Standard Contractual Clauses (SCCs) For Personal Data Transfer – Definitions

Definitions

In this document, unless explicitly stated otherwise, the following terms shall have the meanings assigned to each of them below:

• The Kingdom: The Kingdom of Saudi Arabia (KSA)
  
  
• The Law: The Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
  
  
• Regulations: The Implementing Regulations of the Law “Includes both of the implementing Regulations and the implementing Regulation for Personal Data Transfer outside the Kingdom.”
  
  
• The Competent Authority: Saudi Data & AI Authority (SDAIA)
  
  
• Appropriate Safeguards: The requirements imposed by the competent authority on controllers, which include adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of personal data protection, to ensure appropriate level of protection when transferring personal data outside the Kingdom that meets at least the standards prescribed by the Law and Regulations.
  
  
• Standard Contractual Clauses: Mandatory provisions governing the transfer of personal data outside the Kingdom that ensure appropriate level of protection for such data not less than the standard prescribed by the Law and Regulations. These provisions are in accordance with a standard form issued by the competent authority.
  
  
• International Organization: A legal body comprising members from at least three countries, operating in multiple sovereign states, established through a formal legal document such as a treaty or agreement based on international law, and this legal document defines the aims and objectives of the international organization and its structures, decision-making powers and jurisdiction. (e.g. the United Nations, the World Bank, the League of Arab States, the Arab Monetary Fund). These organizations engage in international activities and must comply with various Personal Data protection laws across different jurisdictions.
  
  
• Transfer of Personal Data: Transfer, disclosure (or granting of access) of Personal Data from the Kingdom of Saudi Arabia to Controllers, Processors, or other recipients in countries or international organizations other than the Kingdom of Saudi Arabia where neither the Personal Data Exporter nor the Importer of the Personal Data.
  
  
• Third-Party Data Transfers/Subsequent Transfers: The transfer of Personal Data from an external country or international organization to Controllers or Processors within the same country/organization or in another country/organization.