Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding which lawful data transfer mechanisms apply is essential before personal data is made available to recipients located in other countries. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside the country being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Saudi Arabia’s new Personal Data Protection Law (PDPL) restricts controllers from transferring personal data outside of the country, but until the executive regulations are released, it is unclear when personal data transfers will be permitted.
Under the PDPL, personal data can only be transferred by controllers:
- when required to comply with an agreement to which Saudi Arabia is a party;
- to serve Saudi interests; or
- for other purposes to be set out in the executive regulations.
When personal data transfers are permitted, they must meet the following requirements:
- The transfer/disclosure should not prejudice the national security or vital interests of Saudi Arabia.
- There must be sufficient guarantees for preserving the confidentiality of personal data so that the level of protection is not less than under the PDPL and its regulations.
- The transfer/disclosure is limited to the minimum amount of personal data required for the transfer/disclosure.
- The regulatory authority approves the transfer/disclosure in accordance with regulations.
In certain instances, the Cloud Computing Regulatory Framework (CCRF) may apply. Under the CCRF, cloud service customers are required to categorize their data into one of four categories (Level 1 to Level 4). Data that is categorized as ‘Level 3’ or ‘Level 4’ cannot be transferred outside the country or processed in a public cloud. HR-related employee data would generally be classified as ‘Level 1’ or ‘Level 2’ data. In some instances, employers in certain regulated industries or who hold highly sensitive staff data may use a ‘Level 3’ categorization, which would prohibit that data from being transferred outside Saudi Arabia or processed in a public cloud.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data, including where staff or vendors outside Saudi Arabia can remotely access data hosted in the country. Employers should therefore identify where cloud-hosted employee data is stored and who can access it, and categorize it under the CCRF before selecting a hosting location. The executive regulations should provide more clarity on when international personal data transfers are permitted and how limited exceptions may apply.