Saudi Arabia data protection for digital-asset operations
PDPL baseline controls combine with SAMA sector controls for payment and open-banking routes.
Privacy control stack
Data-protection framework
Saudi Arabia's general privacy baseline consists of the Personal Data Protection Law (PDPL), its Implementing Regulation, and the transfer-outside-Kingdom regulation.
SAMA payment and open-banking rules add sector obligations. Payment licensees must align data and technology governance, outsourcing, cyber resilience, secure sharing, customer consent, and incident notification with SAMA requirements.
Data-heavy treasury, onboarding, sanctions-screening, KYC, open-banking, and cross-border servicing workflows should therefore test both the general PDPL basis and the sector-specific SAMA or CMA operating route.
Data-protection matrix
| Layer | Rule | Consequence |
|---|---|---|
| General personal data | PDPL. | Baseline controller, processor, data-subject, purpose, and lawful-processing controls. |
| Operational privacy layer | PDPL Implementing Regulation. | Detailed processing and compliance controls. |
| Transfer outside the Kingdom | PDPL transfer regulation. | Outbound KYC, sanctions, transaction, and support data need transfer analysis. |
| Payment-licensee data | SAMA payment rule stack. | SAMA data and technology governance obligations attach. |
| Open-banking consent | SAMA open-banking and payment rules. | Customer-authorized secure sharing with supervised entities. |
| Cyber / operational incident | SAMA payment rule stack. | Incident notification and operational-resilience controls. |
| Outsourcing | SAMA payment rule stack and PDPL. | Material outsourcing and data processing need control, contract, and approval handling. |