Personal Data Transfer Outside the Kingdom and the Standard Contractual Clauses

On 26.8.24

The Saudi Data & AI Authority (SDAIA) published the Standard Contractual Clauses for Personal Data Transfer on the Public Consultation Platform on 15/08/2024; the document covers one of the four safeguards mentioned in the Implementing Regulations to the Personal Data Transfer Outside the Kingdom.

This bulletin will take you through the SDAIA proposed Standard Contractual Clauses templates (the Templates) and certain other possible Transfer methods based on the Personal Data Protection Law (the PDPL).

Scope of Application

All entities and individuals (Controllers and Processors) within the scope of the PDPL that transfer Personal Data outside of the Kingdom.

Summary

The SCC introduces the requirements of one of the four safeguards for transferring personal data outside the Kingdom. However, before summarizing the SCC, we would like to take you through the various possible ways of transferring Personal Data outside the Kingdom, which include:

  1. Transfer personal data to a country included in the adequacy list, which is a list that contains several countries that provide an adequate level of protection of personal data. Such list is yet to be published.
  2. In the absence of an adequate level of protection for Personal Data outside the Kingdom, a Controller may Transfer or disclose Personal Data outside the Kingdom, provided that the regulatory requirements in the country or the international organization do not prejudice the privacy of personal data subjects or the ability to enforce appropriate safeguards. The appropriate safeguards may be any of the following (subject to certain additional requirements under the regulations):
  • Binding Common Rules: where there are binding rules that apply to parties (inside and outside the Kingdom) involved in/with entities that engage in a joint economic activity (such rules are required to be approved by SDAIA (or the applicable competent authority) on a case-by-case basis);
  • Certifications of compliance: where a certificate is issued by an entity authorized by SDAIA (or the applicable competent authority) to an entity outside the Kingdom that applies the appropriate safeguards, together with the enforceable commitments from the Controller or Processor in the third country to apply the appropriate safeguards;
  • Binding Codes of Conduct: where codes of conduct are approved by SDAIA (or the applicable competent authority) based on the requests submitted in each case separately, together with the enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards; and
  • Standard Contractual Clauses: where clauses are added to applicable contracts to ensure a sufficient level of protection for Personal Data when transferred outside the Kingdom (to any other entity or individual), in accordance with the form of clauses issued by SDAIA (or the applicable competent authority). The proposed Templates that are the subject of this bulletin address this safeguard.

IMPORTANT NOTE: The Standard Contractual Clauses safeguard would not permit Personal Data to be transferred if the laws and regulations of the recipient country or international organization prevent the Data Importer from complying with the Standard Contractual Clauses.

  3. If none of the safeguards apply, the Transfer of Personal Data may still be possible to the extent any of the exceptions below apply:
  • Transferring data in the cases of extreme necessity to preserve the life or vital interests of the Data Subject or to prevent, examine, or treat disease.
  • The Transfer is necessary for the performance of an agreement to which the Data Subject is a party.
  • If the Controller is a Public Entity and the Transfer is necessary to protect the Kingdom's national security or the public interest.
  • If the Controller is a Public Entity and the Transfer (or Disclosure) is necessary for the investigation or detection of crimes, or the prosecution of their perpetrators, or for the execution of penal sanctions.

The Templates seek to regulate and provide a solution that enables entities to transfer Personal Data to entities or individuals outside of the Kingdom that are in jurisdictions which may not necessarily provide a level of protection equivalent to that required under Saudi Arabian law. Entities or individuals wishing to transfer Personal Data to such foreign entities or individuals would be required to incorporate the applicable Templates into their contracts with the foreign party to ensure that the data is handled with the highest level of security and compliance.

We note that there are general clauses that apply to all contractual situations, as well as other clauses of a specific nature according to the following different roles:

  1. a Controller in the Kingdom where it is transferring data to another Controller abroad;
  2. a Controller in the Kingdom where it is transferring data to a Processor abroad;
  3. a Processor in the Kingdom where it is transferring data to another Processor abroad; and
  4. a Processor in the Kingdom where it is transferring data to a Controller abroad.

The variation in the clauses is due to the different requirements for Controllers and Processors under the law and its implementing regulations, since a Controller is the party that specifies the purpose and manner of processing personal data, while the Processor is the party that processes Personal Data for the benefit and on behalf of the Controller.

Since the parties may have more than one role under the data Transfer arrangements, more than one clause may be applicable and would be required to be included in the applicable agreements between the parties.

Another important note is that the use of the Templates (and the SCC safeguard) is premised on the fact that the Data Importer must submit to the jurisdiction of courts and judicial committees of the Kingdom and must undertake to comply with any binding decision issued under applicable laws of the Kingdom.

The Expected Effect

Until SDAIA publishes the adequacy list and the other expected rules and guidelines regarding the rest of the safeguards, the SCC provides Controllers and Processors in the Kingdom an avenue for transferring personal data to any Controller or Processor outside of the Kingdom which may not be on the adequacy list.

Link to the Resolution

Standard Contractual Clauses for Personal Data Transfers (ncc.gov.sa)

Publication in the Official Gazette

N/A

The Effective Date

The document is on the Public Consultation Platform from 15/08/2024 until 30/08/2024; after that, the competent Authority will reflect the comments and publish the final approved version on its website. Such date is yet to be determined.

Note: the capitalized terms used herein shall have the meanings ascribed to such terms in the PDPL and its Implementing Regulations.
