INTRODUCTION

Overview
On July 12, 2018, Bahrain passed Law No. 30 of 2018 concerning Personal Data Protection ("PDPL"). The PDPL is Bahrain's primary data protection law and came into effect on August 1, 2019. The PDPL, which is the second national law in the Gulf area to specifically address the right to personal data protection, is modelled after the European Union's General Data Protection Regulation (GDPR). The law sets out requirements and procedures for entities involved in the processing of the personal data of individuals.

Target Audience
This whitepaper analyses the legislation and evaluates it against other significant legal frameworks for data privacy and protection. Data protection awareness programmes and training sessions are expected to become progressively prevalent in Bahraini firms, which must adopt data governance mechanisms and data protection policies to ensure compliance with the law. The whitepaper is therefore written for a wide range of audiences, including senior and mid-level IT management, privacy officers and compliance leaders, to assist them in understanding the salient features of this legislation. It will also help secondary audiences, including students and academics, in understanding the complexity of the legislation and its clauses.
Bird's Eye View
The major piece of legislation in Bahrain governing the processing of personal data is the Personal Data Protection Law (PDPL). Before the PDPL was passed, various laws in Bahrain already included a number of data privacy clauses. These clauses remain valid as long as they do not contradict the Law or the resolutions issued in compliance with it. The Ministry of Justice and Islamic Affairs is designated as the Data Protection Authority to ensure compliance with the Law. Recently, the Authority issued enforcement decisions with guidelines to further the Law's provisions. This, along with the other features of the PDPL, is discussed in detail in this whitepaper.

Problem Statement
The PDPL is largely consistent with the EU GDPR's definitions of personal data and sensitive personal data; however, the term 'data protection guardian' is new nomenclature for privacy regimes. Further, the PDPL introduces sector-specific categories for the processing of data, and the compliance requirements for each will be strict. A range of administrative and criminal fines will be imposed for non-compliance with the PDPL. Entities processing personal data would therefore have to focus on complying with the provisions of the PDPL.
STRUCTURE
01 Scope & Application
02 Key Features of the Act
03 Grounds of Processing
04 Data Subject Rights
05 Cross Border Data Transfers
06 Authorisation & Breach Notifications
07 Enforcement and Liability
08 Comparison with the EU GDPR
09 Conclusion
SCOPE AND APPLICATION
The provisions of the Law apply to any natural person who habitually resides in, or has a place of business in, or processes information by means available in the Kingdom of Bahrain. However, it does not apply to processing activities involving the transit of data over the territory of Bahrain.

Territorial Scope
The Law safeguards the personal data of citizens and legal residents of the Kingdom of Bahrain. It applies to any person/controller who processes personal data in Bahrain, regardless of their place of residence.

Material Scope
The Law applies to any processing of personal data that is partially or fully automated, and to non-automated processing of data structured in a manner in which the personal data of individuals is readily accessible.

Exemptions
The PDPL will not be applicable under the following circumstances-
- where the data processing activity is carried out by an individual for the sole purpose of 'the individual's personal or family affairs';
- where processing operations are undertaken for public security.
KEY FEATURES OF THE ACT

Data Quality Control
The PDPL entails the following responsibilities to ensure data quality control-
- Legitimate and fair processing of data must be a priority.
- Personal information must be collected for a clear, specific and legitimate purpose.
- The data collected must meet the intended purpose; it should be adequate, relevant and not excessive.
- Notifying the data protection regulator and, in some cases, obtaining prior approval.
- Ensuring that the data protection supervisor is impartial and independent.
- Data should not be transferred outside Bahrain except under restricted circumstances.

Consent
Under the PDPL, the consent obtained from the data subject must be freely given, written, explicit, clear, and specific to the processing operations undertaken by the entity.
Further, the PDPL makes it clear that personal data cannot be processed unless the consent of the data subject is obtained before processing such data, except where the processing falls within one of the five grounds for processing provided in Article 4 of the Law.
Sensitive Personal Data
The PDPL defines "sensitive personal data" as any personal data that contains a reference to a person's ethnic or tribal origins, religious or political beliefs, philosophical opinions, information indicating a person's involvement in civic organisations or institutions, health data, or sexual status.

