Data Privacy and Tokenized Securities: PDPL Compliance for Digital Asset Operations
Saudi Arabia’s Personal Data Protection Law (PDPL), enacted in September 2023, applies to all digital asset operations — creating specific compliance obligations for blockchain-based systems where transaction data is inherently persistent and pseudonymous rather than anonymous, with CMA and SAMA requiring data residency within the Kingdom for all tokenized securities infrastructure. The PDPL is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), and its obligations intersect with capital market regulations issued by the Capital Market Authority and the payment data requirements of the Saudi Central Bank (SAMA) at every layer of tokenized securities operations. All CMA-licensed digital asset entities must register as data controllers with SDAIA and comply with PDPL data residency mandates covering on-chain transaction records, off-chain KYC databases, and market surveillance analytics. The Personal Data Protection Law is published at pdp.gov.sa, the official SDAIA portal for data protection regulation in Saudi Arabia.
PDPL and Blockchain: The Fundamental Tension
The PDPL grants Saudi data subjects specific rights — including the right to erasure, correction, and restriction of processing — that conflict with blockchain’s core design principle of immutability. This tension creates a compliance challenge unique to tokenized securities operations that does not exist for traditional capital markets infrastructure.
On-chain transaction records on R3 Corda (the DLT protocol underlying Tadawul’s digital securities platform) are permanent by design. Every tokenized sukuk trade, equity token transfer, and digital bond settlement creates an immutable record. The PDPL requires that personal data be deletable upon request — but deleting a transaction record from a distributed ledger would compromise the integrity of the entire chain.
The CMA’s resolution to this tension, informed by Saudi Blockchain Lab research, follows a three-layer data architecture:
- On-chain layer: Contains only transaction hashes, token identifiers, and encrypted references — no directly identifiable personal data
- Off-chain identity layer: Contains KYC data, investor classification (QI, SQI, retail), and beneficial ownership information in PDPL-compliant databases
- Reference layer: Cryptographic links between on-chain transactions and off-chain identity records, deletable to satisfy erasure requests without compromising ledger integrity
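The following added example (not code from the CMA, the Saudi Blockchain Lab or Tadawul's platform) shows the three-layer separation in miniature: an append-only hash-chained ledger that carries only a token identifier, a quantity and an investor pseudonym; an off-chain KYC store; and a reference layer of per-investor linking keys. Serving an erasure request deletes the KYC record and the linking key, after which the on-chain record can no longer be resolved to a person while the chain still verifies. The record fields, identity ids and KYC values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed illustration of a three-layer data architecture:
#   layer 1: on-chain records, hash-chained and never modified after append
#   layer 2: off-chain identity store (KYC data), deletable on request
#   layer 3: reference layer of per-investor linking keys; deleting a key
#            breaks the link between pseudonym and person (crypto-shredding)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class OnChainRecord:
    index: int
    prev_hash: str
    token_id: str
    quantity: int
    investor_ref: str          # HMAC of the identity id under the investor's linking key
    record_hash: str = ""

    def compute_hash(self) -> str:
        payload = {"index": self.index, "prev_hash": self.prev_hash,
                   "token_id": self.token_id, "quantity": self.quantity,
                   "investor_ref": self.investor_ref}
        return sha256_hex(json.dumps(payload, sort_keys=True).encode())


class ThreeLayerLedger:
    def __init__(self) -> None:
        self.chain: List[OnChainRecord] = []        # on-chain layer
        self.identity: Dict[str, dict] = {}         # off-chain identity layer
        self.reference: Dict[str, bytes] = {}       # reference layer: identity id -> key

    def onboard(self, identity_id: str, kyc: dict) -> None:
        self.identity[identity_id] = kyc
        self.reference[identity_id] = secrets.token_bytes(32)

    def _pseudonym(self, identity_id: str) -> str:
        # Deterministic per investor, so the investor's trades are linkable to
        # each other (pseudonymous, not anonymous); the key never goes on-chain.
        key = self.reference[identity_id]
        return hmac.new(key, identity_id.encode(), "sha256").hexdigest()

    def record_trade(self, identity_id: str, token_id: str, quantity: int) -> OnChainRecord:
        prev = self.chain[-1].record_hash if self.chain else "0" * 64
        rec = OnChainRecord(len(self.chain), prev, token_id, quantity,
                            self._pseudonym(identity_id))
        rec.record_hash = rec.compute_hash()
        self.chain.append(rec)
        return rec

    def resolve(self, rec: OnChainRecord) -> Optional[dict]:
        # Only a holder of the reference layer can relink a record to a person.
        for identity_id, key in self.reference.items():
            candidate = hmac.new(key, identity_id.encode(), "sha256").hexdigest()
            if hmac.compare_digest(candidate, rec.investor_ref):
                return self.identity.get(identity_id)
        return None

    def erase(self, identity_id: str) -> None:
        # Erasure request: remove KYC data and the linking key; the chain is untouched.
        self.identity.pop(identity_id, None)
        self.reference.pop(identity_id, None)

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for i, rec in enumerate(self.chain):
            if rec.index != i or rec.prev_hash != prev or rec.compute_hash() != rec.record_hash:
                return False
            prev = rec.record_hash
        return True


def demo() -> dict:
    """Walk through onboarding, trade, erasure and an integrity check."""
    ledger = ThreeLayerLedger()
    ledger.onboard("INV-001", {"name": "Constructed Investor", "classification": "QI"})
    rec = ledger.record_trade("INV-001", "SUKUK-TEST-01", 100)   # constructed token id
    before = ledger.resolve(rec)
    ledger.erase("INV-001")
    after = ledger.resolve(rec)
    chain_ok = ledger.verify_chain()
    ledger.chain[0].quantity = 999          # simulate tampering with an on-chain field
    return {"before": before, "after": after, "chain_ok": chain_ok,
            "tamper_detected": not ledger.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The design point is that erasure never touches layer 1: the pseudonym stays on the ledger as an unlinkable value, and the hash chain still validates. Anyone who still holds a copy of the linking key could re-establish the link, so key custody in the reference layer is what the erasure guarantee actually rests on.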
Data Residency Requirements
The CMA and SAMA jointly mandate that all tokenized securities infrastructure maintain data residency within Saudi Arabia. This requirement applies to:
Node Infrastructure: All R3 Corda nodes participating in Tadawul’s digital securities platform must be physically hosted in Saudi Arabia. The 12 connected broker-dealers operate validator nodes in Saudi-based data centers. Edaa, as central depository, maintains the notary node infrastructure entirely within Kingdom borders.
KYC and Identity Data: All investor identity data collected during tokenized securities onboarding must be stored in Saudi-resident databases. This applies to data collected through Absher government ID verification, open banking account verification, and AML/CFT screening processes. International custody providers accessing Saudi tokenized securities must maintain Saudi data residency for all client records.
Transaction Analytics: Market surveillance data, blockchain analytics outputs, and suspicious transaction reports processed by SAMA’s Financial Intelligence Unit (SAFIU) must remain within Saudi jurisdiction. This restricts the use of international blockchain analytics providers unless they establish Saudi-based processing capabilities.
| Data Category | Residency Requirement | Regulatory Authority |
|---|---|---|
| On-chain transaction data | Saudi-hosted nodes only | CMA |
| KYC/AML identity records | Saudi-resident databases | CMA + SAMA |
| Payment settlement data | Saudi banking infrastructure | SAMA |
| Market surveillance data | Saudi-hosted analytics | CMA |
| CBDC transaction records | SAMA-controlled infrastructure | SAMA |
| Cross-border custody records | Saudi mirror copy required | CMA |
PDPL Compliance Framework for Digital Asset Entities
CMA-licensed digital asset entities must implement PDPL compliance programs covering:
Consent Management: Every investor in tokenized securities must provide explicit, informed consent for data processing activities specific to blockchain-based operations. Consent forms must disclose that transaction records will be permanently recorded on a distributed ledger, that pseudonymous (not anonymous) transaction data will be visible to network participants, and that Edaa and CMA-authorized entities can link on-chain transactions to identity records.
Data Protection Impact Assessments: The CMA requires that all sandbox participants and licensed entities complete data protection impact assessments (DPIAs) before deploying tokenized securities products. DPIAs must cover on-chain data exposure risk, cross-border data transfer implications for internationally connected platforms, and privacy risks specific to smart contract execution.
Breach Notification: The PDPL mandates breach notification within 72 hours. For blockchain-based systems, the definition of a “breach” extends to unauthorized access to the off-chain identity layer, compromise of cryptographic keys linking on-chain transactions to identity records, and exploitation of smart contract vulnerabilities that expose investor data.
Data Minimization: CMA-licensed entities must demonstrate that on-chain data is minimized to transaction-essential elements only. The Saudi Blockchain Lab has published technical guidelines specifying maximum data payloads for different tokenized security types.
Privacy-Enhancing Technologies
The Saudi Blockchain Lab research program on privacy-preserving computation has identified four technologies with applicability to Saudi tokenized securities:
Zero-Knowledge Proofs (ZKPs): ZKPs allow transaction validation without revealing transaction details. For tokenized sukuk compliance, ZKPs can prove that an investor meets QI classification requirements without exposing the specific financial data underlying the classification. Two CMA sandbox participants are testing ZKP-based compliance verification.
Homomorphic Encryption: Enables computation on encrypted data without decryption. Applications include encrypted AML/CFT screening where transaction patterns are analyzed without exposing individual transaction details, and encrypted Sharia compliance verification for tokenized instruments.
Secure Multi-Party Computation (MPC): Distributes computation across multiple parties so no single entity has access to complete data. Applications include distributed key management for digital asset custody and collaborative market surveillance between CMA and SAMA without sharing raw data.
Selective Disclosure: Verifiable credentials allowing investors to prove specific attributes (accreditation status, nationality, Sharia compliance verification) without revealing underlying personal data. This technology aligns with the PDPL’s data minimization principle.
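The added example below (not code from the Saudi Blockchain Lab or any sandbox participant) illustrates the selective disclosure pattern with salted hash commitments in the style of SD-JWT credentials: the issuer commits to every attribute, and the holder later reveals only the attribute a verifier needs, such as investor classification, while nationality and income stay hidden. An HMAC under a constructed issuer key stands in for the issuer's digital signature so the example runs with the standard library alone; the attribute names and values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Constructed example of selective disclosure over salted hash commitments.
# Hypothetical issuer key; an HMAC stands in for the issuer's signature.
ISSUER_KEY = b"constructed-issuer-key-not-for-production"

Disclosure = Tuple[str, str, str]   # (salt, attribute name, attribute value)


def _digest(salt: str, name: str, value: str) -> str:
    # A fresh random salt per attribute stops a verifier from guessing hidden
    # values by hashing candidates (e.g. every nationality code).
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(attributes: Dict[str, str]) -> Tuple[dict, List[Disclosure]]:
    disclosures = [(secrets.token_hex(16), n, v) for n, v in attributes.items()]
    digests = sorted(_digest(*d) for d in disclosures)     # sorted: hides attribute order
    body = json.dumps({"digests": digests}, sort_keys=True)
    credential = {"body": body,
                  "mac": hmac.new(ISSUER_KEY, body.encode(), "sha256").hexdigest()}
    return credential, disclosures        # holder keeps the disclosures privately


def present(credential: dict, disclosures: List[Disclosure], reveal: List[str]) -> dict:
    # The holder sends the signed credential plus only the chosen disclosures.
    return {"credential": credential,
            "disclosed": [d for d in disclosures if d[1] in reveal]}


def verify_presentation(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> Dict[str, str]:
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["mac"]):
        raise ValueError("credential was not issued by the trusted issuer")
    digests = set(json.loads(cred["body"])["digests"])
    revealed: Dict[str, str] = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in digests:
            raise ValueError(f"disclosure for {name!r} does not match the credential")
        revealed[name] = value
    return revealed


def check_qi_eligibility(presentation: dict) -> bool:
    """Verifier-side rule: accept only a validly disclosed QI classification."""
    return verify_presentation(presentation).get("investor_classification") == "QI"


if __name__ == "__main__":
    cred, discl = issue_credential({"investor_classification": "QI",
                                    "nationality": "SA",
                                    "annual_income_sar": "1200000"})
    print(verify_presentation(present(cred, discl, ["investor_classification"])))
```

The verifier learns the classification and nothing else, yet can still check that the value was vouched for by the issuer, because each revealed triple must hash to a digest inside the issuer-authenticated body. Altering a revealed value, or presenting a digest list that was not issued, fails verification.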
Cross-Border Data Transfer
Cross-border tokenized securities operations face additional PDPL constraints:
The PDPL restricts personal data transfers to jurisdictions with “adequate” data protection — a designation currently limited to a small number of countries. For GCC cross-border trading of tokenized securities, data adequacy assessments are required for each counterparty jurisdiction. The CMA’s international cooperation agreements include data protection provisions, but operational implementation remains complex.
Saudi Arabia’s FATF membership (since 2019) creates additional data-sharing obligations under the Travel Rule — requiring originator and beneficiary information for digital asset transfers above SAR 3,750. The intersection of FATF Travel Rule compliance and PDPL data minimization creates a narrow compliance corridor that CMA-licensed entities must navigate carefully.
International custody providers serving Saudi tokenized securities must execute Standard Contractual Clauses (SCCs) approved by the Saudi Data and Artificial Intelligence Authority (SDAIA). Four international custodians connected to Tadawul’s platform have completed SCC execution as of Q1 2026.
SAMA Payment Data Requirements
SAMA imposes separate data protection requirements for the payment leg of tokenized securities settlement:
Payment token transaction data generated through SAR stablecoins or the digital riyal is subject to SAMA’s banking data protection regulations in addition to the PDPL. This creates dual regulatory obligations for payment data processing.
Open banking data used for investor onboarding at platforms like stc pay and Rasan carries specific consent and retention requirements under SAMA’s open banking framework.
Digital banking customer data at institutions like STC Bank serving as retail distribution channels for tokenized securities must comply with both SAMA banking regulations and CMA investor protection requirements.
Compliance Metrics and Enforcement
| Compliance Metric | Status (Q1 2026) |
|---|---|
| CMA-licensed entities with DPIA completed | 29 of 34 (85%) |
| Entities with appointed Data Protection Officer | 34 of 34 (100%) |
| PDPL breach notifications (digital asset sector) | 2 (both resolved) |
| Data residency audit completions | 22 of 34 (65%) |
| Cross-border SCC executions | 4 international custodians |
| Privacy-enhancing technology pilots | 3 sandbox participants |
Outlook
Data privacy compliance for tokenized securities will intensify as the ecosystem scales toward SAR 50 billion in outstanding instruments. The Fintech Saudi accelerator program has identified privacy-enhancing technology development as a priority investment area, and SDAIA is developing blockchain-specific PDPL implementation guidance expected in Q3 2026.
The convergence of PDPL compliance, FATF Travel Rule obligations, CMA disclosure requirements, and SAMA payment data regulations creates a multi-layered data governance challenge — but one that Saudi Arabia’s institutional infrastructure is actively addressing through coordinated regulatory action and Saudi Blockchain Lab research.
Primary regulatory sources: PDPL — pdp.gov.sa | CMA — cma.org.sa | SAMA — sama.gov.sa
SDAIA and Data Governance Infrastructure
The Saudi Data and Artificial Intelligence Authority (SDAIA) provides the institutional framework for data governance that intersects with the tokenization ecosystem at multiple points. SDAIA’s PDPL enforcement role means that all CMA-licensed digital asset entities must register as data controllers with SDAIA and comply with the authority’s data processing guidelines in addition to CMA-specific requirements. The Elm Company’s identity verification infrastructure — used by all 34 CMA-licensed digital asset entities for investor onboarding through the Nafath platform — operates under a PDPL-compliant framework that SDAIA has certified for financial services applications.
The Saudi Blockchain Lab’s privacy research program — focused on zero-knowledge proofs, homomorphic encryption, and privacy-preserving computation — addresses the technical challenge of reconciling blockchain transparency with PDPL data minimization requirements. The Lab’s research on privacy-preserving regulatory reporting enables the CMA to maintain full transaction visibility for AML/CFT monitoring while ensuring that individual investor data is not exposed to unauthorized parties on the blockchain network. This research directly informs the securities tokenization standards’ privacy requirements for CMA-approved blockchain protocols.
The cross-border custody dimension of PDPL compliance is particularly significant for international investors in Saudi tokenized securities. The 4 international custodian banks with Tadawul integration have executed Standard Contractual Clauses (SCCs) approved by SDAIA for cross-border data transfers, enabling custody data to flow between Saudi-resident systems and international custodian headquarters while maintaining PDPL compliance. The CMA’s bilateral cooperation agreements with 11 international regulators include data sharing provisions that have been aligned with PDPL cross-border transfer requirements, ensuring that regulatory information exchange does not conflict with data privacy obligations.
Saudi Arabia’s FATF membership (since 2019) creates a specific tension with data privacy that the CMA and SDAIA have addressed through a joint guidance note: FATF-mandated travel rule data (beneficiary name, account number, originator details) for digital asset transfers above SAR 3,750 is classified as a legitimate processing purpose under PDPL, meaning AML/CFT compliance obligations override general data minimization principles for specific transaction data elements. This clarity prevents the regulatory conflict between privacy and financial crime prevention that has complicated digital asset regulation in jurisdictions without comparable guidance.
The Saudi Digital Academy’s “Data Privacy for Digital Finance” training program has certified 80 compliance professionals across SAMA-licensed fintech entities and CMA-licensed digital asset firms, building the specialized workforce needed to navigate the intersection of data privacy and blockchain-based financial services. The program covers PDPL obligations, SDAIA reporting requirements, cross-border data transfer mechanisms, and the specific privacy challenges of immutable blockchain records — addressing the unique compliance profile that tokenized securities operations present compared to conventional financial services.
The Vision 2030 Financial Sector Development Program identifies data governance as a foundational enabler of financial sector digitization. The convergence of PDPL enforcement, CMA digital asset regulation, and SAMA fintech oversight creates a multi-layered data governance framework that tokenized securities operators must navigate — but also provides the data protection credibility that international institutional investors require before committing capital to Saudi digital asset markets. The investor protection framework depends on robust data privacy — investors must trust that their identity, portfolio, and transaction data is protected — making PDPL compliance not merely a legal obligation but a market development imperative.
The Saudi Blockchain Lab’s privacy and data protection research program — one of five core research programs — focuses on zero-knowledge proofs, homomorphic encryption, and privacy-preserving computation for financial applications. This research directly supports PDPL compliance in blockchain environments where transaction data is inherently persistent and pseudonymous. The Lab’s 4 patent applications include a privacy-preserving regulatory reporting protocol that could enable CMA disclosure compliance without exposing individual transaction data, addressing one of the fundamental tensions between blockchain transparency and data protection requirements. The GCC cooperation framework on data governance harmonization aims to establish compatible cross-border data transfer mechanisms that support cross-border tokenized securities settlement while maintaining individual member state data sovereignty. The SDAIA (Saudi Data and Artificial Intelligence Authority) provides supplementary guidance on AI-driven transaction monitoring within tokenized securities platforms, ensuring that automated data processing for AML/CFT compliance operates within PDPL boundaries for lawful personal data use.
The CMA has issued 68 capital market permits to date, reinforcing the institutional depth of the data governance framework that tokenized securities operators must navigate as the ecosystem scales toward production volumes.