Processor to Controller

Processor to Controller

Capitalised terms used but not defined in these Clauses (including the Appendices) shall have the meanings given to them in the separate agreement between the parties into which these Clauses are incorporated (the “Agreement”) and the corresponding data protection agreement (the “Data Protection Agreement”).

Appendices

Clause (1) Purpose and Scope

  1. The purpose of these Clauses is to ensure that an appropriate level of Personal Data protection equivalent to the level of protection applicable under the Personal Data Protection Law and its Implementing Regulations is applied in the absence of an appropriate level of Personal Data protection outside the Kingdom by specifying the obligations of the parties involved in the transfer of Personal Data to a country or international organization that does not have an appropriate level of Personal Data protection.
  2. Appendix (1) shows the data for both Data Exporters and Data Importers.
  3. These Clauses apply to the transfer of Personal Data as specified in Appendix (2) ("Personal Data to be Transferred or Disclosed").

Clause (2) Impact and Modification

  1. These Clauses set out appropriate safeguards, including rights of complaint by Personal Data Subjects, and cannot be amended except to select the appropriate template or to add or update information in the appendix.
  2. The parties may incorporate these Clauses into a comprehensive agreement or add other clauses or additional guarantees, provided they do not directly or indirectly conflict with these Clauses or infringe on the fundamental rights of Personal Data Subjects.
  3. These Clauses do not relieve any party from its obligations under the Law and Regulations, nor do they prejudice the provisions of the Laws and Regulations in force in the Kingdom or agreements to which the Kingdom is a party.

Clause (3) Rights of Personal Data Subjects

  1. These Standard Contractual Clauses are without prejudice to the rights of Personal Data Subjects under the Law and Regulations.
  2. Personal Data Subjects whose Personal Data is transferred from the parties based on these Standard Contractual Clauses may notify the Competent Authority ("Saudi Data & AI Authority") if they become aware of any violation of these Standard Contractual Clauses.

Clause (4) Interpretation

  1. Unless the context requires otherwise, the words and phrases used in these Clauses shall have the meanings assigned to them in Article (1) of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and amended by Royal Decree No. (M/148) dated 5/9/1444 AH, Article (1) of the Implementing Regulation of the PDPL and Article (1) of the Regulation on the Transfer of Personal Data Outside the Kingdom.
  2. These Clauses must be read and interpreted in light of and in accordance with the provisions of the Law and Regulations referred to in paragraph (a) of this Article, and may not be interpreted in any other way that is inconsistent with the provisions of the Law and Regulations.

Clause (5) Conflict Clause

In the event of a conflict between these Clauses and any provision in any other agreement between the parties, these Clauses shall prevail.

Clause (6) Details of Transfers

The transfer(s), as well as the categories of Personal Data and the purposes of the transfers, are described in the Appendix.

Clause (7) Addition of New Parties

  1. Any Personal Data Importer or Personal Data Exporter who is not a party to these Standard Clauses may join these Standard Contractual Clauses by completing and signing Appendix (1), with the consent of the existing parties. The Joining Entity shall be either the Personal Data Importer or the Personal Data Exporter.
  2. Once Appendix (1) has been completed and signed, the Joining Entity shall be a party to these Clauses, and the newly Joined Entity shall, as of the date of joining, and assume the responsibilities depending on the nature of the Personal Data processing and transfer operations that occurred on or after the date of joining, and shall be entitled to exercise the rights and obligations corresponding to its role as defined in these Clauses.

Clause (8) Governing Law and Jurisdiction

These Standard Contractual Clauses shall be governed by the applicable laws of the Kingdom of Saudi Arabia. Any dispute arising from the application of the provisions of these Clauses shall fall under the jurisdiction of the Kingdom and be vested in its courts. The Personal Data Importer, under these Standard Contractual Clauses, agrees to submit to the jurisdiction of the Kingdom of Saudi Arabia.

