Overview
Regulation on Personal Data Transfer Outside the Kingdom Article 6 sets out the conditions under which previously granted exemptions for cross-border Personal Data transfers are revoked.
This Article empowers the Competent Authority (SDAIA) to withdraw exemptions where appropriate safeguards are not implemented or are deemed inadequate, and it imposes an immediate obligation on Controllers to halt transfers and notify recipients when revocation conditions arise.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 6: Revocation of Exemption
- None of the exemptions granted in accordance with the cases stipulated in Article (4) of the Regulation shall apply if any of the following situations arise:
- The controller has failed to implement the appropriate safeguards.
- If the competent authority determines that the appropriate safeguards are inadequate for any specific case.
- If any of the conditions stipulated in subparagraphs (a) and (b) of paragraph (1) of this Article are met, the controller shall halt the transfer or disclosure and notify the entities to whom the personal data was transferred or disclosed.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
