KSAPDPL.COM

Personal Data Processing Activities Records Guideline (RoPA) – Third: Content Details of Personal Data Processing Activities Records

Overview

Personal Data Processing Activities Record Guideline – Third: Content Details of Personal Data Processing Activities Records sets out the minimum and extended content requirements that Controllers must document to demonstrate compliance with the Saudi Personal Data Protection Law and its Implementing Regulations.

The guideline explains what information must be captured for each personal data processing activity, how that information supports lawful processing, and when additional details are required due to higher-risk processing. It distinguishes between mandatory records, optional supporting information, and enhanced documentation required when an impact assessment is triggered.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Third: Content Details of Personal Data Processing Activities Records

The provided template for records of personal data processing activities assists entities in creating comprehensive and exhaustive records of their processing activities. This template facilitates detailed documentation of various information types and establishes meaningful connections between them. The template is structured as follows:

🟥 Mandatory
🟪 Optional
🟩 Mandatory in cases requiring an impact assessment process

| Field | Description |
| --- | --- |
| Controller Name | Specify the Controller name and relevant contact details. |
| Personal Data Protection Officer Details | Fill in the details related to the personal data protection officer, in the cases requiring its appointment. |
| Processing Activity | Detailed identification of all personal data processing activities aligned with the Controller’s operations and activities. This includes categorizing datasets containing personal data and classifying internal activities that directly handle personal data. |
| Activity Description | A comprehensive description of each personal data processing activity that provides sufficient detail to understand the impact and associated risks of the activity. |
| Activity Start Date | Commencement date of the personal data processing activity. |
| Activity End Date | Date of data destruction and deletion of personal data processing activities records, as the case may be. |
| Business Unit | Name of the business unit responsible for processing activities. |
| Processing Purpose | Clearly and precisely identifying the purpose for processing personal data. For example, marketing or recruitment. |
| Legal Basis | The legal basis to justify the specified purpose of processing personal data. |
| Personal Data Subject Categories | Description of the personal data subject categories whose data is being processed. Examples include employees, clients, members. |
| Processed Personal Data Categories | Description of the personal data categories being processed. Examples include contact details, location, health data, credit data. |
| Personal Dataset Names | Specifying names for the personal datasets. |
| Personal Datasets Owner | Specifying the individual or individuals who own the personal datasets. |
| Personal Datasets Tool or Location | The tools containing the personal datasets being processed or their storage locations. |
| Personal Data Categories Retention Periods | The planned retention period for personal data and, where possible, specific retention periods for each category of personal data. |
| The Entities to which Personal Data Was or Will Be Disclosed | Any entity to which personal data has been or will be disclosed, including documentation of the date of disclosure, method of disclosure, and purpose of disclosure. |
| Categories of Entities to which Personal Data is Being Disclosed | Describing the entities to which personal data is being disclosed. For example, vendors or governmental entities. |
| Personal Data Processor | Specifying the entities or individuals responsible for processing personal data. |
| Obligations between the Controller and Processor | Specifying the agreed-upon obligations between the Controller and Processor. |
| Personal Data Transfer | Describing whether the personal data has been or will be transferred or disclosed to an entity outside the Kingdom, and describing data transfer activities outside the Kingdom, including the legal basis for the transfer and the recipient entities and countries to which the personal data is being transferred or disclosed. |
| Organizational, Administrative, and Technical Measures | Describing, where possible, the organizational, administrative, and technical measures implemented to ensure the security of personal data. For example, encryption, access controls, training, and awareness raising. |
| Obtaining Data Subject Consent | Describing the procedures in place to obtain data subjects’ consent for the processing activity and its purpose. |
| Data Subject Rights | The procedures in place to empower data subjects to exercise their rights as stipulated in the Law. |
| Record Update | Regular reviews of the records of personal data processing activities should be conducted to ensure the accuracy and currency of records. Record keeping is an ongoing process, and the documented information should reflect the current state of personal data processing activities. Records can be updated when planning or commencing new processing activities, considering new purposes, modifying existing information, changing the legal basis or purpose, or altering data subject or personal data categories. |
| Entity Responsible for Latest Update | Entity responsible for the latest update. |
| Sensitive Data | Personal data revealing racial or ethnic origin, religious, intellectual, or political belief, data relating to security or criminal convictions and offenses, biometric or genetic data for identification purposes, health data, and data indicating that one or both of an individual’s parents are unknown. |
| Linking of Files Aggregated from Different Sources | Linking or combining two or more personal datasets obtained from different Controllers, aggregated, or processed from the outset for different purposes or all of the above. |
| Personal Data Processing of Lacks Full or Partial Legal Capacity | For example, underage children and those who lack full or partial legal capacity. |
| Number of Personal Data Subjects Whose Data is Being Processed | Specifying the number of data subjects involved in the processing activity. |
| Large-scale Personal Data Processing | Describing the personal data processing activity involving a large number of data subjects, the volume and type of personal data, the geographical scope of processing, and the different groups of personal data subject categories. |
| Processing Frequency | Specifying the number of times processing occurs and whether it is done continuously, periodically, or at specific time intervals. |
| Data Processing Using Novel Technologies | Describing processing involving novel technological or organizational solutions that have not been fully tested or recognized, or that could lead to risks harming the rights and interests of data subjects. |
| Automated Processing of Personal Data | Describing any form of automated processing of personal data on which decision-making processes are based. |
| Personal Data Processing within a Product or Service | Describing the processing of data embedded in a provided product or service that is likely to cause significant harm to the privacy of data subjects. |
| Personal Data Processing within Any Product or Service Provided to the Public | Description of personal data processing within any product or service offered to the public, according to the nature of the Controller’s activities. |
| Personal Data Breach Incidents Related to the Record | Procedures for reporting any breaches related to the personal data specified in this record. |
| Impact Assessment Procedure Description | Description of the reasons for conducting an impact assessment and whether it is mandatory or optional, as the case may be. |
| Impact Assessment Findings | Findings of the impact assessment after the discovery of a personal data breach and the actions taken in this regard. |
| Latest Impact Assessment Date | Date of the last impact assessment. |
| Impact Assessment Reference | Impact assessment report reference. |
| Summary of Impact Assessment Findings | Summary of the last impact assessment report. |

