Demystifying Cross-Border Data Transfers in Saudi Arabia

1. Why this matters

Saudi organizations increasingly rely on regional or global cloud, HR/payroll, CRM and analytics platforms. Article 29 of the Personal Data Protection Law (PDPL) and the SDAIA Regulation on Personal Data Transfer outside the Kingdom (Transfer Regulation) indeed restrict how personal data may leave KSA - but they do not impose a blanket ban.

For most day-to-day business scenarios transfers remain perfectly lawful once the steps below are followed.

 

2. Sector-specific checkpoints - check before proceed

PDPL and the SDAIA Transfer Regulation are your starting point, but some industries carry extra rules that must be complied with. For example, organizations in Saudi Arabia's financial sector, such as banks, insurance companies, and fintech firms, may need to first obtain a "no-objection" letter from the Saudi Central Bank before transferring or storing personal data outside the Kingdom. Also, the data of Saudi governmental agencies, as a general rule, must not be transferred to cloud-storage systems located outside the Kingdom.

Therefore, before proceeding with the transfers, always check your sector-specific rules – whether they add any additional restrictions to the requirements of the six-step compliance roadmap.

 

3. The six-step compliance roadmap

Follow the below key six steps to legally transfer personal data outside Saudi Arabia.

N	Step	What to do	Practical tip
1	Map & classify data	Identify the personal data to be transferred and the destination systems. Record it in your records of processing activities (RoPA).	Always keep RoPA updated. This is your key document in the area of data privacy.
2	Confirm a lawful basis	Confirm and document the lawful bases from those specified in the PDPL: consent, legitimate interest, etc. Record it in the RoPA.	You must have 2 lawful bases in place: (i) one for processing the personal data in general (take from the list in articles 5-6 of the PDPL) and (ii) one for the disclosure of the personal data (take from the list in article 15 of the PDPL).
3	Check the transfer purpose	A transfer is allowed only where one of the purposes in article 29 (1) of the PDPL or article 2 of the Transfer Regulation applies - e.g. performing a contract with the individual, central processing, service provision to the data subject, scientific research, etc.   The transfer must also not harm national security or the Kingdom’s vital interests.	Routine IT support, group HR and cloud back-ups usually qualify as “central processing”.
4	Look for the “white list”	If the destination country appears on SDAIA’s “white list” with countries having adequate personal data protection - you may proceed with the transfer.	As of today, no “white list” exist. You must regularly check if it is adopted and what countries it includes.
5	Apply an approved safeguard	Where no adequacy finding exists, choose one: - SDAIA Standard Contractual Clauses (SCCs) - Binding Common Rules (BCRs) for a corporate group - Certificate from an accredited body	SCC is the most quick safeguard to prepare and use, as of today.   The certification scheme is currently not in the operation.
6	Complete a Transfer Risk Assessment (TRA)	Prepare a Transfer Risk Assessment whenever (i) the destination is not on SDAIA’s white list or (ii) the dataset is sensitive (e.g. contains health data) and the transfer is continuous or large-scale.	Document risks and mitigation measures. Use your existing data protection impact assessments as an example, to build upon the TRA.

 

4. Key documents you must keep

- Records of Processing Activities (RoPA) - must list every cross-border processing, its lawful basis and security controls.

- Transfer Risk Assessment files – prepare the assessment report, based on the published SDAIA guidance.

- Executed SCCs / approved BCR policy / certificates – formalize these documents that are the required safeguards for transfer of personal data outside Saudi Arabia. Check article 4 on which document is required for your transfer.

 

5. How we can help you

Eversheds and Konexo supports Saudi and international companies in managing cross-border data transfers with clarity and confidence. Here is how we can help:

- Fast-track transfer assessments and implementation – We run tailored PDPL transfer reviews and prepare regulator-ready documentation, including TRA reports and other necessary documents.

- Sector rule overlays – We identify any SAMA, NCA or other sector-specific requirements that may apply to your project.

- Training and readiness – We equip your legal, compliance and IT teams with the practical knowledge they need to handle cross-border data transfers.

Each solution is hands-on, fast to deploy, and tailored to the Saudi regulatory landscape.