Personal Data Processing Activities Records Guideline
Introduction
In fulfillment of its mandate to raise awareness among entities subject to the provisions of the Personal Data Protection Law (the “Law”) and its Implementing Regulations, and to enable those entities to understand their obligations under Article (31) of the Law and Article (33) of the Implementing Regulations, the Saudi Data & AI Authority (SDAIA) has issued this Guideline to assist entities in preparing records of personal data processing activities.
This Guideline also provides a sample template for the records of personal data processing activities, designed to assist Controllers in complying with the Law’s provisions and Implementing Regulations when preparing their records of personal data processing activities. The terms and phrases used in this Guideline shall be construed in accordance with the definitions provided in the Law and its Implementing Regulations. This Guideline shall not be considered a binding legal document, nor shall it substitute consulting the Law and its Implementing Regulations, which shall constitute the regulatory reference for all matters related to the application of the Law’s provisions.
Objectives
This Guideline aims to:
- Assist entities in implementing the provisions of the Law.
- Encourage entities to adopt best practices for personal data protection.
- Outline the essential elements to be considered when preparing records of personal data processing activities.
- Protect the privacy of Data Subjects.
First: Personal Data Processing Activities Records Requirements
Pursuant to Article (31) of the Law, a Controller shall maintain records of personal data processing activities in accordance with the nature of its activities to be made available upon request by the competent authority without prejudice to the provisions of Article (18) of the Law regarding data destruction.
Furthermore, as stipulated in Article (33) of the Regulations, when preparing records of personal data processing activities, a Controller shall:
- Maintain the records of personal data processing activities for a period of five years following the cessation of each processing activity.
- Ensure that the records of personal data processing activities are maintained in written form.
- Ensure that the records of personal data processing activities are accurate and kept up to date.
- Make the records of personal data processing activities available to the competent authority upon request.
Second: Contents of Personal Data Processing Activities Records
Records of personal data processing activities shall, as a minimum, include the following:
- Controller's name and relevant contact details.
- Information of the Data Protection Officer (DPO), wherever the appointment of a DPO is required.
- Purposes of personal data processing.
- Description of the categories of personal data being processed and the categories of Data Subjects.
- Retention period for personal data and, where possible, specific retention periods for each category of personal data.
- Categories of recipient entities to whom the personal data has been or will be disclosed.
- Description of operations of personal data transfer outside the Kingdom, including the legal basis for the transfer and the recipient entities.
- Description of the procedures and organizational, administrative, and technical measures in place that ensure the security of personal data, where possible.
Third: Content Details of Personal Data Processing Activities Records
The template provided for records of personal data processing activities assists entities in creating comprehensive records of their processing activities. It supports detailed documentation of the various types of information required and makes the relationships between them explicit. The template is structured as follows: