Saudi Arabia: Implemented SDAIA Guidelines for Binding Common Rules (BCR) for Personal Data Transfer

On 2 September 2024, the Guidelines for Binding Common Rules (BCR) for Personal Data Transfer issued by the Saudi Arabia Authority for Data and Artificial Intelligence (SDAIA) entered into force. The Guidelines clarify the obligations of entities transferring personal data outside Saudi Arabia to entities in countries or international organisations not recognised for providing an adequate level of personal data protection. The initiative is grounded in the Personal Data Protection Law, as amended by Royal Decrees No. (M/19) and No. (M/148), and aims to ensure that the protection afforded to personal data transferred internationally meets or exceeds the standards set within the Kingdom. The Guidelines outline the process for creating Binding Common Rules (BCR) for controllers or processors involved in such data transfers, providing instructions for entities operating both within and outside Saudi Arabia on developing these BCRs to comply with the Transfer Regulation and the Personal Data Protection Law.