In brief

On 1 September 2024, the Saudi Data and AI Authority (SDAIA) published the Regulation on Personal Data Transfer Outside the Kingdom (“Data Transfer Regulations”), which amended the previous Transfer Regulations under the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH (“PDPL”). SDAIA also published additional information on Standard Contractual Clauses and Binding Common Rules, two of the appropriate safeguards for transferring data outside of the Kingdom, as well as a number of PDPL-related rules and guidelines. A summary of our initial takeaways can be found below.


In more detail

Regulation on personal data transfer outside the Kingdom

On 1 September 2024, SDAIA published the Data Transfer Regulations, which amend the previous version of the Data Transfer Regulations. A few key points to note with respect to the Data Transfer Regulations are as follows:

  • The Data Transfer Regulations contain similar concepts with respect to adequate jurisdictions and purposes for transfer that were set out under the previous version.
  • Where a jurisdiction is not deemed adequate, the Data Transfer Regulations also make provision for appropriate safeguards as set out in the previous version. However, the number of available safeguards has been reduced from four to three – “binding codes of conduct” are no longer listed as an appropriate safeguard under the Data Transfer Regulations.
  • Article 4 of the Data Transfer Regulations appears to suggest that controllers relying on one of the three appropriate safeguards available (Standard Contractual Clauses, Binding Common Rules, and Certificate of Accreditation) will be exempt from the obligation to limit the data transferred to the minimum amount of personal data needed (i.e., alignment with the data minimisation principle).
  • The Data Transfer Regulations make provision for risk assessments to be conducted in a manner similar to that under the previous version. However, the scenarios in which a risk assessment must be conducted have changed. Under the previous version, a risk assessment was required to be conducted where a transfer took place on the basis of an appropriate safeguard or where a controller was unable to rely on an appropriate safeguard and an adequacy decision had not been issued. Under the Data Transfer Regulations, a risk assessment must be conducted where a controller has implemented an appropriate safeguard or where sensitive data is being transferred to entities outside KSA on a continuous or widespread basis – in other words, the scope of the risk assessment obligation has been reduced.

The Data Transfer Regulations can be found here.

Appropriate safeguards

Binding Common Rules

SDAIA has issued guidelines on Binding Common Rules for personal data transfers (“BCR Guidelines”). The BCR Guidelines provide instructions on how organisations should prepare BCRs. The BCRs will apply to a “Group of Entities” (i.e. a set of legal entities engaged in joint economic activity, operating under shared control), and all entities must comply with the PDPL and its Regulations.

With respect to the content of BCRs, they must include, for example, the controller’s obligations as set out under the PDPL, data subject rights and procedures for notifying the competent authority and data subjects where a data breach has occurred. The BCR Guidelines also note that a record of members under the BCRs and records of processors and sub-processors must be maintained. They set out how the BCRs can be binding on members of the Group of Entities, as well as procedures for how the Group of Entities must cooperate with the competent authority and ensure adherence to the BCRs and KSA laws and regulations. 

The BCR Guidelines can be found here.

Standard Contractual Clauses

On 1 September, SDAIA published the Standard Contractual Clauses for Personal Data Transfer (“SCCs”) – one of the appropriate safeguards under the Data Transfer Regulations. Implementation of the SCCs helps to ensure personal data transferred outside KSA is subject to a level of protection equal to that provided under the PDPL. A couple of takeaways with respect to the SCCs are as follows:

  • The SCCs demonstrate similarity to the EU SCCs in many ways. For example, four versions of the SCCs have been published in a manner similar to the EU SCCs (controller to processor, controller to controller, processor to controller and processor to processor). In addition, any modification of the SCCs will render them invalid, and to the extent the SCCs are incorporated into a contract, the provisions of the contract must not conflict with the SCCs.
  • The SCCs also require data importers to submit to KSA law and to comply with and enforce any binding decision under KSA laws and regulations, which will be particularly of note to importers based outside KSA – this provision suggests such controllers will also be responsible for compliance with PDPL obligations. It raises questions with respect to the operational burden that may be placed on international stakeholders receiving personal data from KSA.

The SCCs can be found here.

SDAIA Rules and Guidelines

In addition to the above, SDAIA has also published a range of rules and guidelines to provide additional details on the applicable framework or help facilitate compliance with other key areas of the PDPL, such as DPO appointment, privacy policy implementation and RoPA implementation. These are as follows:

  • Rules for Appointment of Personal Data Protection Officer
  • Elaboration and Developing Privacy Policy Guidelines
  • Minimum Personal Data Determination Guidelines
  • Rules Governing the National Register of Controllers Within the Kingdom
  • Personal Data Destruction, Anonymization and Pseudonymization Guidelines
  • Personal Data Disclosure Cases Guidelines
  • Personal Data Processing Activities Records Guidelines.

These rules/guidelines can be found here.

Should you have any queries with respect to the above, or with respect to PDPL compliance more generally, please do not hesitate to contact a member of the Baker McKenzie team above.

Author

Zahi is a partner in our Saudi Arabian Corporate and Securities team. He has over 23 years of experience helping companies with complex mergers and acquisitions, divestitures, joint ventures, corporate reorganizations, securities, and capital markets. Zahi’s main focus includes Telecommunications & Technology, Healthcare & Pharmaceutical, and Retail & Consumer Goods sectors.
Known for his deep understanding of Saudi Arabian law and regulations, Zahi is a trusted advisor to leading international and regional companies.

Author

Rosanne Brennan is a Senior Legal Manager in Baker McKenzie, Belfast office.

Author

Maher Ghalloussi is an associate in the Firm's Dubai office. He is qualified in France and has worked in Paris and Dubai.

Author

Marilyn is an associate in the Intellectual Property, Data and Technology team based in London. She joined Baker McKenzie as a Trainee Solicitor in September 2020 and was admitted as a solicitor in England and Wales in September 2022. During her training, Marilyn was seconded to Baker McKenzie's Dubai office for six months and later to Google's commercial legal team for six months.
Marilyn sits on the Steering Committee of Baker McKenzie's race and ethnicity network, BakerEthnicity.