Client Alert

November 17, 2025

International Personal Data Transfers under Saudi Arabia’s Data Protection Law

The Kingdom of Saudi Arabia (“Saudi Arabia”) has seen a significant increase in foreign investments since the implementation of the country’s Vision 2030. Such influx has led to frequent inquiries from foreign and local investors on the permissibility of cross-border transfers of personal data outside Saudi Arabia. There continues to be a certain perception that Saudi Arabia is a data localization jurisdiction when it comes to the processing of personal data.[1] The question has become even more relevant with the adoption of the regional headquarter program established by the Ministry of Investment of Saudi Arabia, which has increased and will likely continue to increase data flows from Saudi Arabia to other regions and global headquarters.[2]

[1] There are separate local requirements with respect to other forms of data, e.g., highly confidential state secrets.
[2] https://www.investsaudi.sa/en/rhq

Saudi Arabia’s data protection framework, set out in the Personal Data Protection Law (“PDPL”),[3] continues to develop and evolve. For international organizations building or investing in Saudi operations, whether through local entities, joint ventures, or service partnerships, the rules governing data transfers out of Saudi Arabia are now a board-level issue. Many readers will be familiar with the EU GDPR’s (“GDPR”) architecture and its well-trodden mechanisms for international transfers. The PDPL, while relying on many of the fundamental principles of the GDPR, takes a slightly different path in both structure and emphasis, and this alert compares those nuances in the context of international transfers. Understanding those differences, and the direction of travel, will be critical to designing resilient and compliant data flows between Saudi entities and international global headquarters to support international businesses looking at expanding or beginning to establish their Middle East operations.

[3] Personal Data Protection Law, Royal Decree No. M/19 of 9/2/1443H (16 September 2021), as amended by Royal Decree No. M/148 dated 5/9/1444H (27 March 2023).

In August 2024, the Saudi Data and AI Authority (“SDAIA”) issued the Regulation on Personal Data Transfer Outside the Kingdom of Saudi Arabia (“Transfer Regulations”), which permits the transfer of personal data outside Saudi Arabia if certain conditions and safeguards are met. The Transfer Regulations supplement the PDPL and its Implementing Regulations (together, the “Saudi DP Laws”). Recently, SDAIA also published guidance on implementing certain appropriate safeguards as discussed below to protect the security and confidentiality of personal data being transferred.

This alert summarizes, at a high-level, the legal requirements for cross-border transfers of personal data under Saudi DP Laws, compares some of the requirements with the GDPR and provides recommendations and key takeaways for international organizations which may engage in such cross-border transfer of Saudi personal data as part of their operations.

It is worth stating at the outset that the PDPL’s scope of application is broader than that of the GDPR. Under the GDPR, extraterritorial scope is limited to processing activities undertaken in relation to the offering of goods and services to, or monitoring the behavior of, individuals in the EU. By contrast, Article 3 of the PDPL states that the PDPL applies to the processing of personal data of individuals residing in Saudi Arabia by entities outside of Saudi Arabia. The PDPL, therefore, has a broader reach, and this is important to bear in mind at the outset when approaching Saudi data protection law compliance.

1. Requirements for Cross-Border Personal Data Transfers

A data controller (person or entity that determines the manner and purpose of processing) is permitted under the Saudi DP Laws to transfer personal data outside of Saudi Arabia: (a) to achieve permitted purposes under the PDPL (“Permitted Purposes”); and (b) if certain conditions are met (“Additional Conditions”). However, there are certain scenarios set out in the Transfer Regulations which do not need to satisfy an Additional Condition so long as the relevant Appropriate Safeguard as set out in further detail in this section is used (“Exempt Cases”).

Permitted Purposes

The Permitted Purposes (in Article 29(1) of the PDPL) are: (a) performing an obligation under an agreement to which Saudi Arabia is a party; (b) serving the interests of Saudi Arabia; (c) performing an obligation to which the data subject is a party; or (d) any “other purpose” as set out in the Transfer Regulations.

With respect to the ‘other purposes’, those are found in Article 2 of the Transfer Regulations. Such other purposes comprise: (i) performing necessary operations for central processing to enable the controller to conduct its activities; (ii) providing a service or benefit to the data subject; and (iii) conducting scientific research and studies. For most international organizations conducting business in Saudi Arabia, the other purposes set out in Article 2 of the Transfer Regulations are likely to be the relevant ones.

