The Implementing Regulations to the PDPL flesh out and clarify a number of the provisions in the PDPL, and also impose some new obligations on controllers. SDAIA has also extracted the requirements that govern personal data transfers from the Kingdom of Saudi Arabia ("KSA") and set them out in separate Personal Data Transfer Regulations (the "Personal Data Transfer Regulations"). The Personal Data Transfer Regulations and the Implementing Regulations are collectively referred to in this article as the "Regulations".
Guidance on the requirements of the amended PDPL, issued in March 2023, can be found in our previous article.
The Regulations and the PDPL came into effect on 14 September 2023 and organisations now have the benefit of a one-year grace period (until 14 September 2024) in which to bring their operations into compliance with the law. SDAIA has the right to extend this timeline, but only on application from the relevant controller, which it will assess on a case-by-case basis.
In this article we provide an overview of the requirements under the Regulations and consider the impact they are likely to have on businesses.
Permitted international data transfers and exemptions
The core concepts of the Personal Data Transfer Regulations are heavily inspired by the EU General Data Protection Regulation ("GDPR"). They split transfers of personal data from the KSA into two categories: (1) countries that are considered by SDAIA to provide an appropriate level of protection to personal data ("Adequate Countries"); and (2) countries that are deemed not to provide an adequate level of protection to personal data ("Non-Adequate Countries").
Chapter 2 of the Regulations sets out the evaluation criteria used by SDAIA and the procedure for determining and reassessing whether a country is an Adequate Country. Although a list of Adequate Countries has not yet been issued at the time of writing, we are aware that this task is viewed as a priority for SDAIA and the industry, and efforts are well underway to conduct the required adequacy assessments.
Whilst one might reasonably hope that the list of Adequate Countries will include at least some of the jurisdictions deemed "adequate" under the GDPR, this cannot be concluded with certainty at this time.
If a cross-border transfer is made to a Non-Adequate Country, then the Regulations provide several mechanisms (referred to in this article as "Safeguards") to legitimise such transfers. The Safeguards listed in Chapter 3 of the Regulations largely reflect the Safeguards that feature in the GDPR and specifically include:
- Binding Common Rules: equivalent to binding corporate rules, these rules apply to all parties engaged in a joint economic activity, including their employees. These rules must be approved by SDAIA on a case-by-case basis;
- Standard Contractual Clauses ("SCCs"): a set of standard form clauses for inclusion in contracts that are designed to ensure a sufficient level of protection for personal data. The SCCs are yet to be published, however the Regulations envisage that SDAIA will develop and adopt its own template;
- Certifications of compliance with the PDPL: These certificates will be issued by SDAIA and will contain enforceable commitments placed on the data importer in the Non-Adequate Country, obliging them to apply appropriate safeguards; and
- Binding Codes of Conduct: These codes of conduct will need to be approved by SDAIA and will be issued on a case-by-case basis. They will also contain enforceable commitments from the data recipient in the Non-Adequate Country.
In addition to these Safeguards, there are several derogations available which can be relied on to make cross-border transfers to Non-Adequate Countries. The Regulations suggest that these derogations should only be relied upon in the absence of an adequate level of protection for the data being transferred and where no other appropriate Safeguards can be identified. These derogations include:
- where the transfer of personal data is necessary for the performance of an agreement to which the data subject is a party;
- where the controller is a public entity and:
  - the transfer or disclosure is necessary for the protection of the KSA's national security, or it is in the public interest; or
  - the transfer or disclosure is necessary for the investigation or detection of crimes or the prosecution of their perpetrators, or for the execution of penal sanctions; or
- where the transfer is necessary to protect the vital interests of a data subject that is unreachable.
In the same manner as under the GDPR, we anticipate that SDAIA may encourage companies to make systematic transfers to Non-Adequate Countries in reliance on an approved Safeguard, such as the SCCs. However, in the absence of guidance to the contrary, it will be interesting to see if organisations choose to rely on the derogations more broadly.
