KSA | JU | General rules for transferring personal data outside the geographical borders of the Kingdom

Facebook of Jouf University

X of Jouf University

Instagram of Jouf University

Youtube of Jouf University

General rules for transferring personal data outside the geographical borders of the Kingdom

1. Scope of Policy Application

This policy applies to the following:

All personal, academic, and research data that is transferred, stored, or processed outside the Kingdom.
All data transfers to international cloud service providers.
All research agreements and joint projects that require data sharing with external parties.
Data stored on systems or electronic platforms located outside the Kingdom.

Exemptions:

Anonymized data that does not contain personal or sensitive information.
Data published openly by the university as part of its open data policy.
Data whose transfer is mandated by law or regulation under international agreements signed by the Kingdom.

2. Core Principles for Cross-Border Data Transfer

National Data Sovereignty

Priority must be given to storing and processing data within the Kingdom whenever possible, utilizing local cloud service providers approved by the Digital Government Authority and the National Cybersecurity Authority.
Data may not be transferred outside the Kingdom unless no suitable local solution exists that meets the university’s operational requirements.

Legal Basis for Transfer

Data may not be transferred outside the Kingdom unless a clear legal basis exists, such as:
- Approval from the relevant regulatory authority.
- Fulfillment of legal or contractual obligations that require data sharing with an external entity.
- Participation in globally recognized research platforms that require the exchange of research data.

Data Protection Compliance in the Receiving Country

The receiving country must be included on the list of approved countries published by the National Data Management Office, confirming that the country provides a level of data protection equivalent to or higher than the standards of the Kingdom.
If the receiving country is not on the approved list, a comprehensive risk assessment must be conducted before transfer approval is granted.

Minimum Necessary Data

Data transferred must be limited to the minimum necessary to fulfill the legal or operational purpose of the transfer.
Personal data must be anonymized before transfer whenever possible.

Data Protection During Transfer

Data must be encrypted during transfer using strong encryption protocols such as AES-256 or equivalent.
Data must be transmitted over secure channels such as encrypted VPNs or private communication networks that ensure protection against data interception during transfer.

Data Subject Consent

If the data concerns identifiable individuals (e.g., students or employees), their explicit written or electronic consent must be obtained prior to transfer, unless there is a legal obligation or legitimate interest that justifies the transfer.
The privacy notice must clearly state how the data will be used, the receiving party, and the safeguards in place to protect the data.

Share this post