International Transfers under Saudi Arabia’s New Data Protection Law
Saudi Arabia’s Personal Data Protection Law (PDPL) comes into force on 13th September 2024 and regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains strict rules about when personal data can be transferred outside the jurisdiction.
Article 29 of the PDPL states that when transferring personal data outside Saudi Arabia, Data Controllers must ensure that the receiving country or international organisation has an appropriate level of personal data protection. The Regulation on the Transfer of Personal Data Outside the Kingdom (Transfer Regulation) provides more detail about the rules to be followed upon transfer. Two of the circumstances where personal data transfers are allowed outside the Kingdom are when Standard Contractual Clauses are used and where personal data is transferred among a group of multinational entities, provided that the Data Controller and its entities abide by Binding Common Rules (BCRs).
The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, recently released the draft Standard Contractual Clauses (SCCs) for Personal Data Transfer and Guidelines for Binding Common Rules. Both are open for comment for the next 8 days. In July SDAIA also published draft rules for the appointment of a DPO under the PDPL.
SCCs and BCRs are vital safeguards, defining the obligations of Data Controllers and Data Processors involved in cross-border data transfers, thereby ensuring compliance and protecting personal data even beyond the Kingdom’s borders. Organisations doing business in the Middle East need to carefully consider the impact of the rules on international transfers under the PDPL. Thought must also be given to the appointment and training of a suitably qualified DPO.
Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one-hour awareness-raising webinars to comprehensive full-day workshops and DPO certificate courses.