Regulation on Personal Data Transfer Outside the Kingdom Article 7 says that before transferring or disclosing personal data to any party outside Saudi Arabia, controllers must conduct a structured risk assessment, especially in cases involving exemptions or large-scale sensitive data transfers. This assessment evaluates the necessity, purpose, potential risks, safeguards, and possible harms of the transfer, and ensures accountability.
Regulation on Personal Data Transfer Outside the Kingdom Article 7
When It's Required
The controller shall conduct a risk assessment before transferring or disclosing personal data to a party outside the Kingdom in the following cases:
A. Transfer or disclosure of personal data to a party outside the Kingdom in accordance with Article (4) of the Regulation.
B. Transferring or disclosing sensitive data to entities outside the Kingdom on a continuous or widespread basis.
What to Include
Risk assessment of transferring or disclosing personal data to a party outside the Kingdom should include the following elements:
A. The purpose and legal basis for transferring or disclosing personal data to a party outside the Kingdom.
B. A description of the nature of the transfer or disclosure of personal data to a party outside the Kingdom, including the activities involved in processing the data and their geographical scope.
C. The appropriate safeguards and measures implemented for transferring or disclosing personal data to a party outside the Kingdom, and their adequacy in ensuring an appropriate level of protection for personal data not less than that prescribed by the Law and Regulations.
D. The measures used to ensure that the transfer or disclosure of personal data to a party outside the Kingdom is limited to the minimum amount of data required to achieve the intended purposes, in cases not exempted by subparagraph (c) of paragraph (2) of Article (29) of the Law.
E. The potential material or moral effects of transferring or disclosing personal data to a party outside the Kingdom and the likelihood of their occurrence.
F. The measures or controls that will be applied to prevent potential risks to personal data subjects or to mitigate their effects if they occur.
Explanation of Regulation on Personal Data Transfer Outside the Kingdom Article 7
Triggering scenarios:
Regulation on Personal Data Transfer Outside the Kingdom Article 7 says that risk assessments must be conducted before: (a) any transfer made under an exemption per Article 4, or (b) any continuous or large-scale transfer of sensitive data.
Minimum elements required:
Regulation on Personal Data Transfer Outside the Kingdom Article 7 says that the risk assessment must cover purpose, legal basis, nature of processing, safeguards, data minimization, potential harms, and mitigation controls.