Saudi Arabia: Entry into force of Regulations for transferring personal data outside the geographical borders of the Kingdom of Saudi Arabia

On 14 September 2024, the regulations on the transfer of personal data outside the geographical borders of the Kingdom of Saudi Arabia (KSA) entered into force alongside the Personal Data Protection Law (PDPL). Under the regulations, the transfer of personal data is allowed if it does not prejudice the Kingdom's national security and respects the rights of the data subjects. The regulations specify that the transfers will be allowed based on an adequacy decision and international treaties and outline the process for the Competent Authority to assess if the data protection level in other jurisdictions is equal or higher to those applicable in Saudi Arabia. In the absence of an adequacy decision, the transfers will be allowed to jurisdictions that don't have legal requirements that would negatively impact the data subject's rights and based on safeguards, such as binding common rules, standard contractual clauses, certifications of compliance with the Law and Regulations of KSA and binding codes of conduct. The regulations outline exemptions in the case of adequacy decision absence and inability to implement the safeguards, such as the need to perform an agreement to which the data subject is a party, the entity is a public institution, and the transfer is necessary for national security or for the public interest or for investigation purposes, and lastly, if the transfer is necessary to protect the vital interests of a data subject.