Clause (9) Compliance with the Requests of the Competent Authority

  1. Each party agrees to comply with any requests from the Competent Authority in relation to these Standard Contractual Clauses or the processing of transferred Personal Data.
  2. The Personal Data Importer agrees and commits to cooperate with the Competent Authority and comply with all its requests and inquiries and provide the necessary documents and information to ensure compliance with the Standard Contractual Clauses.
  3. The Personal Data Importer agrees to abide by the measures adopted by the Competent Authority, including corrective measures and compensation.

Clause (10) Compensation

  1. If any dispute arises between the Personal Data Subject and a party regarding compliance with the Standard Contractual Clauses, that party shall use all necessary means to settle the dispute amicably with the Personal Data Subject, and all parties shall inform each other of the existence of such dispute to ensure that it is resolved in cooperation with each other.
  2. The Personal Data Subject may submit to the Competent Authority any complaint arising from the application of the provisions of these Standard Contractual Clauses, in accordance with the procedures for submitting complaints specified by the Law and Regulations.
  3. The Personal Data Subject has the right to claim before the competent court for compensation for material or moral damage in proportion to the magnitude of the damage arising from the application of these Standard Contractual Clauses.

Clause (11) Personal Data Security

  1. All parties shall take the necessary organizational, administrative, and technical measures that ensure to maintain the privacy of personal Data against any breach at all stages of processing, including personal data security during the transfer process. In assessing the appropriate level of security, the Parties shall take into account the current state of technology, implementation costs, and the nature of the Personal Data transferred, as well as the nature, scope, context, purposes, the risks involved in the processing of the Personal Data, and specifically consider the application of encryption or de-identification, including during Personal Data transfer, where the purpose of the data processing can be achieved in this way.
  2. The Personal Data Exporter shall assist the Personal Data Importer in fulfilling the necessary data security requirements, and in the event of any Personal Data breach in relation to the transferred Personal Data processed by The Personal Data Exporter under these Standard Contractual Clauses, The Personal Data Exporter shall notify the Personal Data Importer without delay after becoming aware of such breach and shall assist the Personal Data Importer in containing such breach.
  3. The Data Exporter ensures that persons authorized to process the transferred Personal Data are bound by confidentiality and nondisclosure under an appropriate legal obligation of confidentiality and non-disclosure.

Clause (12) Duration and Termination

  1. If, for any reason, the personal Data Importer is unable to fulfill its obligations under these Standard Contractual Clauses, it must inform The Personal Data Exporter within (24) hours from the time it becomes aware of this.
  2. In the event that the personal Data Importer violates these Standard
  3. Contractual Clauses or is unable to comply with them, the personal Data Exporter shall immediately cease the transfer of Personal Data to the Personal Data Importer until the Personal Data Importer ensures its return to compliance again, provided that the Personal Data Importer shall be given a period of (30) days, extendable for a similar maximum period, to prove its ability to comply with these Clauses, and if the period expires without achieving this, the two parties shall agree to terminate the contract, without any liability for the Personal Data Exporter or Controller, as the case may be.
  4. The Personal Data Exporter or Controller, as the case may be, shall ensure that all Personal Data previously transferred to the Personal Data Importer is fully destroyed before terminating the Standard Contractual Clauses under paragraph (b) above. It shall also ensure that any copies it has of such personal data are destroyed.
  5. The Personal Data Importer must document the destruction of the data, and this documentation must be provided to the Personal Data Exporter or controller upon request.
  6. The Personal Data Importer must continue to ensure - until the data is destroyed - that it complies with these Standard Contractual Clauses.

Clause (13) Protection of Transferred Personal Data

The Personal Data Exporter and the Personal Data Importer shall process the transferred Personal Data according to the nature and purposes of the transfer and the appropriate template as follows:

