Chapter 1 - Definitions and General Provisions:
– Defines terms like personal data transfer, regulations, anonymization, pseudonymization etc.
– Allows controllers to transfer/disclose personal data outside Saudi Arabia if it doesn’t compromise national security, vital interests of the Kingdom or violate other laws
– Mandates limiting transfer/disclosure to the minimum necessary data by using tools like data maps
– Ensures transfers don’t impact data subjects’ ability to exercise rights, withdraw consent, be notified of breaches, measures for data security, etc.
– Permits transfers for purposes like enabling controller’s operations, providing benefit to data subject, scientific research
Chapter 2 - Transfer Based on Adequate Protection Level:
– Outlines criteria like existence of data protection laws, rule of law, implementation effectiveness, ability for data subjects to exercise rights, supervisory authorities etc. to evaluate adequate protection level in other countries/sectors
– Competent Authority to assess and submit results/recommendations to Prime Minister on issuing adequacy decisions or negotiating international agreements
– Adequacy decisions/international agreements to be reviewed at least once every 4 years
– Can propose amendments, termination based on review results
Chapter 3 - Exemption Cases:
– If no adequate protection and safeguards under Article 5 cannot be used, allows transfers for purposes like contract performance, national security, crime investigation, protecting vital interests
– Outlines use of safeguards like binding corporate rules, standard contractual clauses, certifications, codes of conduct when no adequate protection
– Details components binding corporate rules must contain
– Adoption of safeguards doesn’t limit controller responsibilities under the law
Chapter 4 - Final Provisions:
– Mandates risk assessments when using safeguards, transferring sensitive data at scale, or using exemptions
– Outlines minimum elements for risk assessments like purpose, scope, safeguards, impact assessment
– Allows Competent Authority to stop transfers impacting national security or if high privacy risks
– Empowers Competent Authority to issue guidelines
– Sets regulation enforcement aligned with overarching data protection law
The regulation establishes a framework allowing global personal data flows while ensuring adequate protection standards are met and Saudi national interests remain protected.