SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company
non-approved jurisdictions. This framework prioritises data protection while allowing international transfers under strict safeguards.

5.3 Data Localisation Requirements

The PDPL does not stipulate that data must be localised, provided the transfer and processing of personal data outside KSA is performed in accordance with the PDPL and any other law or regulation applicable to such personal data in KSA.

When transferring personal data outside KSA, special rules and regulations apply; however, these may apply in addition to, and exclusive of, the PDPL depending on the type of data (eg, health data) or sector (eg, financial), or if the localisation of data is in the national security or public interest of KSA. Under such circumstances, the transfer and/or processing of personal data may be restricted or prohibited altogether.

From a PDPL perspective, per the August 2024 Regulation on Personal Data Transfer Outside Saudi Arabia, there are no distinct rules for transferring data related to particular sectors; instead, certain types of data are categorised as sensitive, and are subject to stricter transfer requirements. Otherwise, data transfers outside KSA may be permitted subject to certain circumstances. For example, Article 4(2)(C) allows the transfer of sensitive data for central operations within multinational entities, provided that the controller adheres to binding common rules or standard contractual clauses to ensure data protection. Similarly, Article 4(2)(E) permits the transfer of sensitive data for scientific research and studies, but only if the data is limited to the minimum amount required and if the receiving entity has an approval certificate from a body licensed by the competent authority.
Additionally, Article 7 addresses the transfer of sensitive data on a continuous or widespread basis, requiring controllers to conduct a risk assessment before such transfers. This risk assessment must evaluate the purpose and legal basis of the transfer, the nature of the data and the appropriate safeguards in place to ensure compliance with the Regulation. While the Regulation does not explicitly differentiate between sectors, it imposes stricter requirements for sensitive data, which often includes sector-specific information such as health records or financial data. By requiring standard contractual clauses, binding common rules or approval certificates, the Regulation ensures that all sensitive data, regardless of its sector, is transferred outside KSA only under conditions that guarantee an appropriate level of protection.

5.4 Blocking Statutes

KSA has various relevant legal authorities on internet censorship, which are primarily aimed at controlling online content to align with the country’s cultural, religious and legal norms. Key legislation on web censorship is as follows.

• ACC: Article 6 prohibits, and prescribes imprisonment and fines as penalties for, the publication, dissemination or promotion of content deemed offensive to public order, religious values or national security. This includes content related to pornography, gambling, blasphemy, defamation and political dissent.
• TCIT Law: Article 24 stipulates that after co-ordination with the competent authorities the Commission must:
  (a) introduce internet filtering and limit access to specific content on the internet; and
  (b) prevent or restrict access to internet services by using internet gateways.