The Saudi Data and AI Authority (SDAIA) has updated the Regulation on Personal Data Transfer Outside the Kingdom, introducing new guidelines under the Personal Data Protection Law (PDPL). These revisions, effective 1 September 2024, include significant changes to the previous regulations.
Key Updates:
- The new Data Transfer Regulations maintain similar concepts regarding adequate jurisdictions and purposes for transfer but reduce the number of appropriate safeguards from four to three, removing “binding codes of conduct.”
- Controllers using one of the three safeguards (Standard Contractual Clauses, Binding Common Rules, or Certificate of Accreditation) are exempt from the data minimization obligation.
- Risk assessments are now required only when implementing an appropriate safeguard or transferring sensitive data continuously or widely outside the Kingdom of Saudi Arabia (KSA), which narrows the scope of this requirement.
Binding Common Rules (BCRs):
SDAIA has released guidelines for Binding Common Rules, detailing how organizations should prepare BCRs. These rules apply to groups of entities under shared control, ensuring compliance with PDPL. BCRs must outline controller obligations, data subject rights, breach notification procedures, and cooperative measures with authorities.
Standard Contractual Clauses (SCCs):
New SCCs have been issued, akin to the EU’s, with four versions available (controller to processor, controller to controller, processor to controller, and processor to processor). Modifications to SCCs are not allowed, and importers must comply with KSA laws, posing potential operational challenges for international stakeholders.
SDAIA Rules and Guidelines:
Additional rules and guidelines include:
- Rules for Appointment of Personal Data Protection Officer
- Privacy Policy Guidelines
- Minimum Personal Data Determination Guidelines
- National Register of Controllers Rules
- Personal Data Destruction, Anonymization, and Pseudonymization Guidelines
- Personal Data Disclosure Cases Guidelines
- Personal Data Processing Activities Records Guidelines
These updates aim to streamline PDPL compliance and provide clearer frameworks for data transfer outside Saudi Arabia.