Overview
Guidelines for Binding Common Rules (BCR) for Personal Data Transfer – Scope defines who the BCR framework applies to and in which transfer scenarios it may be used. It clarifies that these guidelines govern the use of Binding Common Rules by Controllers and Processors when transferring personal data outside the Kingdom of Saudi Arabia to jurisdictions that do not provide an appropriate level of personal data protection.
This section establishes the applicability of BCRs without reducing the legal responsibilities of Controllers under the Saudi Personal Data Protection Law (PDPL), its Implementing Regulations, and the oversight of the Competent Authority (SDAIA).
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Scope
This document specifies the requirements and guidelines related to Binding Common Rules. It applies to data controllers or processors based on the instructions of the data controller and on their behalf, without prejudicing the responsibilities of the data controller to the competent authority or the data subject, as applicable, when transferring personal data outside the Kingdom to a country or international organization that does not have an appropriate level of Personal Data protection.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Applicability of the Guidelines
This provision explains that the document applies specifically to the requirements and guidance governing Binding Common Rules. It establishes that the Guidelines are intended to regulate how BCRs are prepared, implemented, and relied upon as an appropriate safeguard for personal data transfers outside the Kingdom.
Controllers and Processors in Scope
Preservation of Controller Responsibilities
This section clarifies that applying Binding Common Rules does not prejudice or limit the responsibilities of the data controller toward the Competent Authority or the data subject.
Controllers remain fully accountable for compliance with the Personal Data Protection Law (PDPL) and its Implementing Regulations, regardless of whether personal data is transferred under BCRs.
Transfers to Jurisdictions Without Adequate Protection
The scope is limited to situations where personal data is transferred outside the Kingdom to a country or international organization that does not provide an appropriate level of personal data protection.
In these circumstances, Binding Common Rules operate as a safeguard mechanism to ensure that personal data transferred outside the Kingdom continues to receive protection consistent with Saudi legal and regulatory requirements.