Data Protection Guardians
The PDPL provides for data protection guardians, who are responsible for assisting the data controller in exercising his rights and performing his obligations under the provisions of this Law. Data protection guardians are akin to data protection officers (DPOs) under other legislation, but the PDPL has adopted a different nomenclature for them. They liaise between the Authority and the data controller on the implementation of specific provisions related to the processing of personal data and ensure lawful processing.
Where the data protection guardian identifies any violation, he must bring it to the data controller's attention so that the causes of the violation are eliminated.
GROUNDS FOR PROCESSING

Consent
Consent obtained from an individual has to be freely given, written, explicit, clear, and specific to the processing of certain data, and granted by a person with full legal capacity.

Contract
Where it is necessary for the execution of a contract to which the data subject is a party, or processing occurs at the request of the data subject in order to conclude a contract.

Legal Obligation
Where it is necessary for the enforcement of a legal obligation or an order issued by a competent court or the Public Prosecution.

Vital Interests
Where it is necessary to protect the vital interests of the data subject.

Legitimate Interests
Where it is necessary for the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
DATA SUBJECT RIGHTS
On the rights of data subjects, the PDPL sets out everything that data controllers must do during data processing operations where they carry out automated processing, such as establishing clear rules outlining processes that allow the data subject to deny such processing, clarifying the purpose of the processing as well as how decisions are made, and informing the data subject of the decision's consequences.

01 Right to be Notified Upon Processing of Personal Data
02 Right to Object to Direct Marketing
03 Right to Object to Processing for Direct Marketing Purposes
04 Right to Object to Processing Causing Material/Moral Damage to the Data Subject or Others
05 Right to Object to Automated Processing Based Decisions
06 Right to Lodge Complaints
07 Right to Request Rectification, Blocking and Erasure of Data
Article 18: Right to be notified upon processing of personal data
The PDPL requires that data subjects be notified upon processing of their personal data by the data controller. This should be free of charge.
Further, the notification should entail information on-
- all the data being processed;
- any information available to the data controller as to the source of the data, except where the confidentiality of the source is required by law;
- the purpose of the processing;
- the names of the recipients of the data or their categories.
Timeline to respond- Notification to be issued within 15 days.

Article 19: Right to object to direct marketing
Data subjects must be informed by the data controller where any personal data may be processed by them for purposes of direct marketing. Data subjects have the right to submit objections concerning such processing.

Article 20: Right to object to processing for direct marketing purposes
The data controller must stop processing for purposes of direct marketing within 10 working days of receiving such a request.
Remedies for non-compliance by the data controller: If the data controller does not accept the data subject's request within the prescribed period, the data subject may file a complaint with the Authority.
Timeline to respond- Request must be honoured within 10 days.
Article 21: Right to object to processing which causes material or moral damage to the data subject
The data controller must stop processing data where the processing causes unwarranted damage, whether material or moral, to the data subject or others.
Timeline to respond- Request must be honoured within 10 days.

Article 22: Right to object to automated processing based decisions
Data subjects have the right not to be subject to a decision based solely on automated processing. Such decisions may include assessments of the data subject's performance at work, financial standing, creditworthiness, reliability, conduct, etc.

Article 23: Right to request rectification, blocking and erasure of data
A data subject has the right to request the rectification, blocking and erasure of their personal data where the processing breaches the Law.
Timeline to respond- Request must be honoured within 10 days.

Article 25: Right to lodge complaints
Anyone with a legitimate interest or ability is empowered to file a written complaint with the Authority if-
- any provision of the PDPL is violated;
- personal data is processed in a manner inconsistent with the terms of this Law.
CROSS BORDER DATA TRANSFERS
The Law prohibits data controllers from transferring personal data outside the Kingdom of Bahrain unless the destination country is listed in the Adequacy List, which is compiled and updated by the Personal Data Protection Authority (PDPA).
Data transfer to any country not mentioned in the Adequacy List requires authorisation from the PDPA, which is determined on a case-by-case basis.
Where transfers are made to third parties in a country not on the Adequacy List but under a contract, the Law requires controllers to obtain authorisation from the PDPA and to provide a copy of the agreement.
Additionally, the Law sets out technical and organisational measures, which include a privacy by design programme, establishing privacy frameworks, conducting Vulnerability Assessment and Penetration Testing (VAPT), developing effective plans to address breaches, and determining the competence of employees.

