Guidelines for Binding Common Rules (BCR) For Personal Data Transfer
Introduction
The Personal Data Protection Law, issued by Royal Decree No. (M/19) dated 9/2/1443 AH (the "Law") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH, sets out the conditions under which Personal Data may be transferred outside the Kingdom. Based on those provisions, the Regulation on the Transfer of Personal Data Outside the Kingdom (the "Transfer Regulation") sets out the provisions to be followed upon transfer, including the Rules applied in cases where Controllers are exempted from the requirements to comply with the level of protection and the minimum level of transfer of Personal Data stipulated in sub-paragraphs (b) and (c) of Paragraph (2) of Article (29) of the Law and the provisions of the Transfer Regulation.
Purpose
The purpose of these rules is to ensure that a level of protection for personal data is applied that is not less than the level of protection prescribed by the Law and its Regulations. This is achieved by specifying obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organization that does not have an adequate level of protection for personal data. This document provides comprehensive instructions for a range of entities operating within and outside the Kingdom regarding the preparation of Binding Common Rules. Binding Common Rules are considered one of the appropriate safeguards that data controllers may use, in addition to processors acting on behalf of and based on the instructions of the data controller. They are also used alongside standard contractual clauses and certifications from an entity licensed by the competent authority, in accordance with the provisions governing the transfer of personal data outside the Kingdom.
Definitions
The following terms and phrases, wherever stated in these clauses, shall have the meanings assigned to each of them unless the context indicates otherwise:
The Kingdom: The Kingdom of Saudi Arabia (KSA).
The Law: The Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) dated 9/2/1443 AH ("The Law") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
Regulations: The "Implementing Regulations of the Law", including both the "Implementing Regulations" and the Regulations for the Transfer of Personal Data Outside the Kingdom.
The Competent Authority: Saudi Data & AI Authority (SDAIA).
Appropriate Safeguards: The requirements imposed by the Competent Authority on Controllers, which include adherence to the Law and Regulations when transferring or disclosing Personal Data to entities outside the Kingdom. This applies in cases where exemptions are granted from the conditions for providing an appropriate or minimum level of Personal Data protection, so as to ensure that Personal Data transferred outside the Kingdom receives a level of protection that meets at least the standards prescribed by the Law and Regulations.
Binding Common Rules (BCR): Rules established by the Controller, applicable to each Controller and processing party within a group of multinational entities, that ensure appropriate protection for Personal Data transferred outside the Kingdom at a level not less than that prescribed by the Law and Regulations.
International Organizations: A legal body comprising members from at least three countries and operating in multiple sovereign states, established through a formal legal document, such as a treaty or agreement based on international law, that defines the aims and objectives of the organization, its structures, its decision-making powers and its jurisdiction (e.g., the United Nations, the World Bank, the League of Arab States, the Arab Monetary Fund). These organizations engage in international activities and must comply with various Personal Data protection laws across different jurisdictions.
Transfer of Personal Data: Transfer or disclosure (or granting of access) of Personal Data from the Kingdom of Saudi Arabia to Controllers, Processors, or other recipients in countries or international organizations other than the Kingdom of Saudi Arabia, where neither the Personal Data Exporter nor the Personal Data Importer is a Data Subject.
Third Party Data Transfers/Subsequent Transfers: The transfer of Personal Data from an external country or international organization to Controllers or Processors within the same country/organization or in another country/organization.
Group of Entities: A set of legal entities engaged in joint economic activities such as franchising, joint ventures, or professional partnerships. These entities operate under shared control, for example through ownership, common economic interests, financial participation, or governance rules.
Scope
This document specifies the requirements and guidelines related to Binding Common Rules. It applies to data controllers or processors based on the instructions of the data controller and on their behalf, without prejudicing the responsibilities of the data controller to the competent authority or the data subject, as applicable, when transferring personal data outside the Kingdom to a country or international organization that does not have an appropriate level of Personal Data protection.
The Geographical Scope of Binding Common Rules
The geographical scope of the Binding Common Rules includes all Personal Data transfers made by Controllers located within the Kingdom to any country/organization outside the Kingdom.
Requirements for Binding Common Rules
1. The Group of Entities must ensure that the Binding Common Rules (BCR) include Controllers' obligations stipulated in the PDPL and Regulations, in addition to the rights of Data Subjects, including claiming compensation for damage resulting from violation of such rights.