Additional Conditions

Further to selecting a Permitted Purpose for the transfer of data, the transfer must also satisfy all of the Additional Conditions. The Additional Conditions are: (a) the transfer must not cause any prejudice to national security or the vital interests of Saudi Arabia, (b) the data importer must be located in a jurisdiction that affords an ‘adequate level of protection’ (as determined by the SDAIA), and (c) the transfer must be subject to the principle of data minimization.

Given that SDAIA has not disclosed the list of approved jurisdictions, we continue to advise our clients to limit the transfer of Saudi personal data to jurisdictions that have been deemed adequate by the European Commission under the GDPR.

Appropriate Safeguards for Exempt Cases

The Transfer Regulations specify certain Exempt Cases under which an international transfer is permitted even if it may not satisfy either or both of Additional Conditions (b) or (c), provided an appropriate safeguard (“Appropriate Safeguard”) is used with respect to such international data transfer and the data exporter undertakes a risk assessment.

The Transfer Regulations set out three distinct types of Appropriate Safeguard which a data controller may rely on when transferring personal data for an Exempt Case:

  1. Standard Contractual Clauses (“Saudi SCCs”). SCCs are mandatory provisions governing the transfer of personal data outside Saudi Arabia to ensure the adequate protection of such personal data. Users of the EU SCCs will recognize the modular nature of the Saudi SCCs, requiring international organizations to select the relevant template depending on the nature of the relationship between the data exporter and data importer, namely, whether the relationship is ‘Controller to Controller’, ‘Controller to Processor’, ‘Processor to Processor’ or ‘Processor to Controller’.

  2. Binding Common Rules (“BCRs”). BCRs are stringent global rules established by the data controller to safeguard intra-group cross-border transfers of personal data, meaning that BCRs are not an available safeguard when an organization anticipates the transfer of personal data with third-party vendors internationally.

  3. Certificate of Accreditation (“Certificate”). A Certificate issued by approved agencies to controllers and processors certifying their level of compliance with Saudi data protection law requirements. As of today, there is limited information on the nature of such a Certificate though it is anticipated that SDAIA will issue further guidance as mandated under the PDPL.

We focus below on the three Exempt Cases most relevant to international organizations. It is worth noting that when transferring Saudi personal data outside Saudi Arabia in the context of the provision of a direct benefit or service to users, the transfer will be deemed appropriately safeguarded if the non-Saudi-based data importer holds and adheres to a Certificate. The suitability of Appropriate Safeguards applicable to each Exempt Case will be reviewed every two years by SDAIA.

a. A transfer as part of centralized operations.

A transfer may fall within this category if the:

  1. transfer or disclosure of personal data is necessary to perform centralized operational processes. Operational processes are generally defined as those essential for the controller’s activities, including human resources operations, billing, accounting, and other workflow-related procedures; and
  2. controller is part of a group of multinational entities.

The controller must implement BCRs or Saudi SCCs, or the data importer must hold a Certificate.

b. A transfer to provide direct benefit or service.

A transfer may fall within this category if the transfer:

  1. is made to provide a service or benefit directly to the data subject; and
  2. does not violate the data subject’s expectations or conflict with the data subject’s interests.

The data importer must hold a Certificate, and the transfer must not involve the transfer of sensitive data.[4]

[4] Under the PDPL, “Sensitive Data” is defined as “Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.”

c. A transfer that is necessary for scientific research.

A transfer may fall under this category if the:

  1. purpose of the transfer is to conduct scientific research and studies; and
  2. data is limited to the minimum amount necessary to achieve the research objective.

The controller must implement Saudi SCCs or ensure the data importer holds a Certificate, and the transfer must not involve the transfer of sensitive data.

Risk Assessment When Implementing Appropriate Safeguards

To rely on Appropriate Safeguards, a Saudi-based controller must also undertake a risk assessment prior to the transfer of personal data outside Saudi Arabia. In February 2025, SDAIA issued the Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom.[5] These guidelines outline the steps and detailed phases required to assess the risks associated with the international transfer of personal data to foreign entities.

[5] SDAIA – Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom, Link.

