Cross Border Data Transfers in KSA: Standard Contractual Clauses vs. Binding Common Rules
The issue of cross-border personal data transfer in the Middle East is developing and very much on the radar of businesses in the region. Recently, the offshore jurisdictions of the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) in the UAE, and the Qatar Financial Centre (QFC) in Qatar, announced that they recognise one another as jurisdictions with an adequate level of protection, thereby allowing cross-border transfers between them without any further safeguards or transfer mechanisms.
In this article we look at the regulatory framework for data transfer outside the Kingdom of Saudi Arabia (KSA) and weigh up the advantages and disadvantages of the alternative approaches available to data controllers: simpler, prescriptive Standard Contractual Clauses (SCCs) or more comprehensive and flexible Binding Common Rules (BCRs).
The Framework
In KSA, the Competent Authority for the protection of personal data is the Saudi Data & Artificial Intelligence Authority (“SDAIA”). SDAIA is responsible for implementing and enforcing the Personal Data Protection Law (“PDPL”) and the Regulation on Personal Data Transfer Outside the Kingdom (the “Transfer Regulation”).
The starting point, pursuant to PDPL Article 29, is that a data controller may transfer personal data, or disclose it to a party, outside of KSA for any of the following purposes:
- performing an obligation under an agreement to which KSA is a party.
- serving the interests of the Kingdom.
- performing an obligation to which the data subject is a party.
- fulfilling other purposes as set out in the Transfer Regulation.
The transfer must be limited to the minimum amount of personal data needed, and it must not cause any prejudice to national security or the vital interests of the Kingdom.
Article 2 of the Transfer Regulation expands on the permitted purposes: a controller may transfer personal data outside of KSA when:
- conducting processing operations that enable the controller to carry out its activities, including central management operations.
- providing a service or benefit to the data subject.
- conducting scientific research and studies.
The transfer must not prejudice the data subject’s ability to exercise rights guaranteed in the PDPL and Executive Regulations, or the ability to withdraw consent to processing.
Nor may the transfer prejudice the controller’s ability to: comply with the requirements for notifying a personal data breach; adhere to the provisions, controls and procedures for disclosing personal data; comply with the provisions and controls for destroying personal data; or take the necessary organisational, administrative and technical measures to ensure the security of personal data.
The question many data controllers in KSA ask is which method is best for performing a cross-border transfer. There are four possible routes.
If a country or international organisation is deemed by SDAIA to provide a level of protection for personal data that is not less than that prescribed by the PDPL and its Executive Regulations, then the transfer may take place (subject to various controls). Per Article 3 of the Transfer Regulation, SDAIA must publish a list of approved countries and international organisations; to date, that list has yet to be released.
In the absence of an adequate level of protection, and until release of the list of approved countries and international organisations, the controller may, subject to a risk assessment, transfer personal data outside of KSA provided that the regulatory requirements of that country do not negatively affect the privacy of the data subject or the controller’s ability to enforce appropriate safeguards. In such case the controller must implement one of the following appropriate safeguards:
- Standard Contractual Clauses (SCCs).
- Binding Common Rules (BCRs).
- Certificate of Accreditation (CoA).
Defining the SCCs
SDAIA has issued a suite of SCC templates (controller–controller, controller–processor, processor–processor, and processor–controller) that operate as an approved contract between the “Personal Data Exporter” in KSA and the “Personal Data Importer” abroad. The key points under SDAIA’s SCC guidance are:
- The clauses are essentially a fixed template. SDAIA explicitly states that parties may only fill in the blank fields and select the appropriate template/appendices, noting that any substantive modification to the text “shall not be recognised by [SDAIA] and shall be deemed a violation . . . .”
- The Personal Data Importer must submit to KSA law and the jurisdiction of the KSA courts, and must undertake to cooperate fully with SDAIA (including audits, corrective measures and compensation where ordered). This is required even if the Personal Data Importer is offshore with no presence or operations in KSA.
- SCCs cannot be used if the laws of the Personal Data Importer’s country would prevent the Personal Data Importer from complying with the clauses.
In other words, SCCs are highly prescriptive. If used as a formal safeguard, they should be adopted verbatim. Any additional or commercial terms must be set out in a separate, standalone document, not attached to or incorporated into the SCCs as would be normal commercial practice.
Defining the BCRs
BCRs, as defined in SDAIA’s BCRs Guidelines, are a set of internal, group-wide rules adopted by a group of entities (inside and outside KSA) that act as a kind of “internal data protection framework” for all cross-border transfers within that group.