2. The Group of Entities, including the Personal Data Importer, must cooperate with the competent authority, comply with all its requests and inquiries, and provide the necessary documents and information to ensure adherence to the Binding Common Rules.
3. BCR must be approved internally by the authorized person within the Group of Entities. This process includes reviewing and validating all the data protection measures and compliance mechanisms to be taken regarding Personal Data protection.
4. BCR shall be legally enforceable on every member of the Group of Entities and provide a consistent standard of data protection. Every member of the Group of Entities that receives the relevant Personal Data must comply with the provisions set out in the Law and Regulations.
5. In addition to the BCR, detailed policies shall be developed on data protection, Data Subject rights, security measures, audit programs, and mechanisms for handling data breach incidents and complaints, in compliance with the Law and Regulations.
6. Binding Common Rules are subject to the laws in force in the Kingdom, and any dispute arising from the application of the rules shall fall under the jurisdiction of the courts of the Kingdom. The Personal Data Importer(s) within the Group of Entities agree to submit to the jurisdiction of the Kingdom.
Guidelines
General guidelines
1. Parties to a binding agreement shall ensure that none of its provisions conflict with the Binding Common Rules (BCR) or limit their scope of application.
2. The Controller must provide the competent authority, upon request, with evidence of its compliance with the Binding Common Rules, Law, and Regulations.
3. The Controller must establish an effective and prompt incident response plan to address Personal Data breach incidents, damage, or unauthorized access.
4. The Binding Common Rules must include procedures for notifying the competent authority and data subjects upon discovering a data breach that could harm the transferred personal data or the data subjects, or that conflicts with their rights or interests.
5. Updates to the list of members under the Binding Common Rules may be made under the following conditions:
a. Maintaining an updated record of members of the Binding Common Rules, data processors, and sub-processors involved in personal data processing activities, and facilitating data subjects' access to the list of members of the Binding Common Rules.
b. Keeping a report that explains the reasons for the updates or changes to members' record.
6. The exemption status under the Binding Common Rules does not apply if the Data Controller fails to implement them, or if the competent authority finds them inadequate.
Details of the Entity Implementing the BCR
FIRST SECTION
This section should be used to document details about the entity within the Group of Entities that is implementing the Binding Common Rules (BCR).
1. Name of the Group: Provide the official name of the Group of Entities, for example: "**** Group".
2. Address of the Headquarters of the Group: Specify the complete address of the main headquarters of the Group of Entities, for example: "123 Main Street, Riyadh, Saudi Arabia".
3. Name of the Entity: State the name of the entity within the Kingdom of Saudi Arabia responsible for the BCR, according to the commercial registration number of that entity, and confirm that such entity has the financial capability to provide compensations for any liabilities under the BCR, for example: "****** Company".
4. Legal Form of the Entity: Indicate the legal form of the entity, for example: "Corporation".
5. Commercial Registration Number of the Entity: Provide the commercial registration number assigned to the entity by the relevant Saudi Arabian authority, for example: "123******".
6. Address of the Entity in the KSA: Enter the full address of the entity within the Kingdom of Saudi Arabia, for example: "457 Industrial Zone, Jeddah, Saudi Arabia".
7. Registration Number of the Entity at the Competent Authority: Provide the registration number assigned by the Competent Authority, if available, for example: "987754321".
8. Business Sector of the Entity: Specify the business sector in which the entity operates, for example: "Information Technology".
9. Name, Address, and Commercial Registration Number of All Entities of the Group Inside the Kingdom: List all entities within the Group located in Saudi Arabia, along with their addresses and commercial registration numbers, for example: "**** Riyadh, 789 Commerce St, Riyadh, CR No.112233", "**** Jeddah, 457 Trade Rd, Jeddah, CR No. 44****".
10. Position of the Entity Within the Group: Describe the role or position of the entity within the Group of Entities structure worldwide, for example: "Regional Headquarters for the Middle East".
11. Name and Position of the Person in Charge of the BCR: Provide the full name and job title of the individual responsible for managing the BCR, for example: "Abdulrahman, Personal Data Protection Officer".
12. Contact Details of the Person (Point of Contact) - (Address, Email, Phone Number): Enter the contact details for the point of contact, including their address, email, and phone number, for example: "789 Compliance Blvd, Riyadh, Saudi Arabia, Abdulrahman@example.com, +966-000-000***".
