The Operative Legal Environment
Saudi Arabia's PDPL prohibits the transfer of personal data outside the Kingdom unless specified conditions are met. The framework contemplates that SDAIA would publish a list of countries determined to offer adequate protection for personal data, and that transfers to those countries could proceed on the basis of that adequacy determination. As of the date of this article, no such list has been published. This is not a transitional gap — it is the operating environment, and every organization transferring personal data out of Saudi Arabia is operating within it.
The absence of an adequacy list does not mean cross-border transfers are prohibited. It means that every transfer must be conducted on one of the other available legal bases, and that the organization must have documented evidence of that basis before the transfer occurs. The compliance question is not whether a transfer can happen — it is whether the organization has done what the law requires to make it lawful.
The Three Available Legal Bases
In the absence of an adequacy decision, the PDPL and Implementing Regulations provide three alternative legal bases for cross-border transfer:
- Contractual necessity: The transfer is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject's request. This basis is narrow in scope. It covers transfers that are genuinely essential for the delivery of a specific service to the individual — for example, transferring personal data to an international courier service to execute a delivery. It does not cover ongoing transfers to cloud vendors, shared service centers, or group entities that are structural elements of how an organization processes data generally, rather than transaction-specific necessities.
- Public interest: The transfer is necessary for the performance of an obligation imposed by law or for the protection of the public interest. This basis applies to transfers required by international treaty obligations, regulatory coordination between Saudi regulators and foreign counterparts, or other genuine public interest grounds. It is not available as a general basis for commercial processing.
- Explicit consent: The data subject has given explicit consent to the transfer of their personal data to the specific recipient country or entity, after being informed of the absence of adequate protection in the destination and the risks that entails. This is the most widely misapplied basis in practice. Consent under the PDPL must be freely given, specific, informed, and unambiguous. Consent buried in a privacy notice, bundled with consent for other processing activities, or obtained as a condition of service does not meet this standard. For routine commercial data transfers — such as HR data to a global HRIS platform, or customer data to an international CRM — obtaining valid explicit consent for each transfer is generally impractical and not the appropriate legal basis.
Standard Contractual Clauses Under Saudi Law
The PDPL framework references "appropriate safeguards" as a mechanism for cross-border transfer, analogous to the standard contractual clauses (SCCs) mechanism under the EU's GDPR. However, SDAIA has not yet issued a set of approved model contractual clauses for use under Saudi law. This creates a specific compliance challenge: organizations that want to rely on contractual safeguards must determine what substantive content those contractual provisions must include to constitute adequate safeguards under the PDPL, in the absence of a published template.
Based on the Implementing Regulations' description of the content that appropriate safeguards must cover, contractual transfer provisions under Saudi law should address, at minimum:
- Purpose limitation binding on the recipient
- Security obligations at least equivalent to those applied by the transferring organization
- Data subject rights that the recipient will honor
- The right of the transferring organization to audit or verify compliance
- The obligation of the recipient to notify the transferring organization of any personal data breach within a timeframe that allows the transferring organization to meet its own SDAIA notification obligations
- Data retention and deletion obligations that align with the transferring organization's PDPL obligations
Documentation Required Today
Regardless of which legal basis an organization relies upon, the PDPL's Implementing Regulations require specific documentation to be maintained before and during any cross-border transfer:
- An entry in the data processing register that identifies the transfer, the legal basis, the recipient, and the destination country
- For contractual safeguards: the executed agreement or specific contractual provisions that constitute the safeguard instrument
- For consent-based transfers: records of consent, including the information provided to the data subject about the destination country and risks, and the mechanism by which consent was obtained
- For public interest transfers: the specific legal obligation or public interest ground, with reference to the applicable law or regulatory requirement
- A record of any data protection impact assessment conducted in connection with the transfer
The documentation obligation is not a formality. In enforcement proceedings, SDAIA has treated the absence of documentation as evidence that no legal basis existed at the time of transfer — even where the organization subsequently identified a legal basis that would have been available. The compliance record must exist contemporaneously with the transfer.
When to Expect an Adequacy List
SDAIA has indicated in public guidance that it is actively developing a framework for adequacy determinations, including assessments of the data protection regimes of countries that are significant trading and investment partners for Saudi Arabia. However, no timeline has been announced, and no draft list has been published for consultation. Organizations operating on an assumption that an adequacy list is imminent — and that the interim compliance burden will be regularized once the list is published — are accepting a risk that the current enforcement environment does not support. The practical implication is that the compliance infrastructure an organization builds today to meet the no-adequacy-list environment is the same infrastructure that will underpin its compliance once a list is published: the adequacy list, when it arrives, will simplify rather than replace the transfer documentation obligations.