Regulation on Personal Data Transfer Outside the Kingdom Article 6 says that even when a controller qualifies for an exemption that allows international personal data transfers without meeting all standard requirements, that exemption is not permanent. It can be revoked if safeguards are not implemented or are deemed inadequate by SDAIA. In such cases, the controller must immediately stop the transfer or disclosure and notify any foreign recipients of the data.
If you misuse or fail to uphold safeguards, you lose the exemption. Transfers must stop immediately.
Regulation on Personal Data Transfer Outside the Kingdom Article 6
Exemption Can Be Lost
None of the exemptions granted in accordance with the cases stipulated in Article (4) of the Regulation shall apply if any of the following situations arise:
A. The controller has failed to implement the appropriate safeguards.
B. If the competent authority determines that the appropriate safeguards are
inadequate for any specific case.
Mandatory Action
If any of the conditions stipulated in subparagraphs (a) and (b) of paragraph
(1) of this Article are met, the controller shall halt the transfer or disclosure and
notify the entities to whom the personal data was transferred or disclosed.
Explanation of Regulation on Personal Data Transfer Outside the Kingdom Article 6
Conditions for revocation:
Regulation on Personal Data Transfer Outside the Kingdom Article 6 says if a controller fails to implement required safeguards or SDAIA finds them insufficient, exemptions granted under Article 4 no longer apply.
Halt transfers & notify recipients:
Regulation on Personal Data Transfer Outside the Kingdom Article 6 says that once an exemption is revoked, the controller must stop all data transfers and notify any recipients of the data to prevent further processing.
