Overview
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Requirements for Binding Common Rules sets out the mandatory legal, organizational, and governance conditions that a Group of Entities must satisfy when adopting Binding Common Rules as a safeguard for personal data transfers outside the Kingdom of Saudi Arabia. It establishes that BCRs must fully reflect Controllers’ obligations under the Saudi Personal Data Protection Law (PDPL) and its Regulations, ensure enforceable rights for Data Subjects, provide regulatory cooperation mechanisms, and guarantee consistent and legally binding data protection standards across all group members.
This section also confirms the jurisdiction of Saudi courts and the applicability of Saudi law to Binding Common Rules.
SDAIA's Official Text
The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.
Requirements for Binding Common Rules
- The Group of Entities must ensure that the Binding Common Rules (BCR) include Controllers' obligations stipulated in the PDPL and Regulations, in addition to the rights of Data Subjects, including claiming compensation for damage resulting from violation of such rights.
- The Group of Entities, including the Personal Data Importer, must cooperate with the competent authority, comply with all its requests and inquiries, and provide the necessary documents and information to ensure adherence to the Binding Common Rules.
- BCR must be approved internally by the authorized person within the Group of Entities. This process includes reviewing and validating all the data protection measures and compliance mechanisms to be taken regarding Personal Data protection.
- BCR shall be legally enforceable on every member of the Group of Entities and provide a consistent standard of data protection. Every member of the Group of Entities that receives the relevant Personal Data must comply with the provisions set out in the Law and Regulations.
- In addition to the BCR, detailed policies shall be developed on data protection, Data Subject rights, security measures, audit programs, and mechanisms for handling data breach incident and complaints in compliance with the Law and Regulations.
- Binding Common Rules are subject to the laws in force in the Kingdom, and any dispute arising from application of the rules shall fall under jurisdiction of the courts of the Kingdom. The Personal Data Importer/s within the group of entities agree to submit to jurisdiction of the Kingdom.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
1. Inclusion of PDPL Obligations and Data Subject Rights
Binding Common Rules must expressly incorporate all Controllers’ obligations set out under the Personal Data Protection Law (PDPL) and its Regulations. This includes the protection of Data Subject rights (DSR) and the ability of Data Subjects to claim compensation for damages resulting from violations of those rights. The provision ensures that BCRs are not limited to operational safeguards but also provide enforceable rights and remedies.
2. Regulatory Cooperation and Accountability
3. Internal Approval and Validation Mechanisms
4. Legal Enforceability Across the Group
5. Supporting Policies and Operational Frameworks
In addition to the Binding Common Rules themselves, the Group of Entities must develop detailed supporting policies. These policies must address data protection, Data Subject rights (DSR), security measures, audit programs, and procedures for handling data breach incidents and complaints. This ensures that BCRs are supported by practical and operational compliance mechanisms.