Updates to Saudi Arabia's Personal Data Protection Regulations: SCCs, Guidelines and More

As part of the latest developments regarding the personal data protection regulations in the Kingdom of Saudi Arabia ("KSA"), the Saudi Data and Artificial Intelligence Authority ("SDAIA") issued the Regulation on Personal Data Transfer Outside the Kingdom (the "Data Transfer Regulations") on September 1, 2024, which amended the previously issued data transfer regulations under the Personal Data Protection Law issued by Royal Decree No. M/19 dated 9/2/1443H (as amended) (the "PDPL").  In addition, SDAIA issued standard contractual clauses for personal data transfers outside of the Kingdom.

Data Transfer Regulations

1. The Data Transfer Regulations provide the definition of Appropriate Safeguards as follows: The requirements imposed by the competent authority on controllers, which include adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of personal data protection, to ensure appropriate levels of protection when transferring personal data outside the Kingdom that meet at least the standards prescribed by the Law and Regulations.
2. The Data Transfer Regulations provide parallel provisions in relation to adequate jurisdictions and purposes for transfer that were provided under the prior regulations.
3. Article 4 of the Data Transfer Regulations provides that the controller must implement the following appropriate safeguards for the transfer of personal data:
   (a) Standard contractual clauses;
   (b) Binding common rules; and
   (c) Certificate of accreditation.
4. Article 4 of the Data Transfer Regulations further provides that controllers relying on one of the three appropriate safeguards available will be exempt from the obligation to limit the data transferred to the minimum amount of personal data needed.
5. The Data Transfer Regulations provide that a risk assessment must be conducted where a controller has implemented an appropriate safeguard or where sensitive data is being transferred to entities outside KSA on a continuous or widespread basis.  The scope of the risk assessment obligation has been reduced compared to the scope provided in the prior regulations.

Standard Contractual Clauses

6. The Data Transfer Regulations provide the definition of Standard Contractual Clauses as per the following: Mandatory provisions governing the transfer of personal data outside the Kingdom that ensure appropriate level of protection for such data not less than the standard prescribed by the Law and Regulations. These provisions are in accordance with a standard form issued by the competent authority.
7. There are four published versions of the Standard Contractual Clauses (controller to processor, controller to controller, processor to controller and processor to processor).
8. Any modification of the Standard Contractual Clauses will deem them invalid and the provisions of a contract must not conflict with the Standard Contractual Clauses.
9. Standard Contractual Clauses can involve more than two parties, so controllers and additional processors can be bound by such clauses as personal data exporters or personal data importers, depending on the nature of their role throughout the duration of the relevant contract(s).
10. Personal data may not be transferred under the Standard Contractual Clauses if the laws and regulations of the recipient country or international organization prevent the personal data importer from complying with the Standard Contractual Clauses.
11. Standard Contractual Clauses require data importers (based outside of KSA) to comply with and enforce any binding decision under KSA laws and regulations which may impose a burden on international shareholders receiving personal data from KSA.

Binding Common Rules

12. The Data Transfer Regulations provide the definition of Binding Common Rules as follows: Rules established by the controller, applicable to each controller and processing party within a group of multinational entities, that ensure appropriate protection for personal data transferred outside the Kingdom at a level not less than that prescribed by the PDPL and its regulations.
13. Any group of entities, including the personal data importer, must cooperate with the competent authority (i.e., SDAIA), comply with all its requests and inquiries and provide the necessary documents and information to ensure adherence to the Binding Common Rules.
14. The Binding Common Rules must include, as an example, the controller's obligations as set out under the PDPL, data subject rights and procedures for notifying SDAIA and data subjects where a data breach or similar incident has occurred. The Binding Common Rules guidelines also provide that a record of members under the Binding Common Rules and records of processors and sub-processors must be maintained.

In addition, SDAIA published several guidelines to provide additional input on the applicable framework and to help facilitate compliance with other key areas of the PDPL, such as data protection officer (DPO) appointments, privacy policy guidelines, personal data destruction, anonymization and pseudonymization guidelines and data disclosure cases guidelines.

We are keeping an eye on any further developments in relation to these developments.  Please do not hesitate to contact us if you have any questions or need assistance with your organization's compliance framework in light of these developments in Saudi Arabia.