Overview
Regulation on Personal Data Transfer Outside the Kingdom Article 5 governs the rules applicable to subsequent transfers of Personal Data after it has been transferred or disclosed outside the Kingdom.
It confirms that the Saudi Personal Data Protection Law (PDPL) and its Regulations continue to apply to such subsequent transfers or disclosures, ensuring continuity of protection following the initial cross border activity.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 5: Subsequent Transfer of Personal Data
Without prejudice to the provisions of Articles (8) and (15) of the Law and Article (17) of the Implementing Regulations, the Law and Regulations shall apply to subsequent transfers of personal data that has been transferred or disclosed to a party outside the Kingdom.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Subsequent Transfer of Personal Data
Continued Applicability of the Law
This provision establishes that the Personal Data Protection Law (PDPL) and its Regulations remain fully applicable to any subsequent transfers of Personal Data after the initial transfer outside the Kingdom.
No Limitation to Initial Transfers
Preservation of Data Subject Rights (DSR)
This provision ensures that Data Subject rights (DSR), protections, and safeguards under the Law remain enforceable even after Personal Data is further transferred outside the Kingdom.
Interaction with Other Legal Provisions
This provision explicitly preserves the application of Articles (8) and (15) of the Law and Article (17) of the Implementing Regulations, ensuring consistency across consent, lawful processing, and processor obligations in the context of onward transfers.
