Saudi Arabia’s Personal Data Protection Law (PDPL) comes into force on 13th September 2024 and regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains strict rules about when personal data can be transferred outside the jurisdiction. 

Article 29 of PDPL states that when transferring personal data outside Saudi Arabia, Data Controllers must ensure that that the receiving country or international organisation has an appropriate level of personal data protection. The Regulation on the Transfer of Personal Data Outside the Kingdom (Transfer Regulation) provides more detail about the rules to be followed upon transfer. Two of the circumstances where personal data transfers are allowed outside the Kingdom is when Standard Contractual Clauses are used and where personal data is transferred among a group of multinational entities, provided that the Data Controller and its entities abide by Binding Common Rules (BCRs).

The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, recently released the draft Standard Contractual Clauses (SCCs) for Personal Data Transfer and Guidelines for Binding Common Rules. Bothe are open for comment for the next 8 days. In July SDAIA also published draft rules for the appointment of a DPO under the PDPL.

SCCs and BCRs are vital safeguards, defining the obligations of Data Controllers and Data Processors involved in cross-border data transfers, thereby ensuring compliance and protecting personal data even beyond the Kingdom’s borders. Organisations doing business in the Middle East need to carefully consider the impact of the rules on international transfers under the PDPL. Thought must also be given to the appointment and training of a suitably qualified DPO. 

Through our  KSA privacy programme, Act Now Training offers comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

Author: actnowtraining

Act Now Training is Europe’s leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms.
Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple.
Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
View all posts by actnowtraining