Gdnpr Bahrain: A New Privacy Law For The Kingdom

The Personal Data Protection Law (PDPL) is Bahrain's main data protection regulation. The PDPL came into force on 1 August 2019 and supersedes any law with contradictory provisions. The PDPL is similar to the EU's General Data Protection Regulation (GDPR) but has notable differences. The PDPL gives individuals rights over how their personal data is collected, processed and stored, and imposes new obligations on businesses over how they manage this data. The PDPL also establishes a new authority, the Personal Data Protection Authority (PDPA), which has the power to investigate alleged violations of the PDPL.

The Personal Data Protection Law (PDPL)

On July 12, 2018, Bahrain enacted Law No. 30 of 2018 with respect to the Personal Data Protection Law (PDPL). The PDPL is the main data protection regulation in Bahrain and came into force on August 1, 2019, superseding any laws with contradictory provisions. The PDPL defines personal data as any information in any form that can be used to identify an individual, either directly or indirectly. This includes, but is not limited to, an individual's name, identification number, passport number, and email address.

The PDPL outlines the rights and obligations of individuals and organizations regarding the collection, use, and protection of personal data. It establishes the Personal Data Protection Authority, an independent body responsible for overseeing and enforcing compliance with the law. The Authority is empowered to conduct investigations, issue fines, and order the cessation of activities that violate the PDPL.

The PDPL requires data controllers, who are responsible for determining the purposes and means of processing personal data, to obtain consent from individuals before processing their personal data. There are limited exceptions to this rule, such as when processing is necessary for the performance of a contract or to protect the vital interests of the data subject. The processing of sensitive personal data, which includes information about an individual's race, health, and religious beliefs, is subject to additional restrictions and requires explicit consent.

The PDPL also addresses the transfer of personal data outside of Bahrain, prohibiting such transfers unless the receiving country or territory provides an adequate level of protection for personal data. The Authority maintains a list of countries and territories that meet this standard.

To ensure compliance, the PDPL grants the Authority powers to request documents and information from data controllers and issue orders to stop violations. The PDPL carries a range of criminal penalties and administrative fines for violations, including imprisonment and substantial monetary fines.

The PDPL is designed to protect the privacy and personal data of individuals in Bahrain, promoting a safe and stable environment for both individuals and businesses.

The role of the Personal Data Protection Authority (PDPA)

The Personal Data Protection Authority (PDPA) is a public authority in Bahrain that is responsible for safeguarding individuals' personal data and protecting their privacy. The PDPA was established under the Personal Data Protection Law (PDPL), which came into force on August 1, 2019, to provide a legal framework for data protection. The PDPA has the following key roles and responsibilities:

• Informing and educating: The PDPA informs Data Controllers and the general public about their rights and obligations under the PDPL. It also organises training, educational programs, and awareness campaigns to promote a culture of personal data protection.
• Monitoring and oversight: The PDPA oversees compliance with the PDPL and inspects the activities of Data Controllers to ensure they adhere to the law. It encourages the development of systems and practices that safeguard personal data.
• Receiving notifications and granting authorisations: The PDPA receives and reviews notifications from Data Controllers regarding their data processing activities. It also grants prior authorisations for specific types of data processing, such as the processing of sensitive personal data or the transfer of data outside Bahrain.
• Accrediting Data Protection Guardians: The PDPA is responsible for accrediting and overseeing the work of Data Protection Guardians, who assist Data Controllers in complying with the PDPL.
• Complaint handling and investigation: The PDPA receives and investigates reports and complaints about potential breaches of the PDPL. It can initiate investigations on its own or based on requests from the Minister of Justice or serious complaints. The PDPA can also form internal or external committees to conduct investigations.
• International cooperation: The PDPA collaborates with counterpart authorities in other countries on matters of mutual interest, such as cross-border data transfers and international data protection standards.
• Policy formulation and representation: The PDPA studies and examines legislation related to personal data protection and recommends amendments to ensure compliance with international standards. It also represents Bahrain in international conferences as the competent body for data protection.
• Financial management: The PDPA has an independent budget and is responsible for managing its financial resources, which include state allocations, donations, grants, fees, and other amounts collected through its activities.
• Reporting and transparency: The PDPA submits periodic reports to the Minister of Justice, detailing its activities, achievements, challenges, and suggestions for maintaining data protection. It also prepares an annual report on its activities, which is published along with its audited financial statements.

The PDPA is headed by a Board of Directors, which sets the authority's policy and oversees its work. The Board consists of seven members, including a Chairman, and is responsible for issuing regulations, resolutions, and internal policies. The PDPA also has a Chief Executive, who manages the day-to-day operations and represents the authority before courts and third parties. The Chief Executive implements the Board's resolutions and is accountable to them.

Data protection officers (DPOs)

The main duties of DPOs include:

• Assisting data controllers in exercising their rights and fulfilling their obligations under the PDPL.
• Acting as a liaison between the PDPA and data controllers regarding compliance with the PDPL.
• Notifying the PDPA of any violations or shortcomings by data controllers that have not been rectified.
• Verifying that data controllers' processing of personal data complies with the PDPL.
• Maintaining records of data controllers' data processing activities and updating the PDPA with a copy of these records once a month.
• Conducting their duties in an independent and impartial manner.

