Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules says that to qualify as an appropriate safeguard under the PDPL, Binding Common Rules must meet strict legal, procedural, and operational criteria. These rules ensure that personal data transferred outside Saudi Arabia by multinational groups maintain a consistent and enforceable level of protection across all member entities, mirroring the standards of the PDPL. This includes obligations toward data subjects, enforceability, internal governance, cooperation with SDAIA, and legal jurisdiction within the Kingdom.
BCRs must be legally binding, enforceable across the group, aligned with PDPL, and supported by internal policies, legal jurisdiction in Saudi Arabia, and full cooperation with SDAIA.
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (1)
Include PDPL Obligations
The Controller shall implement response and containment procedures for personal data breach incidents in accordance with best international practices and relevant regulatory requirements, including, but not limited to, the following measures to control personal data breach incidents:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (2)
SDAIA Cooperation Required
The Group of Entities, including the Personal Data Importer, must cooperate with the competent authority, comply with all its requests and inquiries, and provide the necessary documents and information to ensure adherence to the Binding Common Rules.
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (3)
Internal Approval Process
BCR must be approved internally by the authorized person within the Group of Entities. This process includes reviewing and validating all the data protection measures and compliance mechanisms to be taken regarding Personal Data protection.
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (4)
Legally Binding Rules
BCR shall be legally enforceable on every member of the Group of Entities and provide a consistent standard of data protection. Every member of the Group of Entities that receives the relevant Personal Data must comply with the provisions set out in the Law and Regulations.
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (5)
Backed by Policies
In addition to the BCR, detailed policies shall be developed on data protection, Data Subject rights, security measures, audit programs, and mechanisms for handling data breach incidents and complaints in compliance with the Law and Regulations.
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (6)
Saudi Legal Jurisdiction
Binding Common Rules are subject to the laws in force in the Kingdom, and any dispute arising from the application of the rules shall fall under the jurisdiction of the courts of the Kingdom. The Personal Data Importer(s) within the Group of Entities agree to submit to the jurisdiction of the Kingdom.
Explanation of Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules
Must reflect legal and rights-based obligations:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (1) says that BCRs must capture all controller duties under PDPL and preserve data subjects’ rights, including compensation claims.
Importers must support audits and respond to queries:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (2) says that full transparency and support must be given to the authority, including submission of requested documents.
BCRs must be vetted and validated internally:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (3) says that an authorized group representative must formally approve the BCRs with validation of controls and safeguards.
Must be enforceable across all entities receiving data:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (4) says that each group entity must treat BCRs as mandatory, aligned with the Law and Regulations.
Must include supporting governance, security, and incident plans:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (5) says that BCRs must be accompanied by policies for data protection, rights handling, breaches, audits, and complaints.
Disputes must be resolved in Saudi Arabia:
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules (6) says that any conflicts must be addressed under Saudi law, and foreign entities must submit to Kingdom court jurisdiction.