International Transfers under Saudi Arabia’s New Data Protection Law


Saudi Arabia’s Personal Data Protection Law (PDPL) comes into force on 14th September 2024 and regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains strict rules about when personal data can be transferred outside the jurisdiction. 

Article 29 of PDPL states that when transferring personal data outside Saudi Arabia, Data Controllers must ensure that the receiving country or international organisation has an appropriate level of personal data protection. The Regulation on the Transfer of Personal Data Outside the Kingdom (Transfer Regulation) provides more detail about the rules to be followed upon transfer. Two of the circumstances in which personal data transfers are allowed outside the Kingdom are where Standard Contractual Clauses are used and where personal data is transferred among a group of multinational entities, provided that the Data Controller and its entities abide by Binding Common Rules (BCRs).

The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, recently released the draft Standard Contractual Clauses (SCCs) for Personal Data Transfer and Guidelines for Binding Common Rules. Both are open for comment for the next 8 days. In July SDAIA also published draft rules for the appointment of a DPO under the PDPL.

SCCs and BCRs are vital safeguards, defining the obligations of Data Controllers and Data Processors involved in cross-border data transfers, thereby ensuring compliance and protecting personal data even beyond the Kingdom’s borders. Organisations doing business in the Middle East need to carefully consider the impact of the rules on international transfers under the PDPL. Thought must also be given to the appointment and training of a suitably qualified DPO. 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one-hour awareness-raising webinars to comprehensive full-day workshops and DPO certificate courses.


Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