The Personal Data Transfer Regulations also introduce additional legal grounds for carrying out cross-border transfers of personal data, including the following:
- where the processing operations enable the controller to carry out its activities, including central management operations;
- where the processing results in the provision of a service or benefit to the data subject; and
- where the processing is to conduct scientific research and studies.
We expect that further guidance will be provided in due course on how these grounds interact with the legal bases for processing under Article 6 of the PDPL: in particular, whether an Article 6 legal basis must also be satisfied before one of these grounds can be relied on, or whether the two sets of grounds are alternatives, such that a controller may rely exclusively on either the grounds in Article 6 of the PDPL or those in Article 2(4) of the Personal Data Transfer Regulations to conduct processing that includes a cross-border transfer of personal data.
Consent to process personal data
The Implementing Regulations expand the concept of consent and draw a distinction between ordinary consent and "explicit consent", which is the standard of consent required by controllers who wish to process Sensitive Data (as that term is described in the PDPL), as well as for automated personal data processing.
If an organisation relies on consent to legitimise its processing of an individual's personal data, the consent must be given freely and must not be obtained through misleading methods. The processing purpose should be explained to the data subject in a way that is clear and specific, and independent consent must be obtained for each processing purpose.
As is the case under the GDPR, consent can be withdrawn at any time and the Implementing Regulations specify that the procedure for doing so must be similar to or easier than the process for originally providing consent.
Legitimate interests in processing data
When relying upon the legitimate interest lawful basis for processing personal data, controllers must adhere to specific conditions which are set out in the Implementing Regulations. Importantly, one of those conditions is that such processing must not include Sensitive Data.
Another condition is that the controllers must balance the rights and interests of the data subject against the legitimate interests of the controller and that the controller's own legitimate interests should not override the rights and interests of the data subject (similar to a legitimate interest assessment under the GDPR).
Third party data processors
The Implementing Regulations provide that controllers who engage processors to process personal data on their behalf must enter into agreements with those processors that include sufficient assurances related to the protection of the personal data they process. These agreements must contain specific obligations that will be recognisable to those familiar with Article 28 of the GDPR. However, the Implementing Regulations feature some key differences, including that the processor must confirm that they are not subject to any other regulations in any other countries that impact their ability to comply with the PDPL.
Critically, the Implementing Regulations specify that if the processor violates the instructions issued by the controller under the data processing agreement, they will be considered to be a controller and shall be held directly accountable for any associated breaches of the PDPL. This is likely to have a significant impact on data processing agreements, specifically in relation to the indemnities that are provided and the practices associated with documenting instructions from controller to processor. We expect that further guidance will also be published in respect of claims that can be brought by data subjects in these circumstances.
Data subject rights
The Implementing Regulations clarify certain requirements in respect of data subject rights and require that controllers respond to data subject requests within 30 days, extendable by a further 30 days where the request requires unexpected or unusual additional effort or where the controller receives multiple requests from the same data subject. This is a shorter extension period than that available under the GDPR, which allows up to a maximum of three calendar months in total to respond to complex or multiple requests.
The Regulations also permit controllers to refuse to act on data subject requests that are repetitive, manifestly unfounded, or which require disproportionate effort. It will therefore be interesting to see how controllers apply these grounds for refusal in practice and whether any further guidance is provided on them.
Data breach notifications
Controllers must notify SDAIA of a personal data breach within 72 hours of becoming aware of it where the breach may cause harm to the personal data or to the data subject, or where it conflicts with the data subject's rights or interests.
If the controller is unable to provide the requisite information to SDAIA related to the data breach within the 72-hour time limit, it must provide such information as soon as possible together with the justifications for delay.
Data subjects must be notified of personal data breaches without undue delay if the breach might cause damage to the data subjects' data or conflict with their rights or interests. Notably, this threshold for data subject notifications is lower than that included in other modern data protection laws. In the absence of further guidance, we may see more data breaches that meet this notification threshold.
