On September 1, 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) issued the Regulation on Transfer of Personal Data Outside Saudi Arabia (the “Data Transfer Regulations”), which amends the transfer regulations under the Personal Data Protection Law, promulgated by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH (the “PDPL”). SDAIA also published additional information on standard contractual clauses and binding common rules, two of the appropriate safeguards for data transfers outside of Saudi Arabia, as well as a number of rules and guidelines related to the PDPL. Our preliminary conclusions are summarized below.
Provisions on the transfer of personal data abroad
On September 1, 2024, SDAIA issued the Data Transfer Regulations, which revise the previous version of the regulations. Several key points to note are as follows:
- The Data Transfer Regulations retain concepts similar to those in the previous version regarding adequate jurisdictions and permitted transfer purposes.
- Where a jurisdiction is not deemed adequate, the Data Transfer Regulations, like the previous version, allow a transfer to proceed on the basis of appropriate safeguards. However, the number of available safeguards has been reduced from four to three, with a “binding code of conduct” no longer listed as an appropriate safeguard under the Data Transfer Regulations.
- Article 4 of the Data Transfer Regulations appears to indicate that a controller relying on one of the three appropriate safeguards (standard contractual clauses, binding common rules or certification) will be exempted from the obligation to limit the data transferred to the minimum amount of personal data required (i.e. the data minimization principle).
- The Data Transfer Regulations provide for risk assessments to be conducted in a manner similar to the previous version. However, the circumstances in which a risk assessment is required have changed. Under the previous version, a risk assessment was required if the transfer relied on appropriate safeguards, or if the controller could not rely on appropriate safeguards and no adequacy decision had been issued. Under the Data Transfer Regulations, a risk assessment is required if the controller has implemented appropriate safeguards, or if sensitive data is being transferred to entities outside Saudi Arabia on an ongoing or large-scale basis. In other words, the scope of the obligation to conduct a risk assessment has been narrowed.
The Data Transfer Regulations can be found here.
Appropriate safeguards
Binding Common Rules
SDAIA has published guidance on binding common rules for the transfer of personal data (the “BCR Guidelines”). The BCR Guidelines provide instructions on how organizations should prepare their BCRs. The BCRs apply to a “group of entities” (i.e. a group of legal entities engaged in joint economic activities and operating under common control), all of which must comply with the PDPL and its regulations.
Regarding their content, the BCRs must set out the controller’s obligations under the PDPL, the rights of data subjects, and the procedures for notifying the competent authority and data subjects in the event of a data breach. The BCR Guidelines also require that records of the members bound by the BCRs, and records of processors and sub-processors, be maintained. They set out how the BCRs bind the members of the group of entities, and how the group cooperates with the competent authority and ensures compliance with the BCRs and with KSA laws and regulations.
The BCR Guidelines can be found here.
Standard Contractual Clauses
On September 1, SDAIA also issued the Standard Contractual Clauses for the Transfer of Personal Data (the “SCCs”), one of the appropriate safeguards provided for in the Data Transfer Regulations. Implementing the SCCs helps ensure that personal data transferred outside of the KSA is protected to the same level as required under the PDPL. A few key points about the SCCs are as follows:
- The SCCs resemble the EU SCCs in many respects. For example, as with the EU SCCs, four versions have been issued (controller to processor, controller to controller, processor to controller, and processor to processor). In addition, any modification of the SCCs renders them invalid, and where the SCCs are incorporated into a contract, the provisions of that contract may not conflict with the SCCs.
- The SCCs also require data importers to comply with KSA laws, and to comply with and enforce any binding decisions issued under KSA laws and regulations. This is particularly significant for importers located outside the KSA, as the provision indicates that such importers will themselves be responsible for complying with PDPL obligations. It raises questions about the operational burden that international parties receiving personal data from the KSA may bear.
The SCCs can be found here.
SDAIA Rules and Guidelines
In addition to the above, SDAIA has published a series of rules and guidelines that provide further detail on the applicable framework or help facilitate compliance with other key areas of the PDPL, such as the appointment of a DPO, the implementation of a privacy policy and the maintenance of a RoPA. They are as follows:
- Rules for the Appointment of a Personal Data Protection Officer
- Guidelines for Developing and Implementing a Privacy Policy
- Guidelines for Determining the Minimum Personal Data Required
- Rules for the Management of the National Register of Controllers in the Kingdom
- Guidelines on the Destruction, Anonymization and Pseudonymization of Personal Data
- Guidelines on Personal Data Disclosure Cases
- Guidelines on Record-Keeping of Personal Data Processing Activities
These rules and guidelines can be found here.
If you have any questions regarding the above or regarding PDPL compliance generally, please feel free to contact a member of the Baker McKenzie team listed above.