Data controllers may voluntarily appoint a DPO. However, the PDPA's Board of Directors may also issue a decision requiring specific categories of data controllers to appoint DPOs. In all instances, the data controller must notify the PDPA of such an appointment within three days of its occurrence.

The PDPA has issued guidelines regarding DPOs, including Resolution No. 46 of 2022 on Data Protection Guardians (known internationally as DPOs). This resolution states that controllers may appoint a qualified external or internal DPO, but it does not specify the circumstances in which appointing a DPO is mandatory. If a controller appoints a DPO, they must notify the PDPA within three working days. DPOs shall be listed on a register available on the PDPA's website, consisting of a list of external and internal DPOs.

Data subject rights

The Personal Data Protection Law (PDPL) is the main data protection regulation in Bahrain. It was enacted on July 12, 2018, and came into force on August 1, 2019. The PDPL provides individuals with rights relating to their personal data, which they can exercise.

Right to be Informed

Data subjects have the right to be informed about the collection and processing of their personal data. When collecting data directly from a data subject, the data controller must provide the following information:

• The data controller's full name, field of activity or profession, and address.
• The purposes for which the data is being collected.
• Any other information necessary to ensure fair processing, including:
• The names of data recipients or their categories.
• Whether replying to questions is mandatory and the possible consequences of not replying.
• The data subject's right to be notified of the complete data concerning them and to request its rectification.
• Whether the data will be used for direct marketing purposes.
• Any further information that enables the data subject to pursue their rights under the PDPL.

If data is collected from a source other than the data subject, the data controller must provide the above information within five days of commencing registration of the data.

Right of Access

Data subjects have the right to access their personal data and verify its accuracy. Data controllers are required to respond to access requests within 15 working days. The data controller must provide the following information:

• All data being processed.
• Any information known or available to the data controller about the source of the data, unless confidentiality is required by law.
• The purpose of the processing.
• The names of data recipients or their categories.
• When the data is the sole basis for a decision affecting the data subject's personal interests, the way in which the data will be used must be communicated clearly.

Right to Rectification

Data subjects have the right to request the rectification, blocking, or erasure of their personal data if its processing is in breach of the PDPL, particularly if the data is inaccurate, incomplete, outdated, or processed illegally. Data controllers must respond to rectification requests within 10 working days, free of charge. If the request is granted, the data controller must notify any third parties to whom the data has been disclosed within 15 days.

Right to Erasure

Data subjects have the right to request the erasure of their personal data if consent is withdrawn, there is no other legal ground for processing, or the data is no longer necessary for the original purpose. Requests must be responded to without undue delay and within one month of receipt.

Right to Restriction of Processing

The right to restriction of processing applies when a data subject contests the accuracy of the data, the processing is unlawful, or the data subject opposes erasure and requests restriction instead. The controller must inform data subjects before any restriction is lifted.

Right to Object/Opt-Out

Data subjects have the right to object to the processing of their personal data in certain cases, such as when it causes substantial damage or is likely to cause substantial damage to the data subject or others. They also have specific grounds for objecting to direct marketing and can withdraw their consent for data processing at any time. Data controllers must respond to objections within 10 working days.

Right to Data Portability

The PDPL does not explicitly mention the right to data portability.

Right Not to be Subject to Automated Decision-Making

Data subjects have the right not to be subject to automated decision-making, including profiling, that significantly affects them. This right does not apply when suitable measures have been taken to safeguard the data subject's legitimate interests, such as hearing their views.

Criminal penalties

The Personal Data Protection Law (PDPL) in Bahrain carries a range of criminal penalties and administrative fines for violating certain provisions. Criminal penalties include imprisonment of not more than one year and/or a fine between BHD 1,000 and BHD 20,000 for individuals who:

• Process sensitive personal data in violation of the PDPL
• Transfer personal data outside Bahrain to a country or region in violation of the PDPL
• Process personal data without notifying the Personal Data Protection Authority (the Authority)
• Fail to notify the Authority of any change made to the data of which they had previously notified the Authority
• Process certain personal data without prior authorisation from the Authority
• Submit false or misleading data to the Authority or the data subject
• Withhold data, information, records, or documents from the Authority that are necessary for the Authority to carry out its prescribed duties
• Cause obstruction or suspension of the work of the Authority's inspectors or any investigation carried out by the Authority
• Disclose any data or information which they are allowed to access due to their job, or use such data or information for their own benefit or for the benefit of others unreasonably and in violation of the PDPL

The PDPL also imposes criminal penalties of a fine ranging from BHD 3,000 to BHD 20,000 for violations of Paragraph 1 and 2 of Article 32 of the Law, which pertain to conflict of interest. In the event of a conviction, the court may order the confiscation of amounts resulting from the crime.

Additionally, individuals who unlawfully use the Authority's logo or an identical or similar sign or symbol may face imprisonment of up to one month and/or a fine of between BHD 100 and BHD 500.

The Law also stipulates criminal liability for legal persons, with penalties ranging from the lower to upper limits of double the amounts prescribed for fines if any of the crimes stipulated in Article 58 of the Law are committed under the name of a legal person, on its behalf, or for its benefit.

The PDPL grants the Authority the power to issue orders to stop violations, including emergency orders and fines. It also allows for civil compensation for individuals who have incurred damage arising from the processing of their personal data or from violations of the PDPL by a business's data protection officer.

Frequently asked questions