Data localization and regulation of non-personal data
Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?

Last review date: 31 December 2024

Yes.

☒  b)    other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:

         tax or financial record laws

         employment laws

In addition to the personal data transfer restrictions under the PDPL and the Data Transfer Regulations, there are various sectoral rules focused on data localization:

  • The Cloud Computing Services Provisioning Regulations (CCSPRs) issued by the Communications, Space and Technology Commission (CST) apply to the hosting of data in the context of the provision of a cloud computing service. The CCSPRs require all cloud service providers (CSPs) registered with the CST, as well as cloud customers, to ensure that no data of Saudi Arabia's public sector entities/government authorities is transferred outside Saudi Arabia for any purpose, permanently or temporarily (e.g., for caching, redundancy or similar purposes), unless this is expressly allowed under the laws or regulations of Saudi Arabia. Government entities are only permitted to host their data with CSPs that have the appropriate licenses issued by, or registrations with, the CST. In addition, consent is required from both the CST and the customer before the service provider transfers any data outside of Saudi Arabia.
  • The Implementing Regulations of the Income Tax Law require that taxpayers' books be kept in Saudi Arabia.
  • The Labor Law requires that certain records, statements and files be maintained at the workplace, whether in hard or soft copy.
  • The Insurance Market Code of Conduct Regulation requires insurance companies to ensure, at all times, that customer personal data is protected. This means that the data must be obtained and used only for specified and lawful purposes, kept by the insurance company in Saudi Arabia, provided to the customer upon their written request, and not disclosed to any third party without the prior authorization of SAMA.

Does law or regulation impose mandatory requirements to share or make accessible non-personal data?

Last review date: 31 December 2024

         Obligation for public sector organizations to share or make accessible non-personal data

If so, please provide brief details of the relevant law or regulation.

Saudi Arabia is actively promoting open data as part of its Vision 2030 initiative, aiming to increase transparency, encourage public participation, and foster innovation. This initiative is set out in the Open Data Policy published by SDAIA in 2020, which outlines the principles and guidelines for open data in Saudi Arabia, emphasizing free access, reuse, and redistribution of data while respecting privacy and security considerations.

What specific obligations do these data-sharing rules impose on private organizations?

Last review date: 31 December 2024

         Obligation to share data on request

         Obligation to share data proactively

         Obligation to (re)design products or services to facilitate data accessibility

         Obligation to standardize products or services to facilitate data portability or interoperability