SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company
5. International Considerations 5.1 Restrictions on International Data Transfers There are restrictions on the transfer of data out - side KSA; however, the transfer of data outside Saudi Arabia for processing (including storage) of personal data is possible, provided that such transfer is performed in compliance with the PDPL and any other applicable law in KSA. The NDMO sets out general standards for per - sonal data transfer beyond the geographical limits of KSA, in order to specify the terms and conditions for cross-border transfer and stor - age of personal data for both public and private entities, and while pointing out the sovereignty of personal data. The standards also stipulate the rights of personal data owners, along with general guidelines and exceptions for personal data transfer beyond KSA’s borders – thereby creating secure processing for personal data and idealising national data privacy and security. The Regulation on Personal Data Transfer Out - side the Kingdom (the “Transfers Regulation”) imposes several restrictions on the international transfer of personal information to ensure that such transfers comply with KSA’s data protec - tion standards. According to Article 29 of the PDPL, personal data may only be transferred outside the Kingdom if the receiving country or entity provides an appropriate level of protec - tion that meets or exceeds the standards set by Saudi law. This requirement is further detailed in Article 3 of the Transfers Regulation, which mandates that the competent authority publish and maintain a list of countries or international organisations that meet these protection standards. If the receiving country is not on this list, the transfer
processing activities. This is specified in Article 6(1) of the PDPL. Informed consent is comprised of the following elements: • freely given – consent must be freely given without coercion, as outlined in Article 6(1) of the PDPL; • specific and explicit – consent must be spe - cific to the processing activities and must be explicitly granted, as required by Article 6(1) of the PDPL; • consent should be given by a person who has full legal capacity; and • consent should be documented by means allowing future verification. 4.3 Employment Privacy Law No special regulations explicitly deal with work - place privacy. The PDPL does not make a spe - cial distinction between the treatment of data subjects generally and that of those who are simultaneously considered employees of the controller; so, a controller’s employees should enjoy (at a minimum) the same rights and rem - edies as under the minimum standards that a data controller uses with data subjects generally. Accordingly, the PDPL does not adversely affect how employment relationships develop in KSA. 4.4 Transfer of Personal Data in Asset Deals Please see 3.3 Rights and Obligations Under Applicable Data Regulation .
365 CHAMBERS.COM
Powered by FlippingBook