Standard Contractual Clauses For Personal Data Transfer – Scope outlines when and to whom these SCCs apply. It emphasizes that the clauses are mandatory for data transfers from Saudi Arabia to countries or international organizations lacking an appropriate level of personal data protection. Even if a processor acts on behalf of the controller, the controller retains full responsibility for complying with the PDPL, including any obligations toward SDAIA and the individuals whose data is being transferred.
Scope
This document specifies the Standard Contractual Clauses issued by the Competent Authority in Appendix (1) of this document. These Clauses also apply to data controllers or Processors based on the instructions of the data controller and on their behalf, without prejudicing the responsibilities of the data controller to the competent authority or the data subject, as applicable, when transferring Personal Data outside the Kingdom to a country or international organization that does not have an appropriate level of Personal Data protection.
Explanation of Standard Contractual Clauses For Personal Data Transfer – Scope
Mandatory Application
Standard Contractual Clauses For Personal Data Transfer – Scope says that the SCCs defined in Appendix (1) must be used when transferring personal data outside KSA to non-adequate countries or international organizations.
Applies to Both Roles
Standard Contractual Clauses For Personal Data Transfer – Scope also says that these clauses apply directly to controllers and, where relevant, to processors acting on the controller’s behalf, following the controller’s instructions.
Controller Remains Responsible
Standard Contractual Clauses For Personal Data Transfer – Scope says that using a processor does not remove or reduce the controller’s obligations toward SDAIA or data subjects under the PDPL.
