PDPL Article 31 says that controllers must maintain records of all personal data processing activities they carry out. These records help ensure accountability and transparency under the PDPL.
The Regulations will define how long these records must be kept, based on the nature of the processing activity. The records must be readily available if requested by the Competent Authority (e.g., SDAIA).
Saudi PDPL Article 31
Maintain Processing Records
Without prejudice to Article (18) herein, the Controller shall maintain records, for such a period as required under the Regulations, of the Personal Data Processing activities, based on the nature of the activity carried out by the Controller. Such records are to be available whenever requested by the Competent Authority. The records shall contain the following information at a minimum:
1-Contact details of the Controller.
2-The purpose of the Personal Data Processing.
3-Description of the categories of Personal Data Subjects.
4-Any other entity to which Personal Data has been, or will be, disclosed.
5-Whether the Personal Data has been or will be transferred outside the Kingdom or disclosed to an entity outside the Kingdom.
6-The expected period for which Personal Data shall be retained.
Explanation of Saudi PDPL Article 31
Controllers must log their processing activities and retain records as required
Saudi PDPL Article 31 requires controllers to document all personal data processing activities and to keep that documentation available for audit or inspection by the authority. The record must include the items listed below.
| Field | Description |
|---|---|
| 1. Controller Details | Contact details of the entity responsible for data processing |
| 2. Purpose of Processing | Clear explanation of why the personal data is being processed |
| 3. Categories of Data Subjects | Description of who the data subjects are (e.g., customers, employees, vendors) |
| 4. Data Recipients | Any internal or external parties to whom the data is disclosed or shared |
| 5. Cross-Border Transfers | Whether data is or will be transferred or disclosed outside the Kingdom |
| 6. Retention Period | How long the personal data will be kept before being deleted or anonymized |