Cross-Border Data Transfer Under PDPL

The Personal Data Protection Law (PDPL) restricts the transfer of personal data outside the Kingdom. The general principle: transfer is prohibited except when a legal exception applies. SDAIA is responsible for determining adequate countries and the details of safeguards.

Adequacy determinations: SDAIA may issue a list of countries or regions offering an equivalent level of protection. Transfer to an adequate country does not require additional safeguards. As of this guide, the official list is limited — transfer to most countries requires another basis.

Contractual safeguards: in the absence of adequacy, transfer is permitted with contractual safeguards — such as Standard Contractual Clauses (SCCs) — ensuring the recipient commits to adequate protection standards. SDAIA may approve model clauses. Contracts with cloud providers and foreign processors must include these clauses.

Transfer of personal data outside the Kingdom is restricted by default — adequacy, contractual safeguards, or explicit consent lift the restriction when conditions are met.

Consent-based transfer: explicit, specific consent from the data subject to the transfer may suffice in certain cases. Consent must be prior, informed, and withdrawable. Relying on consent as a standing mechanism is administratively complex — contractual safeguards are often preferable for business relationships.

Other exemptions may include: legal obligation, protection of vital interests, lawfully published data, and transfer in the context of judicial or international cooperation. Each exemption must be documented and justified.

Cloud hosting: using AWS, Azure, or Google Cloud in regions outside the Kingdom involves data transfer. A Data Processing Agreement (DPA) with the provider, Standard Contractual Clauses, and a Transfer Impact Assessment (TIA) are required. Major providers offer ready DPAs and SCCs — verifying their alignment with PDPL is essential.

Transfer impact assessment: before transferring to a non-adequate country, an assessment is recommended to determine: the level of protection in the destination country, the possibility of access by its authorities, and any additional safeguards applied. The assessment is documented and updated periodically.

Liability: the exporter (controller) remains responsible for ensuring the recipient complies with adequate standards. Contracts must bind the recipient and provide an enforcement mechanism — arbitration or jurisdiction.