Overview
Article 4 of the Regulation on Personal Data Transfer Outside the Kingdom defines the specific cases in which Controllers may be exempt from the general requirement to comply with certain cross-border transfer conditions under PDPL Article 29 when transferring or disclosing data outside the Kingdom.
This Article establishes the mandatory safeguards that must still apply in exemption scenarios, identifies permissible transfer mechanisms, and grants the Competent Authority (SDAIA) ongoing oversight powers to review and amend these safeguards to ensure continued protection of Data Subject rights (DSR).
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 4: Cases in Which Controllers Are Exempt from the Requirements to Comply with the Appropriate Level of Protection and the Minimum Transfer of Personal Data
1. In accordance with the cases of exemption specified in paragraph (2) of this Article, the controller shall implement the following appropriate safeguards:
   - Standard contractual clauses.
   - Binding common rules.
   - Certificate of accreditation.
2. The controller is exempt from the two conditions required for transferring or disclosing personal data to a party outside the Kingdom, as stipulated in paragraphs (b) and (c) of paragraph (2) of Article (29) of the Law, or either of them. However, the transfer or disclosure of personal data to a party outside the Kingdom shall still be subject to appropriate safeguards in the following cases:
   a. If the transfer or disclosure of personal data is to be made between public bodies to implement an agreement to which the Kingdom is a party or to serve its interests, the controllers must include standard provisions for the protection of personal data in the relevant agreements or memoranda of understanding.
   b. If the transfer or disclosure is non-recurring or for a limited period and involves a limited number of data subjects, the controller must comply with the standard contractual clauses. Alternatively, if the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by the competent authority and the data is not sensitive.
   c. If the transfer or disclosure of personal data is necessary to perform central operations and the controller is part of a group of multinational entities, the controller and its affiliates must comply with binding common rules or standard contractual clauses that ensure adherence to the requirements stipulated by the Law and Regulations. Alternatively, the entity to which the personal data will be transferred or disclosed must obtain a certificate of approval issued by a body licensed by the competent authority.
   d. If the transfer or disclosure is made to provide a service or benefit directly to the data subject in a manner that does not violate their expectations or conflict with their interests, and if the transfer or disclosure is to a party that has received an approval certificate from a body licensed by the competent authority, provided that the data must not be sensitive.
   e. If the transfer or disclosure of personal data is necessary for conducting scientific research and studies, it must be limited to the minimum amount of data required. The controller must either comply with standard contractual clauses or ensure that the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by the competent authority, provided that the data must not be sensitive.
3. Appropriate safeguards must ensure that controllers comply with the provisions set out in the Law and its Regulations, as well as protect the rights of personal data subjects, including the right to file a complaint with the competent authority and to seek compensation for any damage caused by violations of these rights.
4. The competent authority may review the adequacy of the appropriate safeguards specified for each exemption case outlined in paragraph (2) of this Article, and may amend them every two years or as necessary.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.
Cases in Which Controllers Are Exempt from the Requirements to Comply with the Appropriate Level of Protection and the Minimum Transfer of Personal Data
Article 4(1)
Mandatory Safeguards in Exempted Transfers
This provision establishes that even where an exemption applies, Controllers must still implement one of the prescribed safeguards, namely Standard Contractual Clauses (SCCs), Binding Common Rules (BCRs), or an approved accreditation certificate.
Article 4(2)
Scope of Exemption from Transfer Conditions
Article 4(2)(a)
Transfers Between Public Bodies
Article 4(2)(b)
Limited and Non-Recurring Transfers
Article 4(2)(c)
Multinational Group Central Operations
Article 4(2)(d)
Transfers for Direct Data Subject Benefit
Article 4(2)(e)
Scientific Research Transfers
Article 4(3)
Protection of Data Subject Rights (DSR)
This provision reinforces that safeguards must preserve Data Subject rights (DSR), including the right to lodge complaints and seek compensation for harm arising from unlawful transfers.
Article 4(4)
Regulatory Review and Amendment
This provision gives the Competent Authority (SDAIA) the power to periodically reassess and amend safeguard requirements for exemption cases at least every two years or as needed.