General rules for transferring personal data outside the geographical borders of the Kingdom
1. Scope of Policy Application
This policy applies to the following:
- All personal, academic, and research data that is transferred, stored, or processed outside the Kingdom.
- All data transfers to international cloud service providers.
- All research agreements and joint projects that require data sharing with external parties.
- Data stored on systems or electronic platforms located outside the Kingdom.
Exemptions:
- Anonymized data that does not contain personal or sensitive information.
- Data published openly by the university as part of its open data policy.
- Data whose transfer is mandated by law or regulation under international agreements signed by the Kingdom.
2. Core Principles for Cross-Border Data Transfer
National Data Sovereignty
- Priority must be given to storing and processing data within the Kingdom whenever possible, utilizing local cloud service providers approved by the Digital Government Authority and the National Cybersecurity Authority.
- Data may not be transferred outside the Kingdom unless no suitable local solution exists that meets the university’s operational requirements.
Legal Basis for Transfer
- Data may not be transferred outside the Kingdom unless a clear legal basis exists, such as:
  - Approval from the relevant regulatory authority.
  - Fulfillment of legal or contractual obligations that require data sharing with an external entity.
  - Participation in globally recognized research platforms that require the exchange of research data.
Data Protection Compliance in the Receiving Country
- The receiving country must be included on the list of approved countries published by the National Data Management Office, confirming that the country provides a level of data protection equivalent to or higher than the standards of the Kingdom.
- If the receiving country is not on the approved list, a comprehensive risk assessment must be conducted before transfer approval is granted.
Minimum Necessary Data
- Data transferred must be limited to the minimum necessary to fulfill the legal or operational purpose of the transfer.
- Personal data must be anonymized before transfer whenever possible.
Data Protection During Transfer
- Data must be encrypted during transfer using strong encryption protocols such as AES-256 or equivalent.
- Data must be transmitted over secure channels such as encrypted VPNs or private communication networks that ensure protection against data interception during transfer.
Data Subject Consent
- If the data concerns identifiable individuals (e.g., students or employees), their explicit written or electronic consent must be obtained prior to transfer, unless there is a legal obligation or legitimate interest that justifies the transfer.
- The privacy notice must clearly state how the data will be used, the receiving party, and the safeguards in place to protect the data.