📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia

Frequently Asked Questions

Find answers to your questions about cybersecurity and the CISO Consulting platform


PDPL & Privacy (22)

The Saudi Personal Data Protection Law (PDPL) was enacted by Royal Decree in September 2021 and officially entered into enforcement in September 2023 after a two-year transition period. Amendments were introduced in 2023 to align with global data protection best practices.
Under PDPL, organizations must:

1. Obtain explicit consent before collecting personal data;
2. Specify and limit the purpose of collection;
3. Implement appropriate security controls;
4. Honor data subject rights (access, correction, deletion, objection);
5. Report breaches within 72 hours to SDAIA;
6. Appoint a Data Protection Officer if processing large volumes;
7. Restrict cross-border data transfers.
Saudi Arabia's Personal Data Protection Law (PDPL), enforced by the Saudi Data and AI Authority (SDAIA), grants individuals a comprehensive set of rights over their personal data. For financial institutions—which process particularly sensitive categories such as financial records, national IDs, and biometric data—meeting these obligations requires both legal and technical readiness.

**Key Data Subject Rights Under PDPL (Arts. 4–9):**

- **Right to Access:** Individuals can request a copy of their personal data. Institutions must respond within a defined timeframe (typically 30 days).
- **Right to Correction:** Inaccurate or incomplete data must be corrected upon request.
- **Right to Erasure:** Data must be deleted when no longer necessary, subject to legal retention obligations (e.g., SAMA requires transaction records retained for 10 years).
- **Right to Object:** Individuals may object to processing for direct marketing or profiling purposes.
- **Right to Data Portability:** Emerging obligation requiring data to be provided in a structured, machine-readable format.

**Technical Controls Required:**

1. **Data Discovery & Mapping:** Maintain an up-to-date Record of Processing Activities (RoPA) identifying where personal data resides across systems.
2. **Access Request Workflows:** Implement automated Subject Access Request (SAR) handling within your GRC or DPM platform to track requests, deadlines, and responses.
3. **Consent Management:** Deploy consent management platforms to record and honour withdrawal of consent in near real-time.
4. **Data Masking & Deletion Pipelines:** Build automated pseudonymisation and secure deletion workflows, ensuring deletion is propagated across backup systems.
5. **Audit Trails:** Maintain immutable logs of all data processing activities to demonstrate accountability to SDAIA during audits.

Note: Regulatory retention requirements under SAMA CSF and AML/CFT rules may create legitimate grounds to decline erasure requests—document these exceptions explicitly in your privacy notices and internal policies.
Under Saudi Arabia's Personal Data Protection Law (PDPL) and its Executive Regulations, data breaches triggering notification obligations are those that result in — or are likely to result in — harm to data subjects. Here is a structured response framework for fintechs:

**Step 1 — Breach Detection and Internal Escalation (0–24 hours):** Activate your Incident Response Plan (IRP). Assign a breach response lead (typically the DPO or CISO). Preserve evidence, isolate affected systems, and begin a preliminary impact assessment: How many records are affected? What categories of personal data? (Financial details, national IDs, and biometrics carry higher risk weighting.)

**Step 2 — Regulatory Notification to SDAIA (Within 72 Hours):** Per PDPL Article 24 and the Executive Regulations, you must notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of a breach that poses risk of harm. Your notification must include: nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or planned.

**Step 3 — Data Subject Notification:** If the breach is likely to cause direct harm to individuals (identity theft, financial fraud risk, reputational damage), you must notify affected data subjects without undue delay. The notification should explain what happened, what data was exposed, and what steps individuals can take to protect themselves.

**Step 4 — Documentation and Post-Incident Review:** PDPL requires maintaining a breach register documenting all incidents regardless of notification threshold. Conduct a post-incident review aligned with ISO 27001 Clause 10.1 and update your risk register and controls accordingly.

**Key consideration for fintechs:** If your platform processes payment data, you also have parallel notification obligations under SAMA CSF Incident Management controls and potentially PCI-DSS breach notification requirements. Coordinate these notifications carefully to avoid conflicting communications.
The Saudi Personal Data Protection Law (PDPL) grants individuals a set of enforceable rights over their personal data, and fintechs — given the volume of sensitive financial and identity data they process — must establish robust, documented processes to handle these requests effectively.

**Key Data Subject Rights under PDPL:**

- **Right to Access:** Individuals can request a copy of their personal data and information about how it is being processed.
- **Right to Correction:** Inaccurate or incomplete data must be corrected upon request.
- **Right to Erasure:** Data subjects can request deletion of their data when it is no longer needed or consent is withdrawn (subject to legal retention obligations).
- **Right to Data Portability:** Where applicable, data must be provided in a structured, machine-readable format.
- **Right to Object:** Individuals can object to certain types of processing, including direct marketing.

**Operational Requirements:**

1. Establish a dedicated intake channel (e.g., a privacy portal or email) clearly communicated in your privacy notice.
2. Define an internal SLA — PDPL requires responses within 30 days, with the possibility of a single extension.
3. Implement an identity verification step before disclosing any personal data.
4. Maintain a request log for audit purposes — ZATCA and the National Data Management Office (NDMO) may audit your compliance posture.
5. Train customer service and security teams on how to recognize and escalate DSRs.

**Intersection with Financial Regulations:** Note that some erasure requests may conflict with SAMA's mandatory record retention requirements (typically 10 years). Fintechs must balance PDPL obligations with SAMA CSF and AML record-keeping rules, documenting the legal basis for retention overrides.
Saudi fintechs operating mobile applications that collect and process customer financial data face specific obligations under the Personal Data Protection Law (PDPL) and its Implementing Regulations. Here is a practical compliance breakdown:

**1. Lawful Basis for Processing:** Under PDPL Article 6, processing personal financial data requires a valid legal basis — typically explicit consent or contractual necessity. Consent must be granular, informed, and freely withdrawable. Pre-ticked boxes or bundled consent are non-compliant.

**2. Privacy Notice Requirements:** PDPL Article 11 mandates a clear, accessible privacy notice within the app, disclosed at the point of data collection. It must specify: categories of data collected, processing purposes, retention periods, and data subject rights.

**3. Sensitive Financial Data Handling:** Financial data — including transaction history, credit scores, and account details — may be classified as sensitive under PDPL. Apply enhanced controls including encryption at rest and in transit, strict access controls, and audit logging per ISO 27001 Annex A.8 controls.

**4. Data Minimization:** Collect only data strictly necessary for the stated service purpose. Avoid collecting excessive device permissions (e.g., contacts, location) without demonstrable necessity, as SAMA also scrutinizes this under its Open Banking Framework.

**5. Data Subject Rights:** PDPL grants customers rights to access, correct, and request deletion of their personal data. Fintechs must operationalize these rights within the app UI and back-end systems, with responses delivered within regulatory timeframes (30 days under PDPL Article 15).

**6. Data Breach Notification:** Per PDPL Article 27, notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of discovering a breach affecting personal data, and notify affected individuals without undue delay.

**7. DPO Appointment:** Fintechs processing data at scale should appoint a Data Protection Officer (DPO) to oversee compliance, liaise with SDAIA, and maintain the Records of Processing Activities (RoPA).
The Saudi Personal Data Protection Law (PDPL), enforced by the Saudi Data & AI Authority (SDAIA), grants individuals a defined set of rights over their personal data. For fintechs processing customer data—including KYC information, transaction histories, and behavioral analytics—building robust request-handling processes is both a legal necessity and a competitive trust signal.

**Rights Granted Under PDPL:**

1. **Right to Access (Article 4):** Individuals may request confirmation of whether their data is being processed and obtain a copy. Fintechs must respond within a reasonable timeframe (SDAIA guidance suggests 30 days).
2. **Right to Correction (Article 14):** Customers may request correction of inaccurate or incomplete personal data. This is particularly relevant for KYC records and credit-related information.
3. **Right to Erasure (Article 15):** Data subjects may request deletion of their data when the processing purpose is fulfilled or consent is withdrawn—subject to regulatory retention obligations under SAMA and FATF anti-money laundering rules.
4. **Right to Data Portability:** Individuals may request transfer of their data in a structured, readable format.
5. **Right to Object:** Data subjects may object to processing for direct marketing or automated decision-making purposes.

**Practical Implementation for Fintechs:**

- Establish a dedicated Data Subject Request (DSR) intake channel (web form or in-app)
- Assign ownership to a Data Protection Officer (DPO) or privacy lead
- Build a response workflow with internal SLAs aligned to PDPL timelines
- Document all requests, decisions, and outcomes in a DSR log
- Map tension points where PDPL erasure rights conflict with SAMA/AML data retention mandates, and document your legal basis for retention

Failure to respond to DSRs may attract regulatory scrutiny from SDAIA, including potential fines.
Saudi Arabia's Personal Data Protection Law (PDPL), enforced by the Saudi Data & AI Authority (SDAIA), imposes clear obligations on fintech companies regarding data classification and protection. Under PDPL Articles 5 and 6, organizations must identify all personal data they process, establish a lawful basis for processing, and implement proportionate technical and organizational safeguards. A practical PDPL-compliant data protection framework for fintechs should include:

**1. Data Inventory & Classification:** Map all personal data flows across your systems — KYC records, transaction data, biometric identifiers, and credit information fall under general personal data. Health or financial distress information may qualify as sensitive data requiring heightened protection under PDPL Article 23.

**2. Technical Controls:** Encrypt personal data at rest and in transit (AES-256 and TLS 1.2+ minimum). Implement role-based access controls (RBAC) and data masking for non-production environments. Per NCA ECC Control 2-4, data classification labels must be enforced across storage and transmission systems.

**3. Retention & Deletion:** PDPL Article 18 mandates that personal data not be retained beyond its stated purpose. Establish automated data lifecycle policies with documented retention schedules.

**4. Data Subject Rights:** Build workflows to handle access, correction, and deletion requests within the PDPL-mandated timeframes (15 business days for most requests).

Non-compliance can result in fines of up to SAR 5 million, reputational damage, and suspension of operations. Fintechs regulated by SAMA should also cross-reference SAMA's Customer Data Protection guidelines to ensure alignment across both regulatory regimes.
Under Saudi Arabia's Personal Data Protection Law (PDPL) and its Executive Regulations, every processing activity must rest on a clearly identified and documented lawful basis. For fintech companies, this is a foundational compliance obligation that directly affects product design, onboarding flows, and data governance frameworks.

**The Six Lawful Bases Under PDPL:**

1. **Consent** – Freely given, specific, informed, and unambiguous. Consent must be withdrawable at any time without penalty, and pre-ticked boxes are not valid.
2. **Contractual Necessity** – Processing required to execute or fulfill a contract with the data subject (e.g., processing payment data to complete a transfer).
3. **Legal Obligation** – Processing mandated by Saudi law, such as AML/CFT reporting requirements under SAMA guidelines.
4. **Vital Interests** – Protecting the life or safety of the data subject or others.
5. **Public Interest** – Relevant to licensed fintech activities serving the public.
6. **Legitimate Interests** – Permitted only where the controller's interests do not override the individual's rights; requires a documented balancing test.

**Practical Steps for Fintechs:**

- Conduct a **data mapping exercise** to catalog all processing activities, data categories, and purposes.
- Assign a lawful basis to each processing activity in your **Records of Processing Activities (RoPA)**.
- Review customer consent forms and app onboarding flows to ensure consent language meets PDPL Article 5 requirements.
- For sensitive data (financial history, biometrics), explicit consent is required unless a specific legal exemption applies.
- Appoint a **Data Protection Officer (DPO)** if your processing is large-scale or involves sensitive categories.

Regular review of your lawful bases is essential, especially as product features evolve or new data uses are introduced.
PDPL penalties include: fines up to SAR 5 million for violations of data subject rights or inadequate security controls; fines up to SAR 10 million for unauthorized cross-border data transfer; fines up to SAR 3 million for failure to notify of breaches. Repeat violations can result in doubled fines. Criminal prosecution may apply in cases of deliberate misuse.
Yes. PDPL applies to any entity that processes personal data of individuals residing in Saudi Arabia, regardless of whether the entity is based inside or outside the Kingdom. Foreign companies targeting Saudi consumers or processing data of Saudi residents must comply with PDPL requirements.
Cross-border data transfers are one of the most operationally complex requirements under Saudi Arabia's Personal Data Protection Law (PDPL) and its Implementing Regulations, particularly for fintechs that rely on global cloud providers, payment processors, or overseas analytics platforms.

**Legal Basis for Transfer (PDPL Article 29):** Transferring personal data outside the Kingdom is prohibited unless one of the following conditions is satisfied:

- The transfer is necessary to fulfill a contractual obligation with the data subject
- The transfer serves a vital interest of the data subject
- The destination country provides an adequate level of data protection as determined by the Saudi Data & AI Authority (SDAIA)
- A binding agreement exists that ensures equivalent protection standards
- Explicit consent has been obtained from the data subject

**Practical Controls for Fintechs:**

1. **Data Mapping & Flow Inventory:** Document all data flows that cross borders — including API calls to foreign services, backup replication to non-Saudi cloud regions, and third-party analytics tools.
2. **Transfer Impact Assessment (TIA):** Before initiating any cross-border transfer, conduct a TIA to assess the legal framework and security posture of the destination jurisdiction.
3. **Contractual Safeguards:** Implement Data Processing Agreements (DPAs) with international vendors containing clauses that mirror PDPL protections, including breach notification, sub-processor controls, and data deletion rights.
4. **Localization Strategy:** For sensitive financial data categories, consider data residency in Saudi-based cloud regions (e.g., AWS, Azure, or Google Cloud regions in KSA) to minimize transfer exposure.
5. **Consent Management:** Build granular consent mechanisms in your customer onboarding flows for any data that may be processed abroad.

SDAIA continues to publish guidance on adequacy decisions, so fintechs should monitor regulatory updates closely and integrate PDPL transfer compliance into their broader ISO 27001 and SAMA CSF programs.
The Saudi Personal Data Protection Law (PDPL) and its implementing regulations introduce meaningful obligations for fintech companies that deploy AI-driven or automated decision-making systems — such as credit scoring engines, fraud detection models, customer onboarding bots, or behavioral analytics platforms.

**Key PDPL Obligations for Automated Processing:**

**1. Lawful Basis for Processing:** Per PDPL Article 8, processing personal data through automated systems requires a valid legal basis — typically contractual necessity, legitimate interest, or explicit consent. For sensitive financial data, consent must be explicit and documented.

**2. Transparency & Disclosure:** PDPL Article 11 mandates that individuals be informed about the existence of automated decision-making processes that significantly affect them, the logic involved, and the potential consequences. Your privacy notice must clearly describe AI-driven decision systems.

**3. Right to Object & Human Review:** Individuals have the right to request human review of decisions made solely by automated systems, particularly when such decisions produce legal or similarly significant effects (e.g., loan denial, account suspension). Fintechs must establish a process to handle such requests within the regulatory timeframe.

**4. Data Minimization:** Only the personal data strictly necessary for the AI model's purpose should be processed. Avoid feeding models with unnecessary sensitive attributes — a principle directly aligned with PDPL Article 14.

**5. Data Retention & Deletion:** Define and enforce clear retention periods for data used in AI training and inference. Data should not be retained beyond its stated purpose per PDPL Article 18.

**6. DPIA Requirement:** High-risk processing activities — including large-scale AI profiling of customers — require a Data Protection Impact Assessment (DPIA) before deployment. Document risks and mitigations thoroughly.

**Intersection with SAMA CSF:** SAMA's customer data protection controls (Domain 3.5) complement PDPL requirements and expect financial institutions to implement technical safeguards around automated processing systems including access controls, audit logs, and explainability mechanisms. Fintechs should engage their Data Protection Officer (DPO) early in AI product design cycles to ensure privacy-by-design principles are embedded from the outset.
Saudi Arabia's Personal Data Protection Law (PDPL), enforced by the Saudi Data & AI Authority (SDAIA), places direct obligations on fintech companies to implement a structured data classification and protection framework. Non-compliance can result in fines of up to SAR 5 million for first offenses, with doubling for repeat violations.

**Step 1 – Data Discovery and Classification:** Conduct a thorough data inventory mapping all personal data your platform collects, processes, or stores. Under PDPL Article 6, data must be classified at minimum into: General Personal Data, Sensitive Personal Data (including financial data, health records, biometric data, and national ID numbers), and data of minors.

**Step 2 – Lawful Basis Determination:** For each data category, establish and document the lawful processing basis per PDPL Article 5 — consent, contractual necessity, legal obligation, or legitimate interest (the latter must be balanced against data subject rights).

**Step 3 – Technical and Organizational Controls:**

- Encrypt sensitive personal data at rest and in transit (AES-256 and TLS 1.2+ as baseline).
- Implement role-based access controls (RBAC) with least-privilege principles.
- Maintain detailed processing records (PDPL Article 12 requires a Record of Processing Activities — ROPA).
- Establish data retention and deletion schedules aligned to PDPL Article 18.

**Step 4 – Breach Notification:** PDPL Article 19 requires notifying SDAIA within 72 hours of discovering a personal data breach that poses risk to data subjects.

**Intersection with SAMA CSF:** For licensed fintechs, SAMA CSF Control 3.3.9 (Data and Information Protection) aligns closely with PDPL — a unified data protection policy satisfies both regulators simultaneously.
Saudi Arabia's Personal Data Protection Law (PDPL), enforced by the National Data Management Office (NDMO), establishes clear obligations around data minimization and retention — principles that fintech companies must embed into both their technical architecture and operational processes.

Under PDPL Article 8, personal data must be collected only to the extent necessary for the declared purpose. Fintechs must avoid over-collection and ensure that data fields captured during onboarding, transactions, or KYC processes are strictly justified by a legitimate business or regulatory need. This requires conducting a Data Protection Impact Assessment (DPIA) for high-risk processing activities before deployment.

For retention, PDPL Article 14 requires that personal data not be retained beyond the period necessary to fulfill the processing purpose. In the fintech context, this intersects with SAMA's AML/CFT retention requirements (typically 10 years for transaction records), creating a layered compliance obligation. CISOs and compliance officers must map retention schedules per data category and align them with both PDPL and applicable financial regulations.

Practical implementation steps include:

1. Building a data inventory and classification framework identifying all personal data assets
2. Configuring automated data lifecycle policies in storage systems to trigger deletion or anonymization upon retention expiry
3. Reviewing API integrations and third-party data processors to ensure downstream data handling aligns with minimization principles
4. Documenting lawful retention justifications for each data category in your Record of Processing Activities (RoPA)
5. Establishing a periodic review cycle — at least annually — to reassess whether retained data remains necessary

Non-compliance can result in fines up to SAR 5 million under PDPL, making proactive governance essential for Saudi fintechs.
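The erasure-versus-retention conflict that this answer and the earlier ones on deletion pipelines and audit trails describe, as an added Python illustration (not the platform's own code): an erasure request is applied record by record, records whose retention period has lapsed are deleted, records still under a retention obligation are kept with direct identifiers stripped and the legal basis recorded for the response, and every decision goes into a hash-chained audit log. The data categories, retention periods, identifier fields, HMAC key and sample records are constructed assumptions; only the "typically 10 years" SAMA figure comes from the FAQ.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import json

# Retention schedule per data category, in days. The transaction figure is the
# "typically 10 years" the FAQ attributes to SAMA; the other rows are assumed
# placeholders to be replaced from the organisation's own RoPA.
RETENTION_DAYS = {
    "marketing_profile": 0,          # no retention obligation: erase on request
    "kyc_document": 365 * 10,        # assumed: AML/CFT record-keeping
    "transaction_record": 365 * 10,  # SAMA: transaction records ~10 years
}
RETENTION_BASIS = {
    "kyc_document": "AML/CFT record-keeping (assumed placeholder)",
    "transaction_record": "SAMA transaction-record retention (~10 years)",
}
# Assumed set of fields that directly identify the subject; they are stripped
# when a record must be kept although the person has asked for erasure.
DIRECT_IDENTIFIERS = {"name", "national_id", "phone", "email"}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    created: date
    payload: dict


@dataclass
class AuditLog:
    """Hash-chained audit trail: each entry commits to the previous entry's
    hash, so an edited or removed entry is detected by verify()."""
    entries: list = field(default_factory=list)

    def append(self, **event) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {**event, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def pseudonymise(subject_id: str, key: bytes) -> str:
    """Keyed hash: the alias cannot be reversed without the key, which is held
    under separate control so the record stays re-identifiable for a regulator."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def handle_erasure_request(records, subject_id, today, key, log):
    """Apply a PDPL erasure request. Returns (remaining_records, decisions);
    each decision says whether the record was erased or retained-and-
    pseudonymised, with the legal basis the response letter must cite."""
    remaining, decisions = [], []
    for rec in records:
        if rec.subject_id != subject_id:
            remaining.append(rec)
            continue
        expires = rec.created + timedelta(days=RETENTION_DAYS[rec.category])
        if today >= expires:
            decisions.append({"record_id": rec.record_id, "action": "erased"})
            log.append(action="erased", record_id=rec.record_id,
                       category=rec.category, on=today.isoformat())
            continue  # dropped: not carried into `remaining`
        # Retention period still running: erasure is declined for this record,
        # direct identifiers are removed, and the basis is documented.
        kept = Record(rec.record_id, pseudonymise(subject_id, key), rec.category,
                      rec.created,
                      {k: v for k, v in rec.payload.items() if k not in DIRECT_IDENTIFIERS})
        remaining.append(kept)
        decisions.append({"record_id": rec.record_id, "action": "retained_pseudonymised",
                          "legal_basis": RETENTION_BASIS[rec.category],
                          "retain_until": expires.isoformat()})
        log.append(action="retained_pseudonymised", record_id=rec.record_id,
                   category=rec.category, basis=RETENTION_BASIS[rec.category],
                   on=today.isoformat())
    return remaining, decisions


# Constructed sample store: two records for customer "subj-42", one for another.
SAMPLE_RECORDS = [
    Record("m-1", "subj-42", "marketing_profile", date(2024, 1, 10),
           {"name": "A. Customer", "segment": "gold"}),
    Record("t-1", "subj-42", "transaction_record", date(2023, 6, 1),
           {"name": "A. Customer", "national_id": "1xxxxxxxxx", "amount": 250.0}),
    Record("t-2", "other", "transaction_record", date(2023, 6, 2),
           {"name": "B. Other", "amount": 40.0}),
]


def demo():
    """Run the sample erasure request for "subj-42" as of an assumed date."""
    log = AuditLog()
    remaining, decisions = handle_erasure_request(
        SAMPLE_RECORDS, "subj-42", date(2025, 3, 1), b"example-key", log)
    return remaining, decisions, log


if __name__ == "__main__":
    _, decisions, log = demo()
    print(json.dumps(decisions, indent=2), "audit chain ok:", log.verify())
```

Backups are outside this model: the FAQ's point that deletion must propagate to backup systems still has to be covered by the storage layer's own lifecycle policy.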
The Saudi Personal Data Protection Law (PDPL) and its implementing regulations impose specific obligations on fintechs deploying AI systems or automated decision-making (ADM) tools that process personal data — an area of rapidly growing regulatory scrutiny.

**Lawful Basis for AI Processing:** Under PDPL Article 7, any AI system processing personal data must have a clearly identified lawful basis — typically contractual necessity or explicit consent. For credit scoring, fraud detection, or behavioral profiling, consent must be granular, informed, and revocable.

**Transparency Requirements:** PDPL Article 11 requires that individuals be informed when automated decisions are being made about them, the logic involved, and the potential consequences. Fintechs must provide clear, plain-language disclosures in their privacy notices — not buried in terms and conditions.

**Right to Contest Automated Decisions:** While Saudi PDPL is still maturing in this area, SDAIA's implementing regulations signal alignment with international standards giving data subjects the right to request human review of decisions made solely by automated means — particularly for loan approvals, account restrictions, or KYC rejections.

**Data Minimization & Purpose Limitation:** PDPL Articles 9 and 14 prohibit processing more data than necessary or using it for purposes beyond what was disclosed. AI models trained on customer behavioral data must be scoped and governed to prevent purpose creep.

**Data Protection Impact Assessment (DPIA):** High-risk AI processing — such as biometric data, financial profiling, or large-scale behavioral analysis — requires a DPIA before deployment. This must include risk assessment, mitigation controls, and documentation retained for regulatory review.

**SAMA Intersection:** SAMA's Open Banking Framework and Consumer Protection Principles further require fintechs to ensure algorithmic fairness and non-discrimination in financial product recommendations.

Our platform provides PDPL-aligned DPIA templates and AI governance checklists tailored for Saudi fintech environments.
Saudi fintechs operating mobile applications that collect and process customer financial data carry significant obligations under the Personal Data Protection Law (PDPL) and its Executive Regulations, enforced by the Saudi Data & AI Authority (SDAIA).

**Lawful Basis and Consent (PDPL Article 5–7):** Processing personal financial data requires a clear lawful basis — typically explicit, informed consent or contractual necessity. Consent must be granular: users should separately consent to data collection, processing, profiling, and marketing. Pre-ticked boxes or bundled consent clauses are non-compliant.

**Transparency and Privacy Notices (PDPL Article 11):** Mobile apps must display a clear, accessible Arabic-language privacy notice disclosing: categories of data collected, processing purposes, retention periods, third-party sharing, and user rights. The notice must be presented before or at the point of data collection.

**Data Subject Rights (PDPL Article 14–18):** Fintechs must operationalize user rights within the app or via a designated channel: the right to access, correct, delete (right to erasure subject to regulatory retention requirements), and withdraw consent. Response timelines must not exceed 30 days per PDPL Executive Regulations.

**Data Minimization and Retention:** Only data strictly necessary for the stated purpose should be collected. Financial transaction data may have mandatory retention periods under SAMA regulations (typically 10 years), which can override the PDPL erasure right — fintechs must document this conflict resolution in their Records of Processing Activities (RoPA).

**Security Controls:** PDPL Article 19 requires appropriate technical and organizational safeguards. For financial apps, this includes end-to-end encryption, certificate pinning, secure API authentication (OAuth 2.0/FAPI), and regular DAST/SAST testing of the mobile codebase.

Fintechs should appoint a Data Protection Officer (DPO) if processing is large-scale or involves sensitive financial profiles, and register processing activities with SDAIA as required.
The Saudi Personal Data Protection Law (PDPL), enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), imposes clear obligations on organizations when a personal data breach occurs. This is especially critical for banks and fintechs that process large volumes of sensitive financial and personal data.

**Notification Obligations Under PDPL:** Article 23 of the PDPL requires that organizations notify SDAIA of any personal data breach that could result in harm to data subjects. The notification must be submitted **without undue delay** — in practice, regulators expect notification within 72 hours of becoming aware, aligning with international best practices. If the breach poses a high risk to individuals (e.g., exposure of financial account numbers, national ID data, or biometrics), **data subjects must also be individually notified** with clear information about the nature of the breach and protective steps they can take.

**DPO Responsibilities Upon Breach:**

1. **Contain**: Immediately isolate affected systems and revoke compromised credentials.
2. **Assess**: Determine the scope — which data categories, how many individuals, and what risk level.
3. **Document**: Record the breach in the internal data breach register with timeline, cause, and impact details.
4. **Notify SDAIA**: Submit a formal breach notification via the SDAIA portal including: nature of breach, categories/volume of data, likely consequences, and remediation measures taken.
5. **Notify Subjects**: Where required, issue clear communications — avoid vague language that may increase legal exposure.
6. **Coordinate with SAMA**: For financial institutions, simultaneously notify SAMA per CSF Control 3.4.2 (Cybersecurity Incident Management), as dual regulatory reporting is mandatory.
7. **Post-Incident Review**: Conduct a root cause analysis within 30 days and update DPIAs and security controls accordingly.

Failure to comply with PDPL breach notification obligations can result in fines up to SAR 5 million, with repeated violations attracting doubled penalties.
Using AI for credit scoring in Saudi Arabia creates a complex intersection of PDPL obligations, SAMA CSF data governance requirements, and emerging AI ethics considerations. Here is what fintech compliance teams must address:

1. **Legal Basis for Processing** — Under PDPL Article 5, processing personal financial data for credit scoring must rest on a valid legal basis, typically contractual necessity or legitimate interest. Where sensitive inferences are drawn (e.g., financial vulnerability), explicit consent may be required.
2. **Transparency and Notification** — PDPL Articles 11-12 require individuals to be informed about automated decision-making processes affecting them, including credit decisions. Privacy notices must explicitly disclose AI-based scoring and the data inputs used.
3. **Data Minimization** — Only data directly relevant to creditworthiness assessment should be collected and processed. Behavioral or social data inputs must be legally justified and proportionate per PDPL principles.
4. **Right to Explanation** — While PDPL does not yet mandate a full 'right to explanation' equivalent to GDPR Article 22, SAMA CSF Control 3.3.7 on data governance expects institutions to maintain explainability of automated decisions affecting customers.
5. **Retention Limits** — Financial data used in scoring models must be retained only for the period necessary, with documented retention schedules reviewed annually.
6. **Cross-Border Transfers** — If AI models are trained or hosted outside Saudi Arabia, PDPL Article 29 transfer controls apply. Ensure adequate protection measures are contractually enforced with overseas processors.

Engage your Data Protection Officer early in AI model design to embed privacy-by-design principles from inception.
Saudi fintech companies operate at the intersection of two major regulatory regimes — the Personal Data Protection Law (PDPL) and SAMA CSF — each with distinct but complementary breach response obligations. Building a unified response plan is both a compliance necessity and an operational best practice.

**PDPL Obligations (SDAIA Oversight):** Under PDPL Article 24, data controllers must notify the Saudi Data and Artificial Intelligence Authority (SDAIA) of any personal data breach that harms or is likely to harm data subjects, within a timeframe specified by the Implementing Regulations (currently expected within 72 hours of discovery for high-risk breaches). Affected individuals must also be notified when there is a direct risk to their rights or interests.

**SAMA CSF Obligations:** SAMA CSF Control 3.5.4 requires documented incident response procedures, including breach detection, containment, eradication, recovery, and post-incident review. Incidents impacting customer data or system availability must be reported to SAMA within defined timeframes — critical incidents typically within 24 hours.

**Building a Unified Response Plan:**

1. **Classify breach severity upfront**: Define thresholds for when PDPL notification, SAMA reporting, and customer communication are triggered.
2. **Establish a response team**: Include Legal, DPO, CISO, Operations, and Communications roles with clear RACI assignments.
3. **Maintain evidence logs**: Preserve forensic evidence, access logs, and communication records throughout the incident lifecycle.
4. **Test regularly**: Conduct tabletop exercises at least twice yearly simulating data breach scenarios.
5. **Coordinate notifications**: Use pre-approved notification templates for SDAIA, SAMA, and affected customers to avoid delays under pressure.

A synchronized response plan not only ensures regulatory compliance but significantly reduces financial and reputational exposure in the event of a breach.
Saudi fintech companies face a dual compliance obligation when a data breach occurs: satisfying the Personal Data Protection Law (PDPL) administered by the Saudi Data and AI Authority (SDAIA), and meeting SAMA CSF incident reporting requirements. Aligning both is critical to avoid regulatory penalties and reputational damage.

**PDPL Obligations (Articles 25–27):** Upon discovering a personal data breach, organizations must notify SDAIA without undue delay — interpretive guidance suggests within 72 hours of awareness — if the breach poses a risk to data subjects' rights. If high risk is confirmed, affected individuals must also be notified with clear, plain-language communication describing the nature of the breach, the data categories impacted, and the steps taken.

**SAMA CSF Obligations (Control 3.6 — Cyber Security Incident Management):** SAMA requires financial institutions to report cybersecurity incidents to SAMA within specific timeframes based on severity. Critical incidents must be reported immediately (within 2 hours of detection), with a full post-incident report due within 72 hours. Fintechs must maintain an incident log and evidence chain throughout.

**Practical Alignment Steps:**

1. Build a unified Incident Response Plan (IRP) that maps PDPL and SAMA notification triggers to the same detection-to-report workflow.
2. Establish a data breach triage process that simultaneously evaluates personal data exposure (PDPL) and operational/financial system impact (SAMA).
3. Designate a Data Protection Officer (DPO) and CISO with clear ownership over regulatory notifications.
4. Conduct tabletop exercises simulating breach scenarios covering both regulators.
5. Maintain pre-approved notification templates for SDAIA, SAMA, and affected customers to accelerate response times.

Proactive alignment reduces the risk of conflicting timelines and ensures regulatory trust is maintained across both frameworks.
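The "classify severity upfront" and "single triage process for both regulators" steps in the two answers above, written out as an added example (not code from this page, from SDAIA or from SAMA): one breach record goes in, and the notifications it triggers come out with deadlines computed from the discovery time. The hour values are the ones quoted in the answer directly above (PDPL 72 h; SAMA critical 2 h initial report, 72 h full report); the high-risk category list, the "critical incident" rule and the sample breach are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption for this example: categories the FAQ answers above treat as high risk.
HIGH_RISK_CATEGORIES = {"financial_account", "national_id", "biometric"}

@dataclass
class Breach:
    discovered_at: datetime         # when the organisation became aware
    data_categories: set
    affected_subjects: int
    financial_institution: bool     # SAMA-regulated entity?
    systems_unavailable: bool = False

@dataclass
class Obligation:
    recipient: str                  # "SDAIA", "SAMA" or "data subjects"
    action: str
    due: datetime

def triage(b: Breach) -> list:
    """Map one breach to the notifications it triggers, earliest deadline first."""
    high_risk = b.affected_subjects > 0 and bool(b.data_categories & HIGH_RISK_CATEGORIES)
    plan = []
    # PDPL: notify SDAIA of any breach that could harm data subjects (72 h in practice).
    if b.affected_subjects > 0:
        plan.append(Obligation("SDAIA", "PDPL breach notification",
                               b.discovered_at + timedelta(hours=72)))
    # PDPL: high-risk breaches also require telling the individuals themselves.
    # Assumption: same 72 h window, since the answers give no separate figure.
    if high_risk:
        plan.append(Obligation("data subjects", "individual notification",
                               b.discovered_at + timedelta(hours=72)))
    # SAMA CSF: critical incidents need a 2 h initial report and a 72 h full report.
    # Assumption: "critical" means high-risk data exposure or system unavailability.
    if b.financial_institution and (high_risk or b.systems_unavailable):
        plan.append(Obligation("SAMA", "initial incident report",
                               b.discovered_at + timedelta(hours=2)))
        plan.append(Obligation("SAMA", "full post-incident report",
                               b.discovered_at + timedelta(hours=72)))
    return sorted(plan, key=lambda o: o.due)

def overdue(plan: list, now: datetime) -> list:
    """Obligations whose deadline has already passed at `now`."""
    return [o for o in plan if o.due < now]

# Constructed sample: a fintech discovers card numbers of 1,200 customers were exposed.
SAMPLE = Breach(datetime(2024, 1, 6, 9, 0), {"financial_account", "email"}, 1200, True)
```

Running `triage(SAMPLE)` yields the SAMA 2 h report first, then the three 72 h items; `overdue(plan, now)` is the check a SOC dashboard would run on each refresh.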