Some key features from SDAIA’s BCRs Guidelines are that:
- BCRs must cover the controller’s obligations under the PDPL and its Executive Regulations and must reflect the rights of data subjects, including the right to compensation.
- The BCRs must be legally binding on every entity in the group that is subject to them and must be enforceable both externally by data subjects and internally within the group. The implicit intent of the BCRs is therefore to cover groups headquartered in KSA with various subsidiaries structured offshore: the BCRs provide an umbrella of protection extending from the KSA headquarters down to the offshore subsidiaries that transfer personal data between themselves.
- The group must maintain policies, audit programs, breach-notification procedures, complaint handling and governance structures (including the appointment of DPO(s)) that evidence practical compliance with SDAIA’s BCRs requirements. In this sense the BCRs are not a contract, but part of a larger compliance structure.
- The BCRs are subject to KSA law and the jurisdiction of the KSA courts, and the group should be able to provide SDAIA, if requested, with evidence of compliance and an up-to-date record of BCR members, processors and sub-processors.
SDAIA’s BCRs Guidelines also make clear that BCRs are an exemption mechanism that may be rejected if the controller fails to implement them properly or if SDAIA finds them inadequate.
Comparative Analysis
From a legal standpoint, both SCCs and BCRs are acceptable appropriate safeguards, provided that all other conditions for offshore personal data transfer are met. Although they differ in how prescriptive they are, both provide a degree of transparency when conducting offshore data transfers. When choosing between them, the advantages and disadvantages of each option depend on the motivations, incentives, and goals of the controller.
The SCCs are more precise in that they provide a regulator-approved contract governing personal data transfers between exporters and importers. SCCs can involve more than two parties, so controllers and additional processors can join these clauses as exporters or importers, depending on the nature of their role throughout the duration of the contract. Proving compliance by way of the SCCs is arguably more straightforward because it involves simply using SDAIA’s standard template and inserting the names and corporate details of the exporter and importer. However, this may introduce a degree of rigidity whereby controllers and corporate groups are unable to shape and craft the language of the applicable requirements in a way that best suits them.
In contrast, BCRs can be more comprehensive. Whilst BCRs would naturally apply to larger groups of entities, they arguably introduce an element of uncertainty. That said, the BCRs are more flexible and, rather than requiring prescriptive language, allow the controller a degree of freedom to shape and craft the requirements set out in SDAIA’s BCRs Guidelines in a way that best suits the group.
However, adopting the BCRs can be a significant investment, as it entails a comprehensive compliance framework and not just a single documented contract as with the SCCs. Entities that are unable to make such an investment may prefer to avoid the BCRs, as intensive and ongoing requirements such as training, audits, and complaint mechanisms must be put in place and shared with SDAIA upon request.
On the other hand, that investment could be seen as compelling by other regulators or stakeholders. Entities whose activities fall under other regulatory oversight (e.g., the Capital Market Authority (CMA) or the Saudi Central Bank (SAMA) for financial institutions), or that work in sensitive industries or with major in-Kingdom institutions, may be encouraged to invest in a robust compliance framework with fully functioning BCRs rather than case-by-case SCCs.
Conversely, businesses with lower budgets may be best served by adopting SCCs.
Relatedly, the BCRs require disclosure to SDAIA of the corporate structure chart of the group. Where a corporate group wishes to transfer personal data offshore without disclosing the shareholding and ownership of the related entities, the SCCs may be preferred instead of the BCRs.
If the SCCs are more objective (meaning compliance is easily proven by using the prescribed template), then the BCRs are more subjective. In other words, controllers choosing to comply by way of the BCRs must have a higher risk appetite, because the subjective nature of the BCRs necessarily leaves SDAIA room for interpretation if an investigation into the group’s compliance is opened.
Going forward, an additional route available in KSA for the transfer of personal data outside of KSA will be via a Certificate of Accreditation. The PDPL provides that SDAIA shall issue regulatory rules for licensing entities that issue accreditation certificates for controllers and processors. It also provides that SDAIA will coordinate with the Digital Government Authority regarding licensing for entities providing services on behalf of government entities.
Conclusion
In situations where there is an equal choice to be made between the SCCs and BCRs, controllers should consider their current status in the market and their long-term goals when conducting transfers of personal data outside of KSA. Controllers that remain unsure of the appropriate approach may wish to start with the more straightforward, less costly option of the SCCs, and then consider moving to the BCRs if circumstances justify doing so in the longer term.