Regulation on Personal Data Transfer Outside the Kingdom
Article 1: Definitions
The terms and phrases used in this Regulation shall have the meanings assigned to them in Article (1) of the Personal Data Protection Law issued pursuant to Royal Decree No. (M/19) dated 9/2/1443 AH and its amendments. The following terms and phrases, wherever used in this Regulation, shall have the meanings assigned to them below, unless the context requires otherwise:
- Regulation: The implementing Regulation for Personal Data Transfer outside the Kingdom.
- Appropriate Safeguards: The requirements imposed by the competent authority on controllers, including adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom, in cases where exemptions are granted from the conditions relating to the appropriate level of protection or the minimum transfer of personal data. Their purpose is to ensure that personal data transferred outside the Kingdom receives a level of protection not less than that prescribed by the Law and Regulations.
- Operational Processes: A set of procedures related to the operational processes essential for the controller's activities, including human resources operations, billing, accounting, and other workflow-related procedures.
- Standard Contractual Clauses: Mandatory provisions governing the transfer of personal data outside the Kingdom that ensure a level of protection for such data not less than that prescribed by the Law and Regulations, in accordance with a standard form issued by the competent authority.
- Binding Common Rules: Rules established by the controller and applicable to each controller and processing party within a group of multinational entities, which ensure a level of protection for personal data transferred outside the Kingdom not less than that prescribed by the Law and Regulations.
Article 2: Other Purposes for Transferring or Disclosing Personal Data to Entities Outside the Kingdom
The other purposes for transferring or disclosing personal data to a party outside the Kingdom, as provided for in subparagraph (d) of paragraph (1) of Article (29) of the Law, include the following:
- Performing operations necessary for central processing to enable the controller to conduct its activities.
- Providing a service or benefit to the data subject.
- Conducting scientific research and studies.
Article 3: Procedures and Standards for Evaluating the Level of Personal Data Protection Outside the Kingdom
- The competent authority shall publish on its official website a list of countries or international organizations that provide an appropriate level of protection for personal data not less than that prescribed by the Law and Regulations. The competent authority shall review this list every four years, or as necessary, based on the following criteria:
A. The existence of regulations that ensure the protection of personal data and the rights of data subjects, including the right to seek compensation for damages caused by violations of these rights. These regulations must provide at least the level of protection prescribed by the Law and Regulations.
B. The existence of a supervisory body responsible for enforcing the provisions related to the protection of personal data.
C. The readiness of that supervisory body to cooperate with the competent authority in the Kingdom on matters related to the protection of personal data.
D. The regulatory requirements related to the disclosure of personal data under the relevant statutory provisions applicable in the State or international organization must not conflict with the provisions for the disclosure of personal data set forth in the Law and Regulations, nor with any other statutory provisions in force in the Kingdom.
E. Obligations arising from international treaties or agreements binding on the State or international organization, as well as those related to its membership in regional or multilateral organizations, which may require the transfer of personal data.
F. Provisions related to subsequent transfers of personal data, as stipulated in Article (5) of the Regulation.
- The competent authority may, in accordance with the statutory procedures, amend the list of countries or international organizations that ensure a level of protection for personal data transferred outside the Kingdom not less than that prescribed by the Law and Regulations. If a review indicates that any of these countries or organizations no longer guarantees an appropriate level of protection, the competent authority may work with the relevant authorities in the State or international organization to address the reasons for its exclusion from the list.
- The competent authority may suspend the transfer or disclosure of personal data to any of the countries or organizations listed in paragraph (1) of this Article, in accordance with the statutory procedures.
- The standards applied to countries and international organizations for evaluating the level of protection of personal data outside the Kingdom shall also apply to cities, special economic zones, and global trade centers.
Article 4: Cases in Which Controllers Are Exempt from the Requirements to Comply with the Appropriate Level of Protection and the Minimum Transfer of Personal Data
- In accordance with the cases of exemption specified in paragraph (2) of this Article, the controller shall implement the following appropriate safeguards:
A. Standard contractual clauses.
B. Binding common rules.
C. Certificate of accreditation.
- The controller is exempt from the two conditions required for transferring or disclosing personal data to a party outside the Kingdom, as stipulated in subparagraphs (b) and (c) of paragraph (2) of Article (29) of the Law, or from either of them. However, the transfer or disclosure of personal data to a party outside the Kingdom shall still be subject to appropriate safeguards in the following cases:
A. If the transfer or disclosure of personal data is made between public bodies to implement an agreement to which the Kingdom is a party or to serve its interests, the controllers must include standard provisions for the protection of personal data in the relevant agreements or memoranda of understanding.