Data protection impact assessments ("DPIAs")
Article 25 of the Implementing Regulations sets out when DPIAs must be conducted and specifies the information that should be included, as a minimum. The circumstances where a DPIA must be completed include, amongst others, where the processing involves Sensitive Data or the use of a new technology.
Advertising and direct marketing
Articles 28 and 29 of the Implementing Regulations respectively deal with the processing of personal data for advertising or awareness purposes and for direct marketing purposes. Consent is required for both purposes and controllers must also provide an easy and simplified mechanism to enable data subjects and targeted recipients to stop receiving advertising and marketing materials at any time.
We expect that further guidance will be provided in due course to clarify the distinction between advertising under Article 28 and direct marketing under Article 29. In addition, it remains to be seen how Article 28 in particular is intended to operate, as organisations across a variety of sectors are often required to provide data subjects with certain information updates from time to time.
Businesses that do carry out direct marketing activities should proactively work to obtain the necessary consents from data subjects in advance of the PDPL's enforcement on 14 September 2024. Rigorous internal processes and training will also need to be implemented to ensure that these new requirements are not breached.
Data protection officers (DPOs)
The Implementing Regulations oblige controllers, in certain circumstances, to appoint one or more persons to be responsible for the protection of personal data (i.e., a DPO). Those circumstances include where the primary activities of the controller are based on processing operations that require regular and systematic monitoring of data subjects, or where the main activities of the controller involve the processing of Sensitive Data.
Organisations are free to appoint a DPO internally or to engage a third-party company that provides DPO services.
Health data and credit data
Under Articles 26 and 27 of the Implementing Regulations, SDAIA envisages the adoption of additional controls and procedures which must be followed by controllers when processing Health Data and Credit Data (as those terms are defined in the PDPL). These additional requirements will be developed by the sector regulators in collaboration with SDAIA.
In the meantime, the Implementing Regulations require that all stages of Health Data processing are documented and that the person in charge of (or responsible for) each stage can be readily identified. This suggests that an ordinary Record of Processing Activities ("ROPA") would not suffice for this purpose. The Implementing Regulations also provide that disclosure of a data subject's Credit Data requires the data subject's consent.
What do the regulations mean for businesses?
The Regulations provide some much-needed clarity on SDAIA's expectations and the required level of compliance with the PDPL. We anticipate that the number and frequency of developments will increase as the clock runs down on the deadline to achieve compliance. At the time of writing, for example, SDAIA has announced the launch of its new registration portal, which provides a channel for raising queries directly with the regulator and a number of practical tools to aid compliance, such as a template DPIA.
As the KSA strives to meet its Vision 2030 objectives, data regulation will continue to be a strategic priority. Data regulation such as the PDPL and its Regulations is a tool that will be used, together with technology and sector-specific regulation, to support the creation and protection of the required economic environment.
In order to ensure compliance by 14 September 2024, organisations that process personal data and are either (1) incorporated in the KSA, or (2) providing services into the KSA or supporting service delivery in the KSA, will need to take certain steps, including:
- Training: Ensuring that internal stakeholders and personnel are made aware of their obligations under the PDPL. This will likely involve deployment of training programs, the implementation of appropriate data protection policies, and, in certain cases, the appointment and training of a DPO.
- Changes to business practices: Conduct a gap analysis to baseline existing practices against the PDPL and its Regulations (or the relevant sector requirements as the case may be). For example, audits of all personal data processing activities should be undertaken in order to prepare ROPAs. DPIAs should be carried out in respect of new processing activities, and (to the extent they are not in place already) appropriate technical and organisational measures must be put in place to prevent breaches, enable effective responses to data subject requests and ensure that personal data that is no longer required is deleted. In addition, contracts with processors will need to be reviewed and appropriate data processing addendums executed.
- Transfer assessments: Where controllers will be transferring personal data outside of the KSA, they will need to consider whether the destination country is an Adequate Country or whether Safeguards will need to be adopted or a derogation relied on.
- Monitor and Review: Additional clarification and sectoral laws are expected to be published as the grace period runs down. It is therefore critical for businesses to continue to monitor legal developments in this space.