GDPR Compliant? Don't Assume You're Covered in the Gulf

Many businesses operating globally hold the European Union's General Data Protection Regulation (GDPR) or the UK Data Protection Act 2018 (DPA 2018) as the gold standard for personal data protection. Achieving compliance with these laws is a significant undertaking, but the reality of global data governance is that your efforts in Europe do not automatically provide legal "coverage" in other sovereign territories such as the United Arab Emirates (UAE) or the Kingdom of Saudi Arabia (KSA).

Data compliance is highly jurisdictional. If your business processes data relating to residents of the Gulf Cooperation Council (GCC) region, you must also comply with each country's own data protection law.

The Starting Point: The EU/UK Data Framework

The GDPR (Regulation (EU) 2016/679) lays down rules for the processing of personal data relating to natural persons. The EU GDPR applies to processing carried out in the context of the activities of an establishment in the Union, and (under Article 3(2)) to controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union. The DPA 2018 in the UK supplements the UK GDPR, and terms used in Part 2 of the DPA 2018 generally have the same meaning as in the UK GDPR.

A core principle for Controllers (those determining the purposes and means of processing) and Processors (those acting on behalf of the controller) operating under this framework is that if data must be transferred outside the EU/UK to a "third country," specific safeguards must be met. In the absence of an adequacy decision deeming the third country to have an adequate level of protection, appropriate safeguards, such as binding corporate rules or standard data protection clauses, are required for the transfer.

However, even if a transfer from the EU/UK complies with GDPR export rules, that compliance does not satisfy the requirements the destination country imposes once the data arrives.

The Middle Eastern Reality: Extraterritorial Reach

Both the UAE and Saudi Arabia have established national data protection frameworks that explicitly require compliance from entities established outside their borders if those entities handle the personal data of their residents.

1. The UAE (Federal Decree-Law No. 45 of 2021)

The UAE's data protection decree applies broadly to the processing of personal data using electronic systems or other means. Importantly, its scope is extraterritorial:

• It applies to each Controller or Processor residing outside the State and carrying out the activities of processing Personal Data of Data Subjects inside the State.

• "Processing" covers any operation on Personal Data, including collecting, storing, recording, organising, modifying, circulating, retrieving, exchanging, sharing, or transmitting it.

• "Cross-Border Processing" is defined as the dissemination, use, transmission, sharing, or processing of Personal Data outside the State.

Controllers under this law must maintain records that specifically include details related to the cross-border movement and processing of such data. Furthermore, the Processor must provide sufficient guarantees that it will implement technical and organisational measures ensuring compliance with the Decree-Law.

2. Saudi Arabia (Personal Data Protection Law)

The Saudi Personal Data Protection Law (PDPL) similarly casts a wide net based on the data subject's location:

• The Law applies to the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom.

• A Controller (the entity specifying the purpose and manner of processing) is obliged to use a privacy policy, available to Data Subjects, specifying the purpose of collection, the personal data to be collected, and the means used for collection, processing, storage, and destruction.

• When a Controller seeks to transfer Personal Data outside the Kingdom or disclose it to a party outside the Kingdom, specific conditions must be met. The transfer must not prejudice national security and must typically ensure an adequate level of protection, defined as being at least equivalent to the level of protection guaranteed by the Saudi Law and Regulations.

Conclusion: Layered Compliance is Essential


While being GDPR compliant means you adhere to fundamental principles like fairness, accountability, and purpose limitation, this achievement covers only one aspect of global operation. The UAE and Saudi Arabia regulate the processing of their residents' data regardless of where your company is based.

To ensure lawful operation in these jurisdictions, an organisation must:


1. Meet GDPR/UK DPA Requirements: Maintain appropriate safeguards for any data transfer out of Europe.

2. Meet Local Requirements: Implement the specific processes defined by the UAE and Saudi laws, particularly regarding local definitions, accountability (including records of cross-border transfers), and local data protection officer requirements (UAE).

Think of GDPR compliance as mastering the rules of a large, complex international airport. You know how to safely handle and export valuable goods (data) to many destinations. But once the package lands in a new country (UAE or KSA), you must also follow that nation's unique customs, security, and storage laws to complete the journey legally. Your compliance efforts must be layered and customised for each sovereign legal environment.