PDPL Article 29: What 'Adequate Protection' Actually Requires

What Article 29 Actually Says

Article 29 of Saudi Arabia's Personal Data Protection Law (PDPL) prohibits the transfer of personal data outside the Kingdom unless the destination country or entity provides a level of protection for personal data at least equivalent to that afforded under the PDPL itself. The Implementing Regulations, issued by SDAIA, flesh out the procedural and substantive requirements that organizations must satisfy before any such transfer occurs.

The plain reading of Article 29 is deceptively simple. The compliance burden it imposes is not.

The Three Lawful Bases for Cross-Border Transfer

Under the PDPL and its Implementing Regulations, an organization may transfer personal data outside Saudi Arabia on one of three grounds:

• Adequacy decision: SDAIA has determined that the recipient country or international organization offers adequate protection. As of the date of this article, Saudi Arabia has not published a formal adequacy list. No country has been formally designated as adequate, which eliminates this basis for almost all current transfers.
• Appropriate safeguards: The transferring organization has put in place appropriate safeguards, such as contractual clauses approved or recognized under Saudi law, binding corporate rules for intra-group transfers, or other mechanisms that SDAIA accepts as providing equivalent protection. These must be documented before the transfer occurs, not retrospectively.
• Derogations for specific situations: In limited circumstances, a transfer may proceed without an adequacy decision or safeguards. The PDPL recognizes derogations for explicit consent of the data subject, performance of a contract to which the data subject is a party, public interest, the establishment or exercise of legal claims, and protection of vital interests. Derogations are narrow in scope and cannot be used as a general substitute for a structured transfer mechanism.

What "Adequate Protection" Means in Practice

The phrase "adequate protection" is not defined by reference to a checklist. SDAIA's Implementing Regulations indicate that adequacy is assessed by reference to the nature of the data, the purpose and duration of the processing, the laws of the destination country, and the technical and organizational measures in place at the recipient.

For organizations relying on the appropriate safeguards basis, this means a written transfer agreement or set of contractual clauses must address, at minimum: the purpose limitation of the transferred data, the security measures the recipient will maintain, the data subject rights the recipient will honor, the mechanism by which the transferring organization can audit or verify compliance, and the process for handling breach notification. A vendor data processing agreement drafted under GDPR standards is not automatically compliant with PDPL requirements. The standards overlap but are not identical.

Documentation Requirements

Article 29 compliance is not a one-time assessment. The PDPL requires organizations to maintain records of cross-border transfer activities as part of their broader data processing register obligation. For each transfer, the register must capture the legal basis relied upon, the identity of the recipient, the categories of data transferred, the destination country, and — where safeguards are used — a copy of or reference to the instrument providing those safeguards.

In practice, organizations with cloud infrastructure hosted outside Saudi Arabia, SaaS vendors processing personal data in foreign jurisdictions, or group entities sharing HR and customer data across borders are engaged in cross-border transfers whether or not they have documented them as such. Each of those flows requires a legal basis.

Common Gaps

Enforcement patterns and compliance assessments reveal several recurring failures:

• Undocumented transfers: Organizations have not mapped which data flows cross a border, so they cannot assess whether those flows have a legal basis.
• Reliance on adequacy that does not exist: Some organizations assume that transfers to major cloud providers or to GDPR-compliant countries are automatically permissible. They are not. PDPL adequacy is a Saudi determination, and it has not been made.
• Generic vendor agreements: Standard vendor agreements do not contain the PDPL-specific provisions required to constitute appropriate safeguards under Saudi law.
• Derogation overreach: Organizations invoke the contractual necessity or consent derogations for bulk, ongoing data transfers, which is not a permissible use of a narrow exception.
• No audit mechanism: Even where contractual clauses exist, they contain no right of audit or verification, which is a substantive defect in the safeguard instrument itself.

The Compliance Threshold in Plain Terms

An organization meets the Article 29 threshold when it can demonstrate, with documentation, that every cross-border data flow has been identified, that each flow has a specific legal basis under the PDPL, and that any reliance on safeguards is supported by an instrument that addresses the substantive content requirements. The absence of a Saudi adequacy list is not a temporary exemption — it is the operative legal environment. Organizations operating on the assumption that an adequacy list is forthcoming and that transfers will be grandfathered are misjudging the regulatory risk.