Pursuant to Article 7 of the Transfer Regulations, this risk assessment will need to consider: (a) the purpose of the transfer or disclosure; (b) a description of the nature of the transfer, including the activities involved in processing the data and their geographical scope; (c) the appropriate safeguards and measures implemented for transferring personal data to a party outside Saudi Arabia; (d) the adequacy of the recipient in ensuring an appropriate level of protection for personal data not less than that prescribed by the PDPL; and (e) the measures used to ensure that the transfer of personal data is limited to the minimum amount necessary to achieve the intended purpose, in line with the principle of data minimization.

2. Comparison with GDPR & EU SCCs

In our experience, Saudi SCCs will likely be the most common safeguard used to document the cross-border transfers of personal data. SDAIA has issued guidelines on the Saudi SCCs,[6] and we point out a few interesting points of comparison between the Saudi SCCs and the EU SCCs below.

[6] SDAIA – Standard Contractual Clauses For Personal Data Transfers, Link.

  1. Security measures: Compared to EU SCCs, the Saudi SCCs provide a more detailed and granular list of security measures in their appendices regarding maintaining the security of the personal data at all stages of the processing. This prescriptive articulation indicates an intentional effort to support Saudi data exporters in identifying and requiring baseline technical and organizational controls from overseas importers, acknowledging that some may be less familiar with the security expectations long embedded within the more mature EU regulatory framework. In practice, the measures operate as a pragmatic checklist, narrowing interpretive uncertainty and facilitating demonstrable and critical due diligence and accountability in cross‑border transfers.

  2. Accession of new parties: EU SCCs have an optional ‘docking clause’ to enable additional parties to join the transfer contract. Although the Saudi SCCs do not contain such a clause, the guidelines seem to permit its inclusion.

Recommendations for Organizations Engaged in International Transfers of Personal Data

Given the nascency of the development of the Saudi DP Laws, there is limited precedent on the application of the rules. That said, as under the GDPR, demonstration of good faith compliance is key to minimizing regulatory risks. Therefore, when transferring personal data outside Saudi Arabia, international organizations should consider the following measures:

  1. Assess the purpose of transfer: Confirm that the transfer aligns with one of the Permitted Purposes under Saudi DP Laws and whether the purpose could also fall within the narrower scope of Exempt Cases.

  2. Evaluate jurisdictional adequacy: Until SDAIA publishes the list of approved jurisdictions, prioritize transfers to countries recognized under the GDPR adequacy framework.

  3. Implement Appropriate Safeguards: Where transfers do not cause any prejudice to national security or the vital interests of Saudi Arabia and are made to jurisdictions without adequate protection, ensure that such transfer is protected through Saudi SCCs, BCRs, or a Certificate as applicable.

  4. Conduct risk assessments: Before any transfer, perform and document a thorough risk assessment based on the SDAIA guidance, addressing the nature, scope, and safeguards of the transfer, and ensure data minimization principles are upheld.

  5. Monitor regulatory updates: Stay informed about SDAIA’s future publications, especially the list of approved jurisdictions, any changes to the Transfer Regulations, and further guidance on the Saudi DP Laws.

  6. Train internal teams: Educate legal, compliance, business, human resources, and IT teams on the Saudi DP Laws requirements and the implications of cross-border data transfers to ensure consistent and lawful practices.

  7. Appoint a data privacy lead, maintain processing records, and consider specific local requirements: From a governance perspective, appointing a local privacy lead, aligning incident management to Saudi notification requirements, and maintaining records accessible to Saudi authorities can be as important as the transfer instrument itself. For global privacy teams, this means that standard playbooks need Saudi-specific compliance considerations, not just GDPR baseline compliance mapping.

Conclusion

The Saudi DP Laws introduce a structured and principle-based framework for cross-border personal data transfers, emphasizing national interest, data subject rights, and adequate protection standards. While the absence of an official list of approved jurisdictions presents a challenge, organizations can mitigate risks by aligning with international best practices, such as those set out under the GDPR, implementing robust transfer safeguards, and documenting measures to demonstrate good faith compliance with the Saudi DP Laws.

As the regulatory landscape continues to evolve, proactive compliance and ongoing monitoring will be key to maintaining lawful and secure data transfer operations. We will continue to closely observe these developments, including in relation to tailored regulatory guidance, which will give further insight and legal certainty for the transfer of Saudi personal data abroad.