KSAPDPL.COM


Guidelines for Binding Common Rules (BCR) For Personal Data Transfer – Definitions

Overview

The “Definitions” section of the Guidelines for Binding Common Rules (BCR) for Personal Data Transfer establishes the key legal and operational terms used throughout the BCR framework. These definitions ensure consistent interpretation of the Personal Data Protection Law (PDPL), its Implementing Regulations, and the Transfer Regulation when applying Binding Common Rules as an appropriate safeguard for transferring personal data outside the Kingdom of Saudi Arabia (KSA).

By clearly defining the scope of entities, authorities, safeguards, and transfer concepts, this section provides a foundational reference for Controllers, Processors, and group entities implementing BCRs under the Saudi PDPL cross-border transfer regime.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Definitions

The following terms and phrases, wherever stated in these clauses, shall have the meanings assigned to each of them unless the context indicates otherwise:

  1. The Kingdom: The Kingdom of Saudi Arabia (KSA).

  2. The Law: The Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) dated 9/2/1443 AH ("The Law") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.

  3. Regulations: The "Implementing Regulations of the Law", including both the “Implementing Regulations" and the Regulations for the Transfer of Personal Data Outside the Kingdom.

  4. The Competent Authority: Saudi Data & AI Authority (SDAIA).

  5. Appropriate Safeguards: The requirements imposed by the competent authority on controllers, which include adherence to the Law and Regulations when transferring or disclosing personal data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of personal data protection, to ensure appropriate level of protection when transferring personal data outside the Kingdom that meets at least the standards prescribed by the Law and Regulations.

  6. Binding Common Rules (BCR): Rules established by the controller, applicable to each controller and processing party within a group of multinational entities, ensure appropriate protection for personal data transferred outside the Kingdom at a level not less than that prescribed by the Law and Regulations.

  7. International Organizations: A legal body comprising members from at least three countries, operating in multiple sovereign states, established through a formal legal document such as a treaty or agreement based on international law, and this legal document defines the aims and objectives of the international organization and its structures, decision-making powers and jurisdiction. (e.g., the United Nations, the World Bank, the League of Arab States, the Arab Monetary Fund). These organizations engage in international activities and must comply with various Personal Data protection laws across different jurisdictions.

  8. Transfer of Personal Data: Transfer, disclosure (or granting of access) of Personal Data from the Kingdom of Saudi Arabia to Controllers, Processors, or other recipients in countries or international organizations other than the Kingdom of Saudi Arabia where neither the Personal Data Exporter nor the Personal Importer is a Data Subject.

  9. Third Party Data Transfers/Subsequent Transfers: The transfer of Personal Data from an external country or international organization to Controllers or Processors within the same country/organization or in another country/ organization.

  10. Group of Entities: A set of legal entities engaged in joint economic activities such as franchising, joint ventures, or professional partnerships. These entities operate under shared control for example, ownership, common economic interests, financial participation, or the governance rules.

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

1. The Kingdom

This term refers specifically to the Kingdom of Saudi Arabia. It establishes the territorial scope from which personal data originates and within which the Personal Data Protection Law (PDPL) applies before any cross-border transfer takes place.

2. The Law

The Law refers to the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) and amended by Royal Decree No. (M/148). It forms the primary legal framework governing personal data processing, including conditions for transferring personal data outside the Kingdom.

3. Regulations

Regulations refer collectively to the Implementing Regulations of the Personal Data Protection Law (PDPL) and the Regulations governing the Transfer of Personal Data Outside the Kingdom. Together, these instruments provide detailed procedural, technical, and compliance requirements that supplement the Law.

4. The Competent Authority (SDAIA)

The Competent Authority is the Saudi Data and AI Authority. SDAIA is responsible for supervising compliance with the Personal Data Protection Law (PDPL), issuing guidance and approvals, and enforcing regulatory requirements related to personal data transfers, including Binding Common Rules.

5. Appropriate Safeguards

Appropriate Safeguards are the regulatory requirements imposed by the Competent Authority to ensure that personal data transferred outside the Kingdom receives protection equivalent to Saudi legal standards. These safeguards apply particularly in cases where exemptions are granted from adequacy or minimum protection requirements, ensuring that transferred data remains protected in practice.

6. Binding Common Rules (BCR)

Binding Common Rules are internal rules established by a Controller and applied across controllers and processors within a multinational group. These rules ensure that personal data transferred outside the Kingdom continues to receive a level of protection that is not less than that required under the Law and Regulations, regardless of where processing occurs.

7. International Organizations

International Organizations are legal bodies composed of members from at least three countries and operating across multiple sovereign states. They are established through formal international agreements and have defined objectives, governance structures, and decision-making authority. Such organizations are subject to multiple personal data protection regimes and must comply with applicable laws when receiving personal data.

8. Transfer of Personal Data

Transfer of Personal Data refers to the transfer, disclosure, or granting of access to personal data from within the Kingdom to Controllers, Processors, or other recipients located outside the Kingdom. This applies in situations where neither the personal data exporter nor the importer is the data subject.

9. Third Party Data Transfers/Subsequent Transfers

This term covers onward transfers of personal data from an external country or international organization to another Controller or Processor. These transfers may occur within the same jurisdiction or across different jurisdictions and must continue to meet the protection requirements imposed by the original transfer mechanism.

10. Group of Entities

A Group of Entities refers to multiple legal entities engaged in joint economic activities such as franchising, joint ventures, or professional partnerships. These entities operate under shared control, which may arise from ownership, common economic interests, financial participation, or unified governance rules, forming the organizational basis for applying Binding Common Rules.
