Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records says that when building your Records of Processing Activities (RoPA), you must include specific details that ensure full visibility of what personal data you handle, why, for how long, and with whom it is shared or transferred. The goal is to ensure traceability, accountability, and compliance with PDPL obligations, including security measures and international transfers.
RoPA must cover who, what, why, how long, who else, where it goes, and how it’s secured.
Second: Contents of Personal Data Processing Activities Records
Records of personal data processing activities shall, as a minimum, include the following:
Controller’s Identity:
1. Controller’s name and relevant contact details.
DPO Contact Info:
2. Information of the Data Protection Officer (DPO), wherever the appointment of a DPO is required.
Processing Purposes:
3. Purposes of personal data processing.
Data & Subject Categories:
4. Description of the personal data categories being processed, and data subjects categories.
Retention Period:
5. Retention period for personal data and, where possible, specific retention periods for each category of personal data.
Recipients of Data:
6. Categories of recipient entities to whom the personal data has been or will be disclosed.
Cross-Border Transfers:
7. Description of operations of personal data transfer outside the Kingdom, including the legal basis for the transfer and the recipient entities.
Security Measures:
8. Description of the procedures and organizational, administrative, and technical measures in place that ensure the security of personal data, where possible.
Explanation of Second: Contents of Personal Data Processing Activities Records
Include controller contact details:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records says to specify the full legal name and contact info of the data controller responsible for processing activities.
Where DPO is appointed:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to add the Data Protection Officer’s information if your entity is required to appoint one under the PDPL.
Why the data is processed:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to clearly state the reasons and business purposes for collecting and using personal data.
What data and whose data:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to list the types of personal data (e.g., ID, contact, biometrics) and the categories of individuals affected (e.g., employees, customers, vendors).
How long data is kept:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to mention general retention timelines and, where feasible, specific retention periods by data category.
Entities data is shared with:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to indicate the external parties or internal departments to whom data is or will be disclosed.
Data moving outside the Kingdom:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to describe international data transfers, including the legal basis and identities of receiving entities.
Measures ensuring data protection:
Personal Data Processing Activities Record Guideline – Second: Contents of Personal Data Processing Activities Records also says to outline technical, organizational, and procedural controls used to safeguard the personal data, if applicable.