Standard Contractual Clauses For Personal Data Transfer – Rules set out the mandatory rules for using SDAIA’s SCCs when transferring personal data outside Saudi Arabia to jurisdictions without adequate protection. It confirms that SCCs are binding, cannot be altered except for blank fields, and must not be contradicted by other contract terms. It also emphasizes that all parties remain bound by PDPL obligations and that data importers must fully cooperate with SDAIA’s oversight, including enforcement, audit, and jurisdictional acceptance. If compliance becomes impossible, the data exporter must suspend transfers.
SCCs are mandatory, non-negotiable templates that ensure PDPL-compliant transfers, and any changes or non-cooperation can suspend the data flow.
Standard Contractual Clauses For Personal Data Transfer – Rules (1)
SCC Function
The Standard Contractual Clauses, as set out in Appendix (1) attached to this document, provide protection for Personal Data and an appropriate guarantee in accordance with the provisions of the Law and Regulations for the transfer or disclosure of Personal Data to entities outside the Kingdom from the Personal Data Exporter to the Personal Data Importer.
Standard Contractual Clauses For Personal Data Transfer – Rules (2)
Contract Inclusion
Standard Contractual Clauses specify Clauses that must be included in a contract or agreement between the Personal Data Exporter and the Personal Data Importer or placed in a separate contract or agreement.
Standard Contractual Clauses For Personal Data Transfer – Rules (3)
Law Precedence
The adoption of Standard Contractual Clauses does not prejudice the parties’ obligations under the Law and Regulations when processing Personal Data.
Standard Contractual Clauses For Personal Data Transfer – Rules (4)
No Conflicts
If the Standard Contractual Clauses are included in a contract or agreement, no explicit or implicit term or provision therein shall conflict with them or limit the scope of their application or the protection expected from them. In addition, the contracting parties have the right to include any additional conditions related to the processing of Personal Data, provided that such additional conditions do not contradict and/or undermine any of the requirements of the Standard Contractual Clauses or the Law and Regulations.
Standard Contractual Clauses For Personal Data Transfer – Rules (5)
No Modifications
If any party modifies the approved text (except the blank fields that are required to be filled in Standard Contractual Clauses), such modifications shall not be recognized by the Competent Authority and shall be deemed a violation of the provisions of the Law and Regulations.
Standard Contractual Clauses For Personal Data Transfer – Rules (6)
Multiparty Use
Standard Contractual Clauses can involve more than two parties, so Controllers and additional Processors can join these Clauses as Personal Data Exporters or Personal Data Importers, depending on the nature of their role throughout the duration of the contract.
Standard Contractual Clauses For Personal Data Transfer – Rules (7)
Legal Compliance in Recipient
Personal data may not be transferred under the Standard Contractual Clauses if the laws and regulations of the recipient country or international organization prevent the Personal Data Importer from complying with the Standard Contractual Clauses.
Standard Contractual Clauses For Personal Data Transfer – Rules (8)
Jurisdiction Submission
To ensure effective enforcement of these Clauses, the Personal Data Importer submits to the jurisdiction of the Kingdom and undertakes to comply with and enforce any binding decision under applicable Kingdom Laws and Regulations.
Standard Contractual Clauses For Personal Data Transfer – Rules (9)
Cooperation Obligations
The Personal Data Importer must agree to respond to the Competent Authority’s requests and cooperate with its auditing procedures and approved compliance follow-up measures, including corrective measures and actions, and confirm to the Competent Authority in writing that the necessary actions have been taken.
Standard Contractual Clauses For Personal Data Transfer – Rules (10)
Suspension Triggers
After the adoption of the Standard Contractual Clauses, if the Personal Data Exporter determines that the Personal Data Importer is unable or no longer able to fulfill the obligations set forth in these Clauses, or the Personal Data Importer notifies the Personal Data Exporter if there is reason to believe that the obligations set forth in these Clauses cannot be fulfilled, the Personal Data Exporter must suspend transfers unless alternative measures or guarantees are adopted that meet the requirements set forth in the Law and Regulations.
Standard Contractual Clauses For Personal Data Transfer – Rules (11)
Authority Amendments
The Competent Authority may, at its discretion, make any change to the Standard Contractual Clauses contained in this document, and if any change is made, the Competent Authority will issue rules regarding transitional measures, as well as rules regarding the remaining validity period of agreements under the previous Standard Contractual Clauses.
Explanation of Standard Contractual Clauses For Personal Data Transfer – Rules
Legal Guarantee:
Standard Contractual Clauses For Personal Data Transfer – Rule (1) says that SCCs provide lawful protection and assurance when personal data is transferred to a recipient outside KSA.
Binding Inclusion:
Standard Contractual Clauses For Personal Data Transfer – Rule (2) says that SCCs must be fully incorporated into the agreement between exporter and importer or included in a separate document.
No Waiver of Obligations:
Standard Contractual Clauses For Personal Data Transfer – Rule (3) says that using SCCs does not reduce or replace the parties’ other obligations under the PDPL or its regulations.
Supremacy of SCCs:
Standard Contractual Clauses For Personal Data Transfer – Rule (4) says that no contract clause can override, weaken, or contradict the SCCs. Additional terms can be added only if they align fully with PDPL and SCC requirements.
Template Integrity:
Standard Contractual Clauses For Personal Data Transfer – Rule (5) says that except for blank fields, any modification to SCC wording invalidates the clauses and breaches the Law.
Multi-Entity Support:
Standard Contractual Clauses For Personal Data Transfer – Rule (6) says that SCCs can include multiple parties (controllers and processors) as either data exporters or importers.
Restrictions on Transfer:
Standard Contractual Clauses For Personal Data Transfer – Rule (7) says that if the laws of the receiving country prevent SCC compliance, data transfers cannot proceed under these SCCs.
KSA Enforcement Power:
Standard Contractual Clauses For Personal Data Transfer – Rule (8) says that the data importer must accept the jurisdiction of Saudi Arabia and agree to comply with its binding legal decisions.
SDAIA Oversight:
Standard Contractual Clauses For Personal Data Transfer – Rule (9) says that importers must cooperate with SDAIA, including audits, compliance checks, and any follow-up corrective measures, and confirm their implementation in writing.
Transfer Suspension:
Standard Contractual Clauses For Personal Data Transfer – Rule (10) says that if the importer cannot fulfill SCC duties, the exporter must stop transfers unless other legal safeguards are adopted.
SDAIA Right to Revise:
Standard Contractual Clauses For Personal Data Transfer – Rule (11) says that SDAIA can amend the SCCs and issue guidance for transitional periods or how old SCCs will remain valid after the change.
