Overview
Personal Data Processing Activities Record Guideline – First: Personal Data Processing Activities Records Requirements define the mandatory obligations imposed on Controllers under the Saudi Personal Data Protection Law (PDPL) for maintaining records of personal data processing activities.
This section sets out the obligation to maintain records, how long they must be retained, the form in which they must be kept, and the obligation to make them available to the Competent Authority (SDAIA) upon request, in accordance with PDPL and its Implementing Regulations.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
First: Personal Data Processing Activities Records Requirements
Pursuant to Article (31) of the Law, a Controller shall maintain records of personal data processing activities in accordance with the nature of its activities to be made available upon request by the competent authority without prejudice to the provisions of Article (18) of the Law regarding data destruction.
Furthermore, as stipulated in Article (33) of the Regulations, when preparing records of personal data processing activities, a Controller shall:
- Maintain the records of personal data processing activities for a period of five years following the cessation of each processing activity.
- Ensure that the records of personal data processing activities are maintained in written form.
- Ensure the accuracy and up to date of the records of personal data processing activities.
- Make the records of personal data processing activities available to the competent authority upon request.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