B. If the transfer or disclosure is non-recurring or for a limited period and involves a limited number of data subjects, the controller must comply with the standard contractual clauses. Alternatively, the transfer or disclosure may be made to a body that has received an approval certificate from an entity licensed by the competent authority, provided that the data is not sensitive.
C. If the transfer or disclosure of personal data is necessary to perform central operations and the controller is part of a group of multinational entities, the controller and its affiliates must comply with binding common rules or standard contractual clauses that ensure adherence to the requirements stipulated by the Law and Regulations. Alternatively, the entity to which the personal data will be transferred or disclosed must obtain a certificate of approval issued by a body licensed by the competent authority.
D. If the transfer or disclosure is made to provide a service or benefit directly to the data subject in a manner that does not violate their expectations or conflict with their interests, the transfer or disclosure must be to a party that has received an approval certificate from a body licensed by the competent authority, provided that the data is not sensitive.
E. If the transfer or disclosure of personal data is necessary for conducting scientific research and studies, it must be limited to the minimum amount of data required. The controller must either comply with standard contractual clauses or ensure that the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by the competent authority, provided that the data is not sensitive.
- Appropriate safeguards must ensure that controllers comply with the provisions set out in the Law and its Regulations, and must protect the rights of data subjects, including the right to file a complaint with the competent authority and to seek compensation for any damage caused by violations of these rights.
- The competent authority may review the adequacy of the appropriate safeguards specified for each exemption case outlined in paragraph (2) of this Article, and may amend them every two years or as necessary.
Article 5: Subsequent Transfer of Personal Data
Without prejudice to the provisions of Articles (8) and (15) of the Law and Article (17) of the Implementing Regulations, the Law and Regulations shall apply to subsequent transfers of personal data that has been transferred or disclosed to a party outside the Kingdom.
Article 6: Revocation of Exemption
- None of the exemptions granted in accordance with the cases stipulated in Article (4) of the Regulation shall apply if any of the following situations arise:
A. The controller has failed to implement the appropriate safeguards.
B. The competent authority determines that the appropriate safeguards are inadequate for a specific case.
- If either of the conditions stipulated in subparagraphs (a) and (b) of paragraph (1) of this Article is met, the controller shall halt the transfer or disclosure and notify the entities to whom the personal data was transferred or disclosed.
Article 7: Risk Assessment of Transferring or Disclosing Personal Data to a Party Outside the Kingdom
- The controller shall conduct a risk assessment before transferring or disclosing personal data to a party outside the Kingdom in the following cases:
A. Transfer or disclosure of personal data to a party outside the Kingdom in accordance with Article (4) of the Regulation.
B. Transfer or disclosure of sensitive data to entities outside the Kingdom on a continuous or widespread basis.
- The risk assessment for transferring or disclosing personal data to a party outside the Kingdom shall include the following elements:
A. The purpose and legal basis for transferring or disclosing personal data to a party outside the Kingdom.
B. A description of the nature of the transfer or disclosure of personal data to a party outside the Kingdom, including the activities involved in processing the data and their geographical scope.
C. The appropriate safeguards and measures implemented for transferring or disclosing personal data to a party outside the Kingdom, and their adequacy in ensuring a level of protection for personal data not less than that prescribed by the Law and Regulations.
D. The measures used to ensure that the transfer or disclosure of personal data to a party outside the Kingdom is limited to the minimum amount of data required to achieve the intended purposes, in cases not exempted under subparagraph (c) of paragraph (2) of Article (29) of the Law.
E. The potential material or moral effects of transferring or disclosing personal data to a party outside the Kingdom, and the likelihood of their occurrence.
F. The measures or controls that will be applied to prevent potential risks to data subjects or to mitigate their effects if they occur.
Article 8: Guides and Guidelines
The competent authority shall issue guides and guidelines related to the provisions contained in this Regulation.
Article 9: Enforcement
The Regulation shall enter into force on the date of its publication in the Official Gazette.