13. Name, Title, and Full Contact Details of Any Representative(s) Instructed to Act on Behalf of the Entity: Provide the details of any external legal or advisory professionals assisting with the BCR documentation, if any, for example: "Amal, Senior Counsel, Legal Advisors, Amal@example.com, +966-000-00****".
14. Additional Documents to Be Provided as an Annex: Include a detailed chart illustrating the organizational structure and geographical location of all Group members bound by the BCR.
Description and Details to Be Covered by the BCR
SECOND SECTION
1. Type or Categories of Personal Data to be Transferred and Covered by the BCR: Specify the types or categories of Personal Data that will be transferred under the BCR. This shall include a clear description of the data types.
2. Categories of Data Subjects Whose Personal Data to Be Transferred: Identify the categories of Data Subjects whose Personal Data will be transferred in addition to those affected by the transfer.
3. Purposes of Transferring Personal Data: Clearly state the reasons for transferring Personal Data outside the Kingdom. Explain the processing activities that will occur after the data has been transferred.
4. Countries to Which Personal Data to Be Transferred: List all the countries to which Personal Data will be transferred under the BCR. Ensure each country is specified accurately.
5. Frequency of Transfer: Indicate how often Personal Data will be transferred. Choose from "One-Off," "Continuous," or "Periodic," and provide further details if necessary.
6. Contractual Arrangements: Detail any contractual arrangements regarding the use of Controllers and their contracted Processors, along with their compliance with the BCR.
7. Additional Documents to Be Provided as an Annex: List the additional documents that should be included as annexes to provide further clarity and support for the BCR.
Binding Nature of the BCR
1. Binding Characteristics of the BCR: Demonstrate and specify how the BCR are to be made binding on the members of the Group:
- Intra-Group Agreements: Describe the legally binding agreements within the Group that enforce the BCR. Include details on how these agreements are formulated and signed by all relevant entities.
- Undertakings by the Parent Company: Explain any undertakings imposed by the parent company on the members of the Group.
- Binding Requirements: Outline the specific binding requirements that the Group members shall be burdened with. Provide references to internal documents or legal provisions that enforce these requirements.
Controllers have the right to enforce the BCR against any BCR member for any violation of the agreed-upon texts. All BCR members have agreed to this provision as part of their commitments.
2. Enforcement by Members of the Group: Describe the enforcement mechanisms available to Group members within the Kingdom and internationally. Include any specific procedures for reporting and addressing non-compliance.
Example: The BCR can be enforced by any member of the Group through established internal reporting mechanisms and compliance programs. Members established in the Kingdom have specific procedures to escalate issues to the Group’s Data Protection Officer, who coordinates with the Competent Authority to ensure enforcement.
3. Binding upon Employees: Explain how the BCR will be made binding upon the employees of the Group members.
- Employment Contract: Describe how BCR obligations are included in employment contracts.
- Company Policies: Explain how the BCR texts are included in relevant company policies.
- Disciplinary Sanctions: Provide details on disciplinary measures for non-compliance with BCR.
4. Obligations on Sub-Processors: Describe the contractual obligations imposed on Sub-Processors, including the measures taken in case of non-compliance.
5. Third-Party Beneficiary Rights: Describe the measures taken to enable Data Subjects to exercise their rights and seek redress. Include details on how these rights are respected and how Data Subjects can seek redress in case of a violation of their rights.
6. Transparency in Regard to BCR: Describe the communication means and channels used to make the BCR accessible to Personal Data Subjects. Include details on channels available for Personal Data Subjects, such as websites or other accessible platforms.
7. Awareness and Training: Describe how employees of the Group members will be trained for compliance with and be made aware of the obligations and requirements set out in the BCR. The training program must ensure that all employees understand their responsibilities and the Personal Data Protection requirements stipulated in the Law and Regulations.
8. Complaint Handling: Describe the mechanisms that will be implemented to ensure efficient handling of complaints regarding the BCR and related transfers outside the Kingdom. It should be made clear that Personal Data Subjects can easily submit complaints and that these complaints are addressed promptly and effectively.
9. Auditing Process: Describe the auditing process that will be implemented to ensure compliance with the BCR by each member of the Group. It should include sufficient information on the audits.
Cooperation with the Competent Authority
This section outlines the principles and procedures for cooperation between the Group of Entities and the Competent Authority. It ensures that the Group complies with the requirements set by the Competent Authority, facilitating effective oversight and ensuring adherence to the BCR, laws and regulations applicable in the Kingdom.
