KSAPDPL.COM

Guidelines for Binding Common Rules (BCR) For Personal Data Transfer – Definitions

Guidelines for Binding Common Rules (BCR) For Personal Data Transfer – Definitions clarify the key terms used throughout the BCR Guidelines. Understanding these terms is crucial for Controllers, Processors, and other entities handling personal data transfers under the Saudi Personal Data Protection Law (PDPL). Each definition aligns with legal and operational expectations under Saudi law and offers a shared vocabulary for cross-border compliance implementation.

The following terms and phrases, wherever stated in these clauses, shall have the meanings assigned to each of them unless the context indicates otherwise:

The Kingdom

The Kingdom of Saudi Arabia (KSA)

The Law

The Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.

Regulations

The Implementing Regulations of the Law. This includes both the Implementing Regulations and the Implementing Regulation for Personal Data Transfer outside the Kingdom.

The Competent Authority

Saudi Data & AI Authority (SDAIA)

Appropriate Safeguards

The requirements imposed by the competent authority on controllers, which include adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of personal data protection, to ensure an appropriate level of protection when transferring personal data outside the Kingdom that meets at least the standards prescribed by the Law and Regulations.

Binding Common Rules (BCR)

Rules established by the controller, applicable to each controller and processing party within a group of multinational entities, to ensure appropriate protection for personal data transferred outside the Kingdom at a level not less than that prescribed by the Law and Regulations.

International Organization

A legal body comprising members from at least three countries, operating in multiple sovereign states, established through a formal legal document such as a treaty or agreement based on international law. This legal document defines the aims and objectives of the international organization and its structures, decision-making powers and jurisdiction (e.g. the United Nations, the World Bank, the League of Arab States, the Arab Monetary Fund). These organizations engage in international activities and must comply with various Personal Data protection laws across different jurisdictions.

Transfer of Personal Data

Transfer, disclosure (or granting of access) of Personal Data from the Kingdom of Saudi Arabia to Controllers, Processors, or other recipients in countries or international organizations other than the Kingdom of Saudi Arabia where neither the Personal Data Exporter nor the Importer of the Personal Data.

Third-Party Data Transfers/Subsequent Transfers: The transfer of Personal Data from an external country or international organization to Controllers or Processors within the same country/organization or in another country/organization.

Group of Entities

A set of legal entities engaged in joint economic activities such as franchising, joint ventures, or professional partnerships. These entities operate under shared control, for example, ownership, common economic interests, financial participation, or governance rules.