Exemptions: Data controllers can also transfer personal data to countries that are not determined to have an adequate level of protection of personal data where-
- the consent of the data subject has been obtained;
- the data is publicly available;
- the transfer is necessary for the performance/conclusion of a contract;
- the transfer is necessary to protect the vital interests of the data subject or to comply with legal obligations.
BREACH NOTIFICATION

Article 15: Prior Authorisation
The PDPL prohibits a few processing operations without the Authority's prior written authorisation. These operations include automated processing of-
- sensitive personal data;
- linkage between personal data files of two or more data controllers (for different purposes);
- means of visual recording used for surveillance purposes.

Notification of Data Breach
For a long time, the PDPL did not have a provision on the data protection officer's responsibility to notify the Authority of a data breach. However, the Minister of Justice, Islamic Affairs and Waqf recently released a Ministerial Resolution on data breach notification.
As per Ministerial Resolution No. 44 of 2022, data controllers shall, in the event of a data breach, inform the Authority within 72 hours from the date of discovery of the data breach incident. Further, if the data breach affects the rights of data subjects, the data controllers are under an obligation to notify them of the breach.
ENFORCEMENT & LIABILITY

Civil Liability
Anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if such processing breaches the provisions of the Law.
In case of any violation of an authorisation, the Authority may order the party committing the violation to stop their conduct immediately or within a specified period; on failure to comply, the Authority may withdraw the authorisation granted.

Criminal Liability
The Law provides that a sentence of imprisonment not exceeding one year and/or a fine of not less than BD 1,000 and not more than BD 20,000 may be imposed on anyone who-
- processes sensitive personal data without obtaining consent;
- unlawfully transfers data outside the Kingdom of Bahrain;
- processes data without notifying the Authority;
- processes data without obtaining the prior authorisation of the Authority;
- provides the Authority or data subjects with false information;
- withholds from the Authority any information or data that is required;
- disrupts the work of the Authority's inspections or investigations;
- discloses information entrusted to them for their own benefit.
If the liability is on a corporate legal person, the fine may be increased up to twice the fine prescribed for a natural person.
Comparison: GDPR vs PDPL

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have a presence in the EU, or where the data of EU residents is processed, irrespective of the company's location.
PDPL: The PDPL applies to any entity processing the personal data of data subjects in the Kingdom of Bahrain, including processing by entities outside the Kingdom of personal data of individuals residing in the Kingdom. This includes all controllers and processors.

2. Data Subject Rights
EU GDPR: The rights vested in data subjects under the EU GDPR are the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability and right to object.
PDPL: The rights vested in data subjects under the PDPL are the right to access, right to object, right to be notified upon processing of personal data, right to request rectification, blocking and erasure of data, and right to lodge complaints.

3. Legal basis of processing data
EU GDPR: The legal bases for processing personal data under the EU GDPR are consent, contract, legal obligation, vital interests, public task and legitimate interests.
PDPL: The legal bases for processing personal data under the PDPL are consent, contract, legal obligation, vital interests and legitimate interests.

4. Penalties
EU GDPR: The penalty under the GDPR is defined, and the fines and penalties imposed under Article 83 are flexible and scale with the firm. Administrative fines are determined up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
PDPL: The penalty under the PDPL is defined, and fines and penalties are imposed under Article 55. Infringers of the PDPL may be fined up to BD 2000/- (approximately 5300 USD) by the Competent Authority. If any of the offences specified in Article (58) of this Law are committed in the name of a legal person, action is taken by the competent authority.
CONCLUSION
The PDPL intends to increase Bahrain's attractiveness to international companies by establishing a clear framework for handling personal data. This legislation is heavily influenced by the country's intention to become a data centre hub, with tech giants now proposing to operate data centres there and rapidly expanding into the telecoms sector.
Companies operating in Bahrain should-
- evaluate in advance whether their business operations fall under the scope of the legislation;
- identify the type of personal data being collected, from whom, and for what purposes it is being processed.
With this law in place, systems are required to guarantee that organisations can meet their commitments while also respecting the new rights granted to data subjects.
Akarsh Singh
(CEO & Co-Founder, Tsaaro)
Akarsh is a fellow in Information Privacy
by IAPP, the highest certification in the
field of privacy. His expertise lies in Data
Privacy and Information Security
Compliance.
Krithi Shetty
Data Protection Consultant, Tsaaro
Anushka Siwach
Data Protection Consultant, Tsaaro
Poojan Bulani
Data Protection Consultant, Tsaaro