KSAPDPL.COM

Standard Contractual Clauses (SCCs) For Personal Data Transfer – Rules

Overview

The Rules section of the Standard Contractual Clauses (SCCs) for Personal Data Transfer establishes how SCCs must be used, enforced, and respected when transferring Personal Data outside the Kingdom under the Saudi Personal Data Protection Law (PDPL). It clarifies the legal status of SCCs as an appropriate safeguard when relied upon for cross-border transfers, sets strict limits on modification, defines enforcement and jurisdiction requirements, and explains how Controllers and Processors must respond if compliance becomes impossible.

This section also confirms SDAIA’s authority to amend SCCs and manage transitional arrangements.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Standard Contractual Clauses Rules

  1. The Standard Contractual Clauses, as set out in Appendix (1) attached to this document, provide protection for Personal Data and an appropriate guarantee in accordance with the provisions of the Law and Regulations for the transfer or disclosure of Personal Data to entities outside the Kingdom from the Personal Data Exporter to the Personal Data Importer.

  2. Standard Contractual Clauses specify Clauses that must be included in a contract or agreement between the Personal Data Exporter and the Personal Data Importer or placed in a separate contract or agreement.

  3. The adoption of Standard Contractual Clauses does not prejudice the parties' obligations under the Law and Regulations when processing Personal Data.

  4. If the Standard Contractual Clauses are included in a contract or agreement, no explicit or implicit term or provision therein shall conflict with them or limit the scope of their application or the protection expected from them. In addition, the contracting parties have the right to include any additional conditions related to the processing of Personal Data, provided that such additional conditions do not contradict and/or undermine any of the requirements of the Standard Contractual Clauses or the Law and Regulations.

  5. If any party modifies the approved text (except the blank fields that are required to be filled in Standard Contractual Clauses), such modifications shall not be recognized by the Competent Authority and shall be deemed a violation of the provisions of the Law and Regulations.

  6. Standard Contractual Clauses can involve more than two parties, so Controllers and additional Processors can join these Clauses as Personal Data Exporters or Personal Data Importers, depending on the nature of their role throughout the duration of the contract.

  7. Personal data may not be transferred under the Standard Contractual Clauses if the laws and regulations of the recipient country or international organization prevent the Personal Data Importer from complying with the Standard Contractual Clauses.

  8. To ensure effective enforcement of these Clauses, the Personal Data Importer submits to the jurisdiction of the Kingdom and undertakes to comply with and enforce any binding decision under applicable Kingdom Laws and Regulations.

  9. The Personal Data Importer must agree to respond to the Competent Authority's requests and cooperate with its auditing procedures and approved compliance follow-up measures, including corrective measures and actions, and confirm to the Competent Authority in writing that the necessary actions have been taken.

  10. After the adoption of the Standard Contractual Clauses, if the Personal Data Exporter determines that the Personal Data Importer is unable or no longer able to fulfill the obligations set forth in these Clauses, or the Personal Data Importer notifies the Personal Data Exporter if there is reason to believe that the obligations set forth in these Clauses cannot be fulfilled, the Personal Data Exporter must suspend transfers unless alternative measures or guarantees are adopted that meet the requirements set forth in the Law and Regulations.

  11. The Competent Authority may, at its discretion, make any change to the Standard Contractual Clauses contained in this document, and if any change is made, the Competent Authority will issue rules regarding transitional measures, as well as rules regarding the remaining validity period of agreements under the previous Standard Contractual Clauses.

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

1. Legal Function of SCCs

This section confirms that SCCs function as a legally recognized safeguard under Saudi PDPL for cross-border transfers. When applied correctly, they provide an appropriate guarantee that Personal Data continues to receive protection equivalent to that required within the Kingdom.

2. Mandatory Inclusion and Placement

The SCCs themselves define the mandatory provisions that must be incorporated into the contractual relationship between the Personal Data Exporter and Importer. These provisions can be integrated into the primary service or data processing agreement, or they can form a separate, standalone contract. In either case, their inclusion is not optional when SCCs are used as the transfer safeguard.

3. No Reduction of PDPL Obligations

The use of SCCs does not replace or reduce the obligations imposed by the Law and Regulations. All parties remain fully accountable for compliance with Saudi PDPL requirements throughout the processing lifecycle.

4. Prohibition on Conflicting Clauses

Contracts containing SCCs may not include any terms that contradict, override, or limit their protections. Additional clauses are permitted only if they strengthen protection or address operational matters without undermining SCC requirements.

5. Strict Text Integrity

Any modification to the approved SCC text, other than completing required blank fields, is not recognized by the Competent Authority and is considered a violation of the Law and Regulations. This strict rule ensures the SCCs remain a standardized, enforceable safeguard and prevents parties from diluting the mandated level of protection.

6. Multi-Party Participation

The Rules explicitly allow multiple Controllers and Processors to join SCCs over time, enabling complex processing chains and onward transfers, provided each party’s role is clearly defined.

7. Legal Feasibility of Compliance

Transfers may not proceed if the recipient country’s laws or regulations prevent the Personal Data Importer from complying with SCC obligations. This embeds a legal feasibility check into every SCC-based transfer.

8. Jurisdiction and Enforcement

The Personal Data Importer must submit to the jurisdiction of the Kingdom, accept SDAIA oversight, and comply with binding decisions. This ensures enforceability even when data is processed outside Saudi Arabia.

9. Audit Cooperation and Corrective Action

Importers must cooperate with SDAIA audits, implement corrective measures when required, and formally confirm compliance actions. This reinforces ongoing regulatory supervision.

10. Suspension of Transfers

If SCC compliance becomes impossible, transfers must be suspended unless alternative lawful safeguards are implemented. This creates a continuous compliance obligation, not a one-time contractual check.

11. Regulatory Evolution and Transition

SDAIA retains full authority to amend SCCs and define transitional rules. Organizations must monitor updates and ensure timely migration to revised clauses within any defined transition period.
