Overview
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – General Guidelines sets out general requirements that apply to the implementation and operation of Binding Common Rules. It addresses consistency of contractual provisions, evidence of compliance, breach response preparedness, notification procedures, governance of BCR membership updates, and circumstances in which exemption status under the Binding Common Rules does not apply.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
General Guidelines
- Parties to a binding agreement shall ensure that none of its provisions conflict with the Binding Common Rules (BCR) or limit their scope of application.
- The Controller must provide the competent authority, upon request, with evidence of its compliance with the Binding Common Rules, Law, and Regulations.
- The Controller must establish an effective prompt incident response plan to address personal data breach incident, damage, or unauthorized access.
- The Binding Common Rules must include procedures for notifying the competent authority and data subjects upon discovering a data breach that could harm the transferred personal data or the data subjects, or that conflicts with their rights or interests.
- Updates to the list of members under the Binding Common Rules may be made under the following conditions:
  - Maintaining an updated record of members of the Binding Common Rules, data processors, and sub-processors involved in personal data processing activities, and facilitating data subjects' access to the list of members of the Binding Common Rules.
  - Keeping a report that explains the reasons for the updates or changes to members' record.
- The exemption status under the Binding Common Rules does not apply if the Data Controller fails to implement them, or if the competent authority finds them inadequate.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
1. Consistency of Binding Agreements
This guideline requires that parties to a binding agreement ensure that none of the agreement’s provisions conflict with the Binding Common Rules or limit their scope of application.
2. Evidence of Compliance
This guideline requires the Controller to provide the competent authority, upon request, with evidence demonstrating compliance with the Binding Common Rules, the Law, and the Regulations.
3. Incident Response Preparedness
This guideline requires the Controller to establish an effective and prompt incident response plan to address personal data breach incidents, data damage, or unauthorized access.
4. Breach Notification Procedures
This guideline requires the Binding Common Rules to include procedures for notifying the competent authority and data subjects when a data breach is discovered that could harm transferred personal data, harm data subjects, or conflict with their rights or interests.
5. Governance of BCR Membership Updates
This guideline allows updates to the list of members under the Binding Common Rules, provided that an updated record of members, data processors, and sub-processors is maintained, that data subjects can access the list of members, and that a report is kept explaining the reasons for any updates or changes.
6. Loss of Exemption Status
This guideline clarifies that the exemption status under the Binding Common Rules does not apply if the Data Controller fails to implement the Binding Common Rules or if the competent authority determines that they are inadequate.