Plain-Language Explanation

The explanation below is provided to help you understand SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Mandatory Information Type

Controller Name

This field identifies the Controller responsible for the personal data processing activity. It ensures accountability by clearly linking each processing activity to the legal entity that determines the purposes and means of processing personal data, together with its official contact details.

Personal Data Protection Officer (DPO) Details

This field records the details of the Personal Data Protection Officer where appointment is required under the Law. It enables effective communication with the designated individual responsible for overseeing compliance, handling regulatory inquiries, and supporting Data Subject rights.

Processing Purpose

This field explains the specific and clearly defined purpose for which personal data is processed. It demonstrates compliance with purpose limitation requirements and ensures that processing activities are not excessive or unrelated to the stated objectives.

Legal Basis

This field documents the legal justification relied upon for processing personal data. It establishes that the processing activity is lawful under the Personal Data Protection Law and directly supports the stated processing purpose.

Personal Data Subject Categories

This field describes the categories of individuals whose personal data is processed. It helps determine the scope of the processing activity and assess potential risks based on the nature of the affected individuals.

Processed Personal Data Categories

This field identifies the categories of personal data being processed. It provides visibility into the sensitivity and nature of the data involved and supports assessment of applicable safeguards and compliance obligations.

Personal Data Categories Retention Periods

This field specifies how long personal data is retained and, where applicable, the retention period for each data category. It demonstrates compliance with storage limitation principles and supports lawful data deletion practices.

The Entities to which Personal Data Was or Will Be Disclosed

This field records any entity to which personal data has been or will be disclosed. It documents the disclosure date, method, and purpose, supporting transparency and accountability in disclosure activities.

Categories of Entities to which Personal Data is Being Disclosed

This field classifies the types of recipients receiving personal data, such as vendors or governmental entities. It enables a high-level understanding of disclosure patterns without listing individual recipients.

Personal Data Transfer

This field documents whether personal data is transferred or disclosed outside the Kingdom. It includes the legal basis for transfer, recipient entities, and destination countries, supporting compliance with cross-border transfer requirements.

Organizational, Administrative, and Technical Measures

This field describes the measures implemented to protect personal data. It demonstrates how security risks are mitigated through organizational controls, administrative procedures, and technical safeguards.

