Overview
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Description and Details to Be Covered by the BCR (Second Section) specifies the description and details that must be covered by the Binding Common Rules. It focuses on identifying the Personal Data involved, the affected Data Subjects, the purposes and destinations of transfers, the frequency of transfers, contractual arrangements with Controllers and Processors, and supporting annex documentation.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
SECOND SECTION
This section should be used to document details about the entity within the Group of Entities that is implementing the Binding Common Rules (BCR)
- Type or Categories of Personal Data to be Transferred and Covered by the BCR: Specify the types or categories of Personal Data that will be transferred under the BCR. This shall include a clear description of the data types
- Categories of Data Subjects Whose Personal Data to Be Transferred: Identify the categories of Data Subjects whose Personal Data will be transferred in addition to those affected by the transfer
- Purposes of Transferring Personal Data: Clearly state the reasons for transferring Personal Data outside the Kingdom. Explain the processing activities that will occur after the data has been transferred
- Countries to Which Personal Data to Be Transferred: List all the countries to which Personal Data will be transferred under the BCR. Ensure each country is specified accurately
- Frequency of Transfer: Indicate how often Personal Data will be transferred. Choose from "One-Off," "Continuous or "Periodic" and provide further details if necessary
- Contractual Arrangements: Detail Any Contractual Arrangements Regarding the Use of Controllers and their contracted Processors along with their Compliance to the BCR.
- Additional Documents to Be Provided as an Annex: List the additional documents that should be included as annexes to provide further clarity and support for the BCR.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
1. Type or Categories of Personal Data to be Transferred and Covered by the BCR
This requirement explains that the types or categories of Personal Data to be transferred under the Binding Common Rules must be specified, including a clear description of the data types involved.
2. Categories of Data Subjects Whose Personal Data to Be Transferred
This requirement explains that the categories of Data Subjects whose Personal Data will be transferred must be identified, including any categories affected by the transfer.
3. Purposes of Transferring Personal Data
This requirement explains that the purposes for transferring Personal Data outside the Kingdom must be clearly stated, along with an explanation of the processing activities that will take place after the transfer.
4. Countries to Which Personal Data to Be Transferred
This requirement explains that all countries to which Personal Data will be transferred under the Binding Common Rules must be listed and accurately specified.
5. Frequency of Transfer
This requirement explains that the frequency of Personal Data transfers must be indicated, using options such as one off or continuous, with additional details provided where necessary.
6. Contractual Arrangements
This requirement explains that contractual arrangements involving Controllers and their contracted Processors must be detailed, including how those arrangements align with compliance with the Binding Common Rules.
7. Additional Documents to Be Provided as an Annex
This requirement explains that additional documents must be listed as annexes where needed to provide further clarity and support for the Binding Common Rules.
