I. Introduction
As organizations amass massive volumes of data and global data flows are shared across borders, the need for robust mechanisms to protect personal data has become critical.
Consequently, the Saudi Data and AI Authority (SDAIA) released the Regulation on Personal Data Transfer Outside the Kingdom (Transfer Regulation) and the Guidelines for Binding Common Rules (BCR) for Personal Data Transfer, both of which address personal data transfers outside the Kingdom.
This guide dives into the BCRs, exploring their role as a mechanism for ensuring compliance with data protection standards during cross-border data transfers.
II. What are the Transfer Regulations?
On 1 August 2024, the Saudi Data and AI Authority (SDAIA) released the updated Regulation on Personal Data Transfer Outside the Kingdom (Transfer Regulation), which amended the previous regulations under the Personal Data Protection Law (PDPL), originally issued by Royal Decree No. M/19 and later amended by Royal Decree No. M/148.
The Regulation sets out the purposes for which personal data may be transferred or disclosed outside the Kingdom, and the procedures and standards for evaluating the level of personal data protection in the destination country or organization. SDAIA is the authority that supervises compliance with it.
It also sets out the conditions under which data controllers are exempt from meeting those protection standards, and the minimum requirements for transferring personal data under Article 29 of the PDPL and the Regulation itself. In addition, a risk assessment must be conducted before personal data is transferred or disclosed to a party outside the Kingdom.
Learn more about the Regulation on Personal Data Transfer Outside the Kingdom.
III. What are Binding Common Rules?
On 1 September 2024, the Saudi Data and AI Authority (SDAIA) released the updated Guidelines for Binding Common Rules (BCR) for Personal Data Transfer, which explain how BCRs operate under the PDPL (originally issued by Royal Decree No. M/19 and later amended by Royal Decree No. M/148).
The BCR Guidelines ensure the secure transfer of personal data in accordance with the Kingdom’s data protection regulations. These Guidelines provide multinational corporations operating in the Kingdom with a framework for legally transferring personal data beyond the Kingdom while protecting individuals' privacy.
IV. Whom Do the Rules Apply To
A. Material Scope
The Guidelines set out BCR requirements for controllers or processors that transfer personal data outside Saudi Arabia to countries or organizations that do not provide a level of data protection equivalent to that required by Saudi law and regulations. They offer comprehensive guidance on creating and using BCRs to ensure the safe transfer of personal data to organizations within and outside the Kingdom.
B. Territorial Scope
The Binding Common Rules' geographic reach includes any transfers of personal data from Saudi Arabian controllers to any nation or entity outside the Kingdom.
V. Key Definitions Under the Rules
A. Appropriate Safeguards
The SDAIA requires controllers to comply with the PDPL and its Implementing Regulations when transferring or disclosing personal data to entities outside the Kingdom. This includes cases where an exemption from the prescribed data protection standards has been granted. The controller must still ensure that the level of protection afforded to the personal data is at least equivalent to that required by the PDPL and its regulations, even when the data is transferred abroad.
B. Binding Common Rules (BCRs)
A set of legally binding rules established by the controller, applicable to all controllers and processors within a multinational group of entities. These rules ensure that the data protection standards meet or exceed those required by the PDPL and its Implementing Regulations, even when data is shared internationally.
C. Transfer of Personal Data
Transfer, disclosure (or granting of access) of Personal Data from the Kingdom of Saudi Arabia to Controllers, Processors, or other recipients in countries or international organizations other than the Kingdom of Saudi Arabia where neither the Data Exporter nor the Importer is a Data Subject.
D. International Organizations
A legal body comprising members from at least three countries and operating in multiple sovereign states, established through a formal legal instrument such as a treaty or an agreement under international law. That instrument defines the organization's aims and objectives, its structures, its decision-making powers, and its jurisdiction (for example, the United Nations, the World Bank, the League of Arab States, and the Arab Monetary Fund). These organizations carry out international activities and must comply with various personal data protection laws across different jurisdictions.
E. Group of Entities
A set of legal entities engaged in joint economic activities such as franchising, joint ventures, or professional partnerships. These entities operate under shared control, established for example through ownership, common economic interests, financial participation, or governance rules.
VI. Requirements for BCRs
The Guidelines outline the following requirements for BCRs:
- The Group of Entities is responsible for ensuring that the BCRs set out the rights of data subjects, including the right to compensation for violations of those rights, and the controllers' obligations under the PDPL and the Regulations.
- To ensure compliance with the BCRs, the Group of Entities, including the personal data importer, shall collaborate with the SDAIA and appropriate authorities, comply with their requests, and provide the required documentation and information.
- An authorized person within the Group of Entities must approve the BCR internally, ensuring that all compliance and data protection procedures have been assessed and validated.
- The BCR must be legally binding on each and every member of the Group of Entities, ensuring a uniform level of data protection. Every member who receives personal data is required to comply with the Implementing Regulations and the PDPL.
