The Controller may transfer personal data outside of Oman in accordance with the Executive Regulations except if it was processed in violation of the DPL or would cause harm to the data subject.
The personal data may be transferred outside the UAE if there is an adequate level of protection in the country to which the data is to be transferred. If there is not an adequate level of protection, data may be transferred outside the UAE (i) under a contract or agreement that obliges the entity in the country without adequate protection to implement the provisions, measures, controls and requirement set out in the DPL (ii) if express consent of the data subject is obtained (iii) if the transfer is necessary to comply with a legal obligation, enter into or execute a contract between the Controller and Data Subject, or between the Controller and a third party to achieve the Data Subject’s interest, perform a procedure relating to international judicial cooperation or protect the public interest.
Personal data may not be transferred outside KSA (except to implement an obligation under a convention or to serve the interests of KSA), unless the following conditions are met (i) the transfer does not prejudice national security (ii) sufficient guarantees are provided for preserving confidentiality of the data being transferred so the level of protection is the same as set out in the DPL (iii) transfer is limited to the minimum personal data needed (iv) the regulator approves the transfer pursuant to the Regulations.
Service Providers shall notify the data subject in the event where the Service Provider intends to transfer the personal data outside Kuwait in accordance with the data classification policy issued by the regulator.
The Controller shall
be prohibited from taking any decision or measure that may limit the Cross Border Data Flow, unless the processing of such data is in breach of the DPL, or where such processing may cause serious damage to the data or to the data subject’s privacy.
Data should not be transferred outside Bahrain except in the following cases (i) transfers to a country or territory included in a the adequate level of protection country list attached to Decision No. 42 of 2022 (ii) transfers with the regulator’s permission which must be requested in accordance with Article 3 of Decision No. 42 of 2022 and will be issued in a case by case basis if the regulator is satisfied that the data will have an adequate level of protection.
If the country to which the data is being transferred does not have an adequate level of protection, the data may still be transferred in the following cases (i) if the data subject consents (ii) if the data is already publicly available (iii) if the transfer is necessary to implement a contract between the Controller and the data subject, execute or conclude a contract between the Controller and a third party for the benefit of the data subject, protect the data subject’s vital interests, comply with a legal or judicial obligation or order, and investigation of, directly claiming or defending a legal claim.