- Cooperation with the Competent Authority: Explain the general principles and obligations of the Group of Entities in cooperating with the Competent Authority. This emphasizes the Group members' commitment to transparency, responsiveness and collaboration in all matters related to data protection, including the following:
• Provide a statement affirming the Group's commitment to cooperate fully with the Competent Authority.
• Identify the designated contact point within the Group who will handle requests from the Competent Authority, and include the roles and contact information.
• Outline the procedures for responding to requests, inquiries, and inspections from the Competent Authority. Specify the timelines for providing information and documentation.
• Describe any regular reporting obligations to the Competent Authority, including the types of reports and their content.
- Compliance with the Competent Authority's Directives: Describe how the Group and its members will comply with the Competent Authority's directives regarding the BCR and the processing of Personal Data.
- The Right of the Competent Authority to Follow up on Compliance: Describe how the Competent Authority can follow up on the Group's compliance with the BCR and the provisions of the Law and Regulations.
Personal Data Protection Measures
Provide detailed explanations of how data protection measures are implemented through the Binding Common Rules (BCR). Supporting documents and references relevant to the BCR must be provided.
• Appointment of Personal Data Protection Officer(s): Detail the process for appointing Data Protection Officers (DPOs) responsible for overseeing data protection compliance. Include the criteria for selection, roles, and responsibilities in accordance with the provisions of the Law and Regulations.
• Cooperation among the network of Personal Data Protection Officer(s) within the Group: Describe how DPOs within the Group cooperate to ensure consistent Personal Data protection practices.
• Roles and Responsibilities of the individuals involved and their cooperation with the network of Personal Data Protection Officer(s) within the Group: Define the roles and responsibilities of Personal Data Protection Officers and their interaction with relevant individuals.
• Requirements for Transparency: Specify the measures taken to ensure transparency in Personal Data processing activities conducted by the entity, without prejudice to the Law and Regulations.
• Requirements for Personal Data Processing: Describe how Personal Data is processed while ensuring compliance with the BCR in accordance with the Law and Regulations.
• Requirements for Purpose Limitation and Legal Basis: Detail how Personal Data processing is limited to specific, legitimate purposes in accordance with a legal basis and in compliance with the provisions of the Law and Regulations.
• Requirements for Minimum Amount of Personal Data: Outline the measures taken to ensure only the minimum necessary Personal Data is collected and processed, in compliance with the provisions of the Law and Regulations.
• Requirements for Personal Data Retention and Deletion Periods: Specify the retention and deletion periods for Personal Data in accordance with the provisions of the Law and Regulations, along with an explanation of the data retention and destruction policies.
• Requirements for Sensitive Data (as the case may be): Describe the additional measures taken while processing Sensitive Data, in compliance with the provisions of the Law and Regulations.
• Requirements for Maintaining Records of Personal Data Processing Activities: Describe how records of Personal Data processing activities are maintained, in compliance with the provisions of the Law and Regulations.
• Requirements for Impact Assessment: Explain the procedures for conducting data protection impact assessments (DPIAs), in compliance with the provisions of the Law and Regulations.
• Requirements for Personal Data Quality: Describe the measures taken to ensure data accuracy and quality, in compliance with the provisions of the Law and Regulations.
• Requirements for Personal Data Security: Describe the security measures in place to protect Personal Data, in compliance with the provisions of the Law and Regulations.
• Requirements for Personal Data Breach Incident Notifications: Describe the procedures and measures taken for notifying Personal Data breach incidents, in compliance with the provisions of the Law and Regulations.
• Restrictions Regarding Subsequent Transfers: Describe the restrictions on transferring Personal Data to third parties, in compliance with the provisions of the Law and Regulations.
• Requirements for Conducting Transfer Impact Assessment: Describe the procedures for assessing the impact of Personal Data transfers, in compliance with the provisions of the Law and Regulations.
Appendices
Appendix 1: Documentation of Details of the Entity Implementing the Binding Common Rules
a. Instructions
• When required, an electronic copy of the BCR will be provided to the Competent Authority. Additional documents can be attached as appropriate.
• Additional documents are included in the last section of the application form.
b. Entity Information
For more details regarding the templates, see the Appendices of the Guidelines for Binding Common Rules (BCR) for Personal Data Transfer.