- In addition to the BCR, the PDPL, and its Implementing Regulations, comprehensive policies on data protection, data subject rights, security measures, audits, and managing data breaches and complaints must be established.
General Guidelines
Parties to a binding agreement must ensure that:
- No provisions conflict with the BCR or limit their application;
- The controller must provide evidence of compliance with the BCR, Law, and Regulations upon the SDAIA’s request and establish an effective incident response plan for data breaches or unauthorized access;
- The BCR must include procedures for notifying the SDAIA and affected data subjects in case of a breach that could harm the data or infringe on data subjects' rights;
- A list of members must be kept, including data processors and sub-processors, and must be regularly updated and made accessible to data subjects. A report must be kept detailing the reasons for any changes or updates to the list; and
- The exemption under the BCRs is void if the Data Controller fails to implement them, or if the SDAIA deems the rules inadequate.
VII. Personal Data Protection Measures
The Guidelines outline specific personal data protection measures, including:
A. Personal Data Protection Officer Requirement (DPO)
Organizations, particularly those handling large volumes of personal data, must appoint DPOs and internal/external auditors to oversee personal data protection compliance. The DPO oversees the organization’s data protection strategy, ensures compliance with the guidelines, and liaises with regulatory authorities. Organizations should detail the appointment process for DPOs and clearly define their roles and responsibilities for transparency and accountability purposes.
B. Collaboration and Responsibilities of Personal Data Protection Officers (DPOs)
Organizations should promote coordination among the network of DPOs to maintain uniform data protection procedures. This involves regular communication, sharing best practices, and coordinating group policy to comply with legal obligations. Organizations should also specify their collaboration with the network of DPOs inside the group and the roles and responsibilities of those involved in protecting personal data.
C. Transparency Requirement
Organizations must take relevant steps to ensure transparency in handling personal data, such as establishing a detailed privacy notice and frequently updating data subjects.
D. Personal Data Processing
To ensure compliance with the relevant laws and regulations, organizations should establish clear processes for processing personal data in accordance with the Binding Common Rules (BCR). This entails procedures for handling data lawfully, transparently, and securely while maintaining accountability and consistency across all processing activities.
E. Data Minimization Requirement
Organizations must ensure that only the minimum personal data necessary is collected and processed; for example, data collection is limited to what the intended purpose requires. Organizations must describe the measures in place to enforce this minimum, and must document their retention and deletion practices, including how retention periods and data destruction policies align with the PDPL.
F. Purpose Limitation Requirement
Organizations must ensure that personal data is processed only for specific, legitimate purposes and on a valid legal basis. Processing must stay within those purposes, and personal data must be retained only for as long as they require and then securely deleted.
G. Sensitive Data Processing Requirement
Organizations should implement additional safeguards for processing sensitive data to ensure compliance with legal and regulatory obligations.
H. Records of Processing Activities (RoPA)
Organizations must maintain records of personal data processing activities to demonstrate accountability and compliance with the BCRs and PDPL.
I. Data Protection Impact Assessment (DPIA)
Organizations must conduct DPIAs for processing activities that pose high risks to data subjects. DPIAs must be completed before starting any processing activities affecting individual privacy, mainly when dealing with sensitive data or large-scale processing.
J. Personal Data Quality Requirement
In accordance with legal and regulatory obligations, organizations should implement policies that keep personal data accurate, complete, and up to date. This involves routine data validation, timely correction and updating of records, and consistency across the systems in which the data is held.
K. Security Requirement
Organizations must implement robust technical and organizational security measures to protect personal data from unauthorized access, disclosure, alteration, or loss, and must describe those measures in the BCRs.
L. Data Breach Incident Reporting Requirement
Organizations should establish processes for swiftly reporting incidents of personal data breaches in accordance with laws and regulations. This involves establishing precise reporting deadlines, outlining notification procedures, and maintaining contact with relevant authorities and impacted parties to reduce risks effectively.
M. Subsequent Transfer Requirement
Organizations should impose restrictions on subsequent transfers of personal data to third parties. This involves assessing the legality of such transfers, securing the required protections, and ensuring third parties implement data protection guidelines.
N. Transfer Impact Assessment
Organizations must conduct transfer impact assessments to mitigate risks associated with the international transfer of personal data.
VIII. Conclusion
Organizations should specify data transfer types, volumes, and frequencies to ensure transparency and compliance. The BCRs' binding character must also be stated clearly to prove they are enforceable.
Organizations must also specify how they will cooperate with the appropriate authority, like SDAIA, ensuring they understand and meet the communication, supervision, and regulatory compliance standards and align with Saudi Arabia’s evolving regulatory landscape.
IX. How Securiti Can Help
Securiti helps organizations navigate and comply with Saudi Arabia's data privacy landscape. Securiti's modules help organizations protect personal data against cyber threats and align with Saudi Arabia's data privacy laws.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments.
Request a demo to learn more.