5) of the Regulation.

  2. The competent authority may amend the list of countries or international organizations that ensure an appropriate level of protection for personal data transferred outside the Kingdom not less than that prescribed by the Law and Regulations in accordance with the statutory procedures. If a review indicates that any of these countries or organizations no longer guarantees an appropriate level of protection, the competent authority may work with the relevant authorities in the State or the international organization to address the reasons for its exclusion from the list.

  3. The competent authority may suspend the transfer or disclosure of personal data to any of the countries or organizations listed in paragraph (1) of this Article, in accordance with the statutory procedures.

  4. The standards applied to countries and international organizations for evaluating the level of protection of personal data outside the Kingdom shall also apply to cities, special economic zones, and global trade centers.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 3(1)

Adequacy List Publication and Review

This provision obliges the Competent Authority to publish and maintain an official list of countries and international organizations that provide an appropriate level of Personal Data protection. The adequacy level must not be lower than the protection required under the Law and its Regulations. The list must be reviewed at least every four years, or earlier if circumstances require.

Article 3(1)(A)

Legal and Regulatory Protection Framework

This provision requires that the evaluated country or organization have enforceable regulations protecting Personal Data and Data Subject rights (DSR), including mechanisms for compensation in case of violations. The protection framework must meet or exceed the minimum standards established under Saudi law.

Article 3(1)(B)

Supervisory Authority and Enforcement Capability

This provision requires the existence of a supervisory authority responsible for enforcing Personal Data protection rules. It also requires that such authority be willing and able to cooperate with the Competent Authority in the Kingdom on cross-border data protection matters.

Article 3(1)(C)

Regulatory Cooperation Readiness

This provision requires that the supervisory authority in the receiving country or international organization is prepared to cooperate with the Competent Authority in the Kingdom on matters related to the protection of Personal Data, including regulatory coordination, enforcement cooperation, and cross-border supervisory engagement.

Article 3(1)(D)

Compatibility of Disclosure Requirements

This provision ensures that foreign disclosure obligations under local laws or regulations do not conflict with Saudi PDPL disclosure requirements or any other applicable Saudi legal provisions. Conflicting disclosure regimes may undermine adequacy status.

Article 3(1)(E)

International Obligations and Memberships

This provision allows the Competent Authority to consider obligations arising from international treaties, agreements, or organizational memberships that may necessitate Personal Data transfers, provided that such obligations do not undermine the required level of protection.

Article 3(1)(F)

Subsequent Transfer Controls

This provision requires consideration of rules governing onward or subsequent transfers of Personal Data, as regulated under Article 5 of the Transfer Regulation, ensuring continuity of protection beyond the initial recipient.

Article 3(2)

Amendment and Removal from Adequacy List

This provision grants the Competent Authority the power to amend the adequacy list in accordance with statutory procedures. Where protection levels deteriorate, the Authority may engage with foreign regulators to address deficiencies or proceed with removal.

Article 3(3)

Suspension of Transfers

This provision empowers the Competent Authority to suspend transfers or disclosures of Personal Data to listed countries or organizations when required, following applicable statutory procedures.

Article 3(4)

Application to Special Jurisdictions

This provision clarifies that adequacy standards apply not only to countries and international organizations, but also to cities, special economic zones, and global trade centers that may operate under distinct regulatory frameworks.
