KSA PDPL » Standard Contractual Clauses (SCCs) For Personal Data Transfer – Scope

Standard Contractual Clauses (SCCs) For Personal Data Transfer – Scope

This article is verified from SDAIA
halaprivacy.com
Athif Mohammed
Published: November 16, 2025
Updated: December 23, 2025

Overview

Standard Contractual Clauses For Personal Data Transfer – Scope defines when and to whom the Saudi Standard Contractual Clauses for Personal Data Transfer apply. It clarifies that these Clauses are issued by SDAIA as the Competent Authority and apply as an appropriate safeguard for transferring Personal Data outside the Kingdom to countries or international organizations that do not provide an appropriate level of Personal Data protection.

This section also confirms that the use of SCCs does not reduce or shift the Controller’s legal responsibilities under the Saudi Personal Data Protection Law (PDPL).

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Scope

This document specifies the Standard Contractual Clauses issued by the Competent Authority in Appendix (1) of this document. These Clauses also apply to data controllers or Processors based on the instructions of the data controller and on their behalf, without prejudicing the responsibilities of the data controller to the competent authority or the data subject, as applicable, when transferring Personal Data outside the Kingdom to a country or international organization that does not have an appropriate level of Personal Data protection.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Applicability of the SCCs

This provision establishes that the SCCs are formally issued by the Competent Authority and are contained in Appendix (1). Controllers and Processors must rely on this standardized form when SCCs are required, and may not substitute alternative contractual wording unless expressly permitted by SDAIA.

Controllers and Processors Acting on Instructions

The Scope confirms that SCCs apply not only to Controllers, but also to Processors acting on the Controller’s instructions and on their behalf. This ensures that cross-border transfers remain protected throughout the processing chain, including outsourced or delegated processing activities.

No Limitation of Controller Responsibility

This section makes clear that entering into SCCs does not reduce, shift, or limit the Controller’s responsibilities under the Law. Controllers remain fully accountable to the Competent Authority and to Data Subjects, regardless of whether the transfer is carried out directly or through a Processor.

Transfers to Non-Adequate Jurisdictions

The Scope explicitly applies to transfers of Personal Data outside the Kingdom to countries or international organizations that do not provide an appropriate level of Personal Data protection. In such cases, SCCs function as one of the appropriate safeguards to ensure that Saudi PDPL protection standards continue to apply after Personal Data is transferred outside the Kingdom.

Saudi Personal Data Protection Law Compliance Services (KSA PDPL)

KSA PDPL Compliance Implementation

Achieve PDPL Compliance in 4 weeks or less.

Data Protection Officer As A Service (DPOaaS)

Let us handle your daily PDPL Compliance Operations.

KSA PDPL Compliance Audit (External)

Audit your PDPL compliance obligations.

Table of Contents

← PDPL Compliance Ecosystem