Skip to main content
General rules for transferring personal data outside the geographical borders of the Kingdom

1. Scope of Policy Application

This policy applies to the following:

  • All personal, academic, and research data that is transferred, stored, or processed outside the Kingdom.
  • All data transfers to international cloud service providers.
  • All research agreements and joint projects that require data sharing with external parties.
  • Data stored on systems or electronic platforms located outside the Kingdom.

Exemptions:

  • Anonymized data that does not contain personal or sensitive information.
  • Data published openly by the university as part of its open data policy.
  • Data whose transfer is mandated by law or regulation under international agreements signed by the Kingdom.

2. Core Principles for Cross-Border Data Transfer

National Data Sovereignty

  • Priority must be given to storing and processing data within the Kingdom whenever possible, utilizing local cloud service providers approved by the Digital Government Authority and the National Cybersecurity Authority.
  • Data may not be transferred outside the Kingdom unless no suitable local solution exists that meets the university’s operational requirements.

Legal Basis for Transfer

  • Data may not be transferred outside the Kingdom unless a clear legal basis exists, such as:
    • Approval from the relevant regulatory authority.
    • Fulfillment of legal or contractual obligations that require data sharing with an external entity.
    • Participation in globally recognized research platforms that require the exchange of research data.

Data Protection Compliance in the Receiving Country

  • The receiving country must be included on the list of approved countries published by the National Data Management Office, confirming that the country provides a level of data protection equivalent to or higher than the standards of the Kingdom.
  • If the receiving country is not on the approved list, a comprehensive risk assessment must be conducted before transfer approval is granted.

Minimum Necessary Data

  • Data transferred must be limited to the minimum necessary to fulfill the legal or operational purpose of the transfer.
  • Personal data must be anonymized before transfer whenever possible.

Data Protection During Transfer

  • Data must be encrypted during transfer using strong encryption protocols such as AES-256 or equivalent.
  • Data must be transmitted over secure channels such as encrypted VPNs or private communication networks that ensure protection against data interception during transfer.

Data Subject Consent

  • If the data concerns identifiable individuals (e.g., students or employees), their explicit written or electronic consent must be obtained prior to transfer, unless there is a legal obligation or legitimate interest that justifies the transfer.
  • The privacy notice must clearly state how the data will be used, the receiving party, and the safeguards in place to protect the data.
Contact