Contractual clauses for personal data transfers: The Saudi Data and AI Authority (SDAIA) is seeking public consultation on a proposed set of contractual clauses that, if approved, would become binding in all contracts relating to the access and sharing of Saudi nationals’ personal data with countries or organizations that don’t meet adequate data protection standards. Stakeholders have until Friday, 30 August, to share feedback on the government surveying platform Istitlaa. Here’s the full proposal: standard contractual clauses for personal data transfer (pdf).

Background: SDAIA launched public consultations in March on a draft policy to regulate access to and the sharing of Saudi data outside of the Kingdom. The new regulations were introduced against the backdrop of the increasing downside risks that arise with tech advancements. The rules regulate how public and personal data must be handled during its collection, storage, processing, dissemination, and use, with an emphasis on the who, what, when, where, why and how of sharing data with parties outside the Kingdom.

The rationale: The proposed contractual clauses ensure that personal data transferred outside of the Kingdom gets the same level of protection as required by the law. They specify the obligations of the parties involved, primarily data controllers and processors. A data controller is the entity that owns the data, and the processor is the entity on the receiving end.

Notification requirement: If the data importer is unable to meet its obligations under these clauses for any reason, it must notify the data exporter within 24 hours of becoming aware of the issue.

Data protection obligations: The contracting parties must ensure that the specified organizational, administrative, and technical measures provide adequate protection for transferred personal data in line with applicable legal requirements. The data importer is responsible for applying these security measures to all personal data to prevent breaches, unauthorized access, or other risks. Additionally, the data importer must periodically review and update these measures to ensure ongoing compliance with the relevant regulations.

Have inquiries about the use of your personal data? Data importers and exporters are obliged, under the proposed clauses, to handle and respond to any queries or requests from the owner of the data about how their data is being processed and what their rights are in that regard, within 30 days of receiving the request. If the request is complex, the duration may be extended by another 30 days, while notifying the data owner in advance with an explanation for the delay.

Enforcement + jurisdiction: The proposed guidelines indicate that disputes related to such contracts are to be handled by Saudi Arabian courts.
