Saudi Arabia updates Data Transfer Regulations and introduces the first set of Standard Contractual Clauses

In brief

On 1 September 2024, the Saudi Data and AI Authority (SDAIA) published the Regulation on Personal Data Transfer Outside the Kingdom ("Data Transfer Regulations"), which amended the previous Transfer Regulations under the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH ("PDPL"). SDAIA also published additional information on Standard Contractual Clauses and Binding Common Rules, two of the appropriate safeguards for transferring data outside of the Kingdom, as well as a number of PDPL-related rules and guidelines. A summary of our initial takeaways can be found below.


In more detail

Regulation on personal data transfer outside the Kingdom

On 1 September 2024, SDAIA published the Data Transfer Regulations, which amend the previous version of the Data Transfer Regulations. A few key points to note with respect to the Data Transfer Regulations are as follows:

  • The Data Transfer Regulations retain concepts similar to those in the previous version with respect to adequate jurisdictions and purposes for transfer.
  • Where a jurisdiction is not deemed adequate, the Data Transfer Regulations also make provision for appropriate safeguards as set out in the previous version. However, the number of available safeguards has been reduced from four to three – "binding codes of conduct" are no longer listed as an appropriate safeguard under the Data Transfer Regulations.
  • Article 4 of the Data Transfer Regulations appears to suggest that controllers relying on one of the three appropriate safeguards available (Standard Contractual Clauses, Binding Common Rules, and Certificate of Accreditation) will be exempt from the obligation to limit the data transferred to the minimum amount of personal data needed (i.e., alignment with the data minimisation principle).
  • The Data Transfer Regulations make provision for risk assessments to be conducted in a manner similar to that under the previous version. However, the scenarios in which a risk assessment must be conducted have changed. Under the previous version, a risk assessment was required to be conducted where a transfer took place on the basis of an appropriate safeguard or where a controller was unable to rely on an appropriate safeguard and an adequacy decision had not been issued. Under the Data Transfer Regulations, a risk assessment must be conducted where a controller has implemented an appropriate safeguard or where sensitive data is being transferred to entities outside KSA on a continuous or widespread basis – in other words, the scope of the risk assessment obligation has been reduced.

The Data Transfer Regulations can be found here.

Appropriate safeguards

Binding Common Rules

SDAIA has issued guidelines on Binding Common Rules for personal data transfers ("BCR Guidelines"). The BCR Guidelines provide instructions on how organisations should prepare BCRs. The BCRs will apply to a "Group of Entities" (i.e. a set of legal entities engaged in joint economic activity, operating under shared control), and all entities must comply with the PDPL and its Regulations.

With respect to the content of BCRs, they must include, for example, the controller's obligations as set out under the PDPL, data subject rights and procedures for notifying the competent authority and data subjects where a data breach has occurred. The BCR Guidelines also note that a record of members under the BCRs and records of processors and sub-processors must be maintained. They set out how the BCRs can be binding on members of the Group of Entities, as well as procedures for how the Group of Entities must cooperate with the competent authority and ensure adherence to the BCRs and KSA laws and regulations. 

The BCR Guidelines can be found here.

Standard Contractual Clauses

On 1 September, SDAIA published the Standard Contractual Clauses for Personal Data Transfer ("SCCs") – one of the appropriate safeguards under the Data Transfer Regulations. Implementation of the SCCs helps to ensure personal data transferred outside KSA is subject to a level of protection equal to that provided under the PDPL. A couple of takeaways with respect to the SCCs are as follows:

  • The SCCs demonstrate similarity to the EU SCCs in many ways. For example, four versions of the SCCs have been published in a manner similar to the EU SCCs (controller to processor, controller to controller, processor to controller and processor to processor). In addition, any modification of the SCCs will render them invalid, and to the extent the SCCs are incorporated into a contract, the provisions of the contract must not conflict with the SCCs.
  • The SCCs also require data importers to submit to KSA law and to comply with and enforce any binding decision under KSA laws and regulations, which will be of particular note to importers based outside KSA – this provision suggests such controllers will also be responsible for compliance with PDPL obligations. It raises questions with respect to the operational burden that may be placed on international stakeholders receiving personal data from KSA.

The SCCs can be found here.

SDAIA Rules and Guidelines

In addition to the above, SDAIA has also published a range of rules and guidelines to provide additional details on the applicable framework or help facilitate compliance with other key areas of the PDPL, such as DPO appointment, privacy policy implementation and RoPA implementation. These are as follows:

  • Rules for Appointment of Personal Data Protection Officer
  • Elaboration and Developing Privacy Policy Guidelines
  • Minimum Personal Data Determination Guidelines
  • Rules Governing the National Register of Controllers Within the Kingdom
  • Personal Data Destruction, Anonymization and Pseudonymization Guidelines
  • Personal Data Disclosure Cases Guidelines
  • Personal Data Processing Activities Records Guidelines.

These rules/guidelines can be found here.

Should you have any queries with respect to the above, or with respect to PDPL compliance more generally, please do not hesitate to contact a member of the Baker McKenzie team above.


Copyright © 2024 Baker & McKenzie. All rights reserved.