
Fintech compliance teams have, understandably, organised their data protection efforts around the Personal Data Protection Law (PDPL). But for many fintechs in the Kingdom, the PDPL is the floor, not the ceiling. A second, less-discussed layer of obligations sits above it, administered by the Communications, Space and Technology Commission (CST), and it is regularly missed.
The PDPL is the baseline
The PDPL and its Implementing Regulations are the baseline data protection framework in Saudi Arabia, and they apply to fintech companies as they do to any other controller or processor handling personal data. Most fintechs have, sensibly, built their privacy programmes around this regime. The issue is that the PDPL is sector-agnostic. It does not, on its own, capture the technological, digital infrastructure and information security obligations that the Kingdom’s communications and IT regulator imposes on a defined population of providers, a population that increasingly includes fintech businesses.
Are you a CST “Service Provider”?
The starting point is a single threshold question under the Telecommunication and Information Technology Act: does the fintech provide telecommunications, information technology or related services, including digital content platforms, to the public? If the answer is yes, the CST regime is engaged, and a parallel set of obligations applies on top of the PDPL. If no, the PDPL continues to apply on its own. In our experience, fintechs offering customer-facing digital platforms, app-based services, embedded financial products or technology-enabled service layers should treat this question with care and document the analysis. Self-assessing out of scope without a defensible record is not a strategy.
What the CST layer actually requires
The CST framework operates through two complementary instruments: the General Principles for Personal Data Protection (RC04) and the Procedures of Launching Services or Products Based on Customers’ Personal Data (CST Procedures). Together, they impose obligations of two distinct kinds.
Standing obligations
Every in-scope Service Provider must establish and resource an independent function with clear roles and responsibilities for the protection of customer personal data. It must develop and maintain a comprehensive privacy programme, covering policies, procedures, documentation, implementation and enforcement, and submit that programme to the CST for approval, with periodic reporting on its effectiveness. Cross-border processing requires the CST’s prior written approval, which is a meaningfully higher bar than the PDPL’s transfer regime alone.
Transactional obligations
Where the Service Provider intends to share personal data, or to launch or modify a product or service that relies on the processing of personal data, a specific launch pathway is triggered. The Service Provider must first verify whether a Privacy Impact Assessment (PIA) is required. If not, the verification must be submitted to the CST at least five business days before launch. If yes, the PIA itself must be submitted at least twenty-one business days before launch, and the launch may not proceed until the CST has reviewed it and, where additional information is requested, has expressly accepted that information. A narrow carve-out applies to processing within the Service Provider’s own systems for the sole purpose of delivering services to a specific customer; it does not displace the standing obligations.
Why this matters in practice
The practical consequence is straightforward. A fintech that has built a high-quality PDPL compliance programme can still be materially non-compliant with the CST layer, most often by failing to obtain prior approval for its privacy programme, by processing personal data outside the Kingdom without CST written approval, or by launching a new product or feature that relies on personal data without working through the CST Procedures launch pathway. None of these gaps is theoretical. Each is identifiable in a typical fintech operating model.
If your fintech is a CST Service Provider, your PDPL programme is necessary but not sufficient. The CST framework adds an independent function, a regulator-approved privacy programme, prior written approval for cross-border processing, and a defined pre-launch pathway for new and modified products. The flowchart overleaf maps the regime end-to-end. Part II will examine the parallel obligations imposed by SAMA, and how the SAMA, CST and PDPL regimes interact.
What to do now
- Run, and document, the Service Provider threshold analysis.
- Confirm whether your privacy programme has been approved by the CST and whether your reporting cadence is current.
- Identify every cross-border processing flow and confirm CST written approval is in place.