Record Update

This field explains how records are reviewed and updated to reflect current processing activities. It supports accuracy, currency, and ongoing compliance by documenting changes in purposes, legal bases, or processing scope.

Optional Information Type

Processing Activity

This field identifies and names the personal data processing activity. It supports structured documentation by distinguishing individual processing operations within the organization.

Activity Description

This field provides a detailed explanation of the processing activity. It enables understanding of how the activity operates and assists in assessing associated risks and compliance implications.

Activity Start Date

This field records when the processing activity commenced. It supports historical traceability and lifecycle management of processing activities.

Activity End Date

This field documents when the processing activity ends or when related records are destroyed. It supports compliance with retention and deletion requirements.

Business Unit

This field identifies the business unit responsible for the processing activity. It supports internal accountability and operational oversight.

Personal Dataset Names

This field specifies the names assigned to datasets containing personal data. It assists in data mapping and internal governance.

Personal Datasets Owner

This field identifies the individual or function responsible for managing the personal dataset. It supports ownership clarity and accountability.

Personal Datasets Tool / Location

This field documents the systems or locations where personal data is stored or processed. It supports security management and access control oversight.

Personal Data Processor

This field identifies any Processor involved in processing personal data on behalf of the Controller. It supports compliance with Controller-Processor obligations.

Obligations between the Controller and Processor

This field documents the agreed obligations governing the processing relationship. It demonstrates contractual compliance and allocation of responsibilities.

Obtaining Data Subject Consent

This field explains the procedures used to obtain consent where consent is relied upon as a legal basis. It supports evidence of valid consent practices.

Data Subject Rights

This field describes the procedures implemented to enable data subjects to exercise their rights as stipulated in the Law.

Entity Responsible for Latest Update

This field identifies the entity or function responsible for the most recent record update. It supports governance, version control, and accountability.

Mandatory in Cases Requiring an Impact Assessment Process

Sensitive Data

This field indicates whether the processing involves Sensitive Data, including data revealing racial or ethnic origin, religious, intellectual or political belief, security or criminal data, biometric or genetic data, health data, or data indicating unknown parentage. It supports identification of higher risk processing requiring enhanced safeguards.

Linking of Files Aggregated from Different Sources

This field documents whether personal data from multiple sources is linked or combined. It supports assessment of increased privacy risks arising from data aggregation.

Personal Data Processing of Lacks Full or Partial Legal Capacity

This field identifies processing involving individuals lacking full or partial legal capacity. It highlights heightened protection requirements.

Number of Personal Data Subjects Whose Data is Being Processed

This field records the number of Data Subjects affected by the processing activity. It supports assessment of scale and potential impact.

Large-scale Personal Data Processing

This field describes processing activities involving large volumes of data, wide geographic scope, or multiple Data Subject categories. It supports high-risk processing identification.

Processing Frequency

This field documents how often processing occurs, whether continuous, periodic, or event-based. It supports operational and risk assessment.

Data Processing Using Novel Technologies

This field describes processing involving new or untested technologies. It supports identification of emerging risks to Data Subject rights.

Automated Processing of Personal Data

This field records processing involving automated decision-making. It supports transparency and assessment of potential impacts on individuals.

Personal Data Processing within a Product or Service

This field explains processing embedded within a product or service that may cause significant privacy impact. It supports early risk identification.

Personal Data Processing within Any Product or Service Provided to the Public

This field describes personal data processing occurring within publicly offered products or services. It supports compliance assessment based on public exposure.

Personal Data Breach Incidents Related to the Record

This field documents any breach incidents associated with the processing activity. It supports incident management and accountability.

Impact Assessment Procedure Description

This field explains why an impact assessment was conducted and whether it was mandatory or optional. It supports procedural compliance.

Impact Assessment Findings

This field summarizes the outcomes of the impact assessment. It demonstrates risk identification and mitigation decisions.

Latest Impact Assessment Date

This field records the date of the most recent impact assessment. It supports ongoing review and compliance monitoring.

Impact Assessment Reference

This field provides a reference to the impact assessment report. It supports auditability and traceability.

Summary of Impact Assessment Findings

This field provides a concise summary of the latest assessment conclusions. It supports high-level understanding of risks and controls.