Processor to Controller

1. Processing Instructions
  1. The Personal Data Exporter is obliged to process the transferred Personal Data only on the basis of written instructions from The Personal Data Importer as the Controller.
  2. The Personal Data Exporter shall immediately notify The Personal Data Importer if it is unable to comply with these instructions, or if it realizes that these instructions are contrary to the provisions of the Law and its Implementing Regulations or any other law in the Kingdom of Saudi Arabia.
  3. The Personal Data Importer shall not take an action or refrain from taking an action that would prevent the Personal Data Exporter from fulfilling its obligations under the Law and its Implementing Regulations or any other regulations in force in the Kingdom, including those regulations related to cooperation with the Competent Authority or any other regulatory body.
  4. After completion of the purpose of processing Personal Data specified in Appendix (2), the Personal Data Exporter shall destroy or return the transferred Personal Data as determined by the Data Importer.
2. Data Processing Security
  1. The Parties shall take the necessary organizational, administrative, and technical measures to safeguard the privacy of Data Subjects and the security of Personal Data at all stages of processing, including the security of data during their transfer, and to protect against any Personal Data breach. In assessing the level of appropriate security measures, the Parties shall take into account the current state of technology, implementation costs, and the nature of the Personal Data transferred, as well as the nature, scope, context, purpose or purposes of the data processing and the risks involved in the processing of Personal Data, and consider the application of encryption or de-identification, including during data transfer, to ensure that the purpose of processing Personal Data is fulfilled accordingly.
  2. The Personal Data Exporter shall support the Personal Data Importer in ensuring the security of the Personal Data required under paragraph (a) above, and in the event of any Personal Data breach with respect to the transferred Personal Data processed by the Personal Data Exporter under the Standard Contractual Clauses, the Personal Data Exporter shall notify the Personal Data Importer without delay within (24) hours of becoming aware thereof and the Personal Data Importer shall assist in containing such breach.
  3. The Personal Data Exporter ensures that the individuals authorized to process the transferred Personal Data are bound by the confidentiality and protection of the information or are bound by an appropriate legal obligation on the confidentiality and protection of the information.
3. Commitment to these Clauses
  1. The Personal Data Exporter is obliged to respond to all requests of the Personal Data Importer upon request, in order to enable the Personal Data Importer to demonstrate compliance with the provisions of the Standard Contractual Clauses and the Law and its Implementing Regulations.
  2. Each party shall be responsible for demonstrating to the Competent Authority, upon request, that all obligations under these Clauses have been fulfilled.
4. Rights of Personal Data Subjects
  1. All parties shall take all necessary actions and measures and cooperate to enable Personal Data Subjects to exercise their rights stipulated in the Law and Regulations.
  2. All statements made to the Personal Data Subject must be presented in a clear, legible, and accessible format.

Appendix 1 – Parties List

[Note: The data in this appendix is updated for all phases]

Information of Personal Data Exporter (s) Information of Personal Data Importer (s)
Name: Name:
The relevant Dubai Holding group entity as specified in the Agreement and the Data Protection Agreement. Customer(s) or the counterparty/ies to the data exporter as otherwise defined in the Agreement and the Data Protection Agreement.
Address: Address:
As specified in the Agreement and the Data Protection Agreement in the party clauses. As specified in the Agreement and the Data Protection Agreement in the party clauses.
Contact Information: Contact Information:
As specified in the Agreement and the Data Protection Agreement in the party clauses. As specified in the Agreement and the Data Protection Agreement in the party clauses.
Signature: Signature:
The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of these Clauses by both parties. The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of these Clauses by both parties.
Date: Date:
The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of these Clauses by both parties. The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of these Clauses by both parties.
Role [Controller/Processor]: Role [Controller/Processor]:
Processor. Controller.

Appendix 2 – Description of the Transfer of Personal Data

[Note: The data in this appendix is updated for all Phases]

Categories of Personal Data Subjects whose Personal Data Categories is transferred

As specified in the Data Protection Agreement.  
Categories of transferred Personal Data
As specified in the Data Protection Agreement.
Categories of transferred sensitive data - if any - and applicable restrictions and safeguards that take full account of the nature of the Personal Data and the risks involved, e.g., purpose limitation, access restrictions, record keeping of access to Personal Data, restrictions on subsequent transfers, or additional organizational, technical, and regulatory measures.

As specified in the Data Protection Agreement.  

Restrictions and safeguards for sensitive data are specified in Appendix 3 (if any). 

Purpose of Transfer
The Personal Data Exporter will transfer the Personal Data as part of its provision of the Services under the Agreement.
Retention Period/Criteria:
As per clause 13(1)(d) of this Standard Contractual Clauses.