Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Purpose explains why Binding Common Rules (BCRs) exist. When personal data is transferred outside Saudi Arabia to a country that does not provide an adequate level of legal protection, BCRs act as an alternative safeguard to maintain PDPL‑level protection.
These rules set expectations for all entities—inside and outside the Kingdom—on how to draft, implement, and maintain BCRs so that personal data stays protected during transfer and onward processing.
BCRs work alongside other approved safeguards such as Standard Contractual Clauses (SCCs) and accreditation certificates issued by licensed bodies.
Purpose
The purpose of these rules is to ensure that a level of protection for personal data
is applied that is not less than the level of protection prescribed by the Law and its
Regulations. This is achieved by specifying obligations of the parties involved in
the transfer when personal data is transferred or disclosed to a country or
international organization that does not have an adequate level of protection for
personal data. This document provides comprehensive instructions for a range of
entities operating within and outside the Kingdom regarding the preparation of
Binding Common Rules. Binding Common Rules are considered one of the
appropriate safeguards that data controllers may use, in addition to processors
acting on behalf of and based on the instructions of the data controller. They are
also used alongside standard contractual clauses and certifications from an entity
licensed by the competent authority, in accordance with the provisions governing
the transfer of personal data outside the Kingdom.
