Overview
Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction explains how Controllers must inform Data Subjects about where Personal Data is stored, how long it is retained, and how it is destroyed after fulfilling its purpose.
It also addresses the security measures used to protect Personal Data during storage and throughout its lifecycle.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Seventh: Personal Data Storage, Retention Period, and Destruction
- The Controller shall clarify the means used to store Personal Data and its geographical locations, whether stored on servers at the Controller's headquarters or on servers of an external entity, such as cloud computing service providers (whether inside or outside the Kingdom).
- The Controller shall clarify the time period to retain Personal Data and shall specify the retention period for each type of Personal Data in accordance with regulatory requirements. The Controller shall also clarify methods used to destroy Personal Data after its intended purpose is fulfilled, ensuring that it cannot be viewed or recovered.
- The Controller shall clarify necessary administrative, technical, and organizational means and measures that have been taken to protect Personal Data from incidents of leakage, damage, or illegal access, including, but not limited to, the use of data encryption, anonymization, and coding methods. The level of security measures shall also depend on the sensitivity and amount of Personal Data collected.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
1. Personal Data Storage and Location
2. Retention Period and Data Destruction
This provision requires the Controller to clarify the time period for retaining Personal Data and to specify the retention period for each type of Personal Data in accordance with regulatory requirements.
It also requires the Controller to clarify the methods used to destroy Personal Data after the purpose for which it was collected has been fulfilled, ensuring that the data cannot be viewed or recovered.
3. Security Measures for Stored Data
This provision requires the Controller to clarify the administrative, technical, and organizational measures taken to protect Personal Data from leakage, damage, or illegal access. These measures may include the use of encryption, anonymization, and coding methods.
The provision also clarifies that the level of security measures must depend on the sensitivity and the amount of Personal Data collected.