Saudi Arabia: Published SDAIA Personal Data Processing Activities Records Guideline

On 3 September 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) published the Personal Data Processing Activities Records Guideline. In particular, the Guideline provides a framework for organisations to comply with the requirement to document personal data processing activities in compliance with the Personal Data Protection Law and its Implementing Regulations. It explains the legal obligations of data processors, including requirements for keeping records for five years, ensuring accuracy, and making them available to authorities upon request. In addition, the Guideline specifies the content needed, such as details of the data controller, data protection officer, purposes of processing, data categories, and security measures. Finally, the Guideline also includes a sample template for creating comprehensive records, detailing elements like processing purposes, legal bases, retention periods, data transfers, and data subject rights.