KSAPDPL.COM

PDPL Implementing Regulation Article 33 – Records of Personal Data Processing Activities (RoPA)

Overview

PDPL Implementing Regulation Article 33 establishes the mandatory requirements for Controllers to maintain Records of Personal Data Processing activities (RoPA) under the Saudi PDPL. It specifies the retention period for these records, sets rules for accuracy and availability, and defines the essential minimum elements that every record must contain. It also confirms the obligation to make these records available to the Competent Authority (SDAIA) upon request and requires the Authority to issue official templates for Controllers to use.

This Article forms the operational foundation for accountability, transparency, and traceability of Personal Data Processing activities under the PDPL.

SDAIA's Official Text

The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.

Article 33: Records of Personal Data Processing Activities

  1. The Controller shall retain the record of Personal Data Processing activities during the period of the Processing, in addition to five years starting from the date of completion of the Personal Data Processing activity.

  2. Records of Personal Data Processing activities shall be written.

  3. Controller shall ensure that the records of Personal Data Processing activities are accurate and up to date.

  4. Controller shall provide access to the records of Personal Data Processing activities to the Competent Authority upon request.

  5. The record of Personal Data Processing activities shall include, at a minimum, the following:

    1. Controller’s name and relevant contact details.

    2. Information about the Data Protection Officer, where required in accordance with Article (32) of this Regulation.

    3. Purposes of the Personal Data Processing.

    4. Description of the categories of Personal Data being processed and the categories of Data Subjects.

    5. Retention periods for each category of Personal Data, where possible.

    6. Categories of recipients to whom the Personal Data is disclosed.

    7. Description of Personal Data Transfers outside the Kingdom, including the legal basis for the Transfers and the recipients of the Personal Data.

    8. Description of the procedures and the organizational, administrative, and technical measures in place that ensure the security of Personal Data, where possible.

  6. Competent Authority shall provide templates of records of Personal Data Processing activities.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 33(1)

Record Retention Period

This provision requires the Controller to keep Records of Personal Data Processing throughout the Processing activity and for an additional five years after the Processing is completed.

Article 33(2)

Written Documentation

This provision requires all Records of Processing activities to be documented in written form, ensuring formal and verifiable accountability.

Article 33(3)

Accuracy and Updates

This provision requires the Controller to keep Records accurate and up to date, ensuring the information reflects current Processing activities.

Article 33(4)

Authority Access Requirement

This provision requires the Controller to provide the Competent Authority with access to the Records of Processing activities upon request.

Article 33(5)

Minimum Record Contents

This provision defines the mandatory minimum information that must be included in Records of Processing activities.

Article 33(5)(a)

Controller Details

This provision requires the record to include the Controller’s name and relevant contact information.

Article 33(5)(b)

DPO Information

This provision requires the record to contain information about the Data Protection Officer when the appointment is required under Article 32.

Article 33(5)(c)

Processing Purposes

This provision requires the record to specify the purposes for which Personal Data is being processed.

Article 33(5)(d)

Data and Subject Categories

This provision requires the record to include descriptions of the categories of Personal Data and the categories of Data Subjects involved.

Article 33(5)(e)

Retention Periods

This provision requires the record to indicate, where possible, the retention periods applicable to each category of Personal Data.

Article 33(5)(f)

Recipient Categories

This provision requires the record to list the categories of recipients to whom Personal Data is disclosed.

Article 33(5)(g)

Cross-Border Transfers

This provision requires the record to include descriptions of transfers outside the Kingdom, the legal basis for such transfers, and the identity of recipients.

Article 33(5)(h)

Security Measures

This provision requires the record to describe the organizational, administrative, and technical measures in place to secure Personal Data, where possible.

Article 33(6)

Standard Templates

This provision requires the Competent Authority to issue official templates for maintaining Records of Personal Data Processing activities.
