KSAPDPL.COM

Elaboration and Developing Privacy Policy Guideline – Seventh: Personal Data Storage, Retention Period, and Destruction

Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction says that controllers must inform individuals whether their personal data will be shared with third parties inside or outside the Kingdom, clearly identify those parties, describe the nature of those entities, and explain the reason and frequency of data disclosure.

Seventh: Personal Data Storage, Retention Period, and Destruction

Storage Location

1. The Controller shall clarify the means used to store Personal Data and its geographical locations, whether stored on servers at the Controller’s headquarters or on servers of an external entity, such as cloud computing service providers (whether inside or outside the Kingdom). 

Retention Duration

2. The Controller shall clarify the time period to retain Personal Data and shall specify the retention period for each type of Personal Data in accordance with regulatory requirements. The Controller shall also clarify methods used to destroy Personal Data after its intended purpose is fulfilled, ensuring that it cannot be viewed or recovered. 

Destruction Procedures

3. The Controller shall clarify necessary administrative, technical, and organizational means and measures that have been taken to protect Personal Data from incidents of leakage, damage, or illegal access, including, but not limited to, the use of data encryption, anonymization, and coding methods. The level of security measures shall also depend on the sensitivity and amount of Personal Data collected.

Explanation of Seventh: Personal Data Storage, Retention Period, and Destruction

Where data is stored:

Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction requires Controllers to disclose whether data is stored internally or externally (e.g., cloud services), and whether the storage is inside or outside the Kingdom.

How long data is kept:

Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction requires Controllers to specify how long personal data will be retained and to define retention periods by data type, in line with legal and regulatory obligations.

How data is deleted:

Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction requires Controllers to describe the method of data destruction used once the purpose is fulfilled, ensuring it cannot be accessed or recovered.

How data is protected:

Elaboration and Developing Privacy Policy Guideline — Seventh: Personal Data Storage, Retention Period, and Destruction also requires that Controllers describe the administrative, technical, and organizational measures (such as encryption or anonymization) used to prevent data breaches. These must be proportional to the sensitivity and volume of personal data handled.
