Data Protection and Privacy 2025

SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

is generally prohibited unless specific appropriate safeguards are implemented, such as standard contractual clauses, binding common rules, or approval certificates from a licensed body as outlined in Article 4. These safeguards ensure that the data is protected at a level consistent with Saudi regulations, even when transferred internationally.

Before transferring personal data outside the Kingdom, controllers are required to conduct a risk assessment under Article 7 of the Transfers Regulation. This assessment is mandatory for transfers involving sensitive data or when the transfer is made under the exemptions specified in Article 4 of the Transfers Regulation. The risk assessment must evaluate several factors, including the purpose and legal basis for the transfer, the nature of the data and the appropriate safeguards in place to protect the data. Additionally, the assessment must consider the potential material or moral effects of the transfer and the likelihood of risks to data subjects. This ensures that controllers carefully weigh the necessity of the transfer against the potential risks to individuals’ privacy and data security. The risk assessment requirement underscores the importance of ensuring that international transfers are conducted responsibly and in compliance with the Transfers Regulation.

Furthermore, the Transfers Regulation allows for exemptions from the general restrictions on international data transfers in specific cases, as outlined in Article 4(2). For example, transfers are permitted for central operations within multinational entities, scientific research or to provide services to data subjects, provided that the appropriate safeguards are in place. However, even in these cases, the data must be limited to the minimum amount necessary to achieve the intended purpose, and the receiving entity must ensure compliance with Saudi data protection standards. If the competent authority determines that the safeguards are inadequate, the transfer may be halted, and the controller must notify the relevant entities under Article 6 of the Transfers Regulation. These restrictions and requirements ensure that international data transfers are conducted in a manner that prioritises the protection of personal data and aligns with KSA’s legal and regulatory framework.

5.2 Government Notifications and Approvals

Government approval for certain international data transfers is required under the Transfers Regulation. Transfers to countries or organisations on the competent authority’s approved list under Article 3(1) do not need additional approval, but transfers to non-listed countries require appropriate safeguards, such as standard contractual clauses or binding common rules, which may need to be reviewed or approved. As of January 2025, such a list of countries is yet to be published.

For specific cases such as scientific research or providing services to data subjects, the receiving entity must hold an approval certificate from a licensed body under Article 4(2)(E), provided that the transferred data is not sensitive data. Additionally, controllers must conduct a risk assessment for sensitive data transfers as per Article 7.

While not all transfers require explicit approval, the Transfers Regulation ensures oversight through conditions such as exemptions from such approvals and the potential revocation of such exemptions if the stated safeguards are inadequate. Controllers must ensure compliance with the Regulation, which may involve notifying or seeking approval from the competent authority, particularly for sensitive data or transfers to
