Bahrain's Personal Data
Protection Law ('PDPL')
© 2022 Tsaaro. All rights reserved.
Insights into the Legislation
INTRODUCTION

Overview

On July 12, 2018, Bahrain passed Law No. 30 of 2018 concerning Personal Data Protection ("PDPL"). The PDPL is Bahrain's primary data protection law and came into effect on August 1, 2019. It is the second national law in the Gulf region to specifically address the right to personal data protection and is modelled on the European Union's General Data Protection Regulation (GDPR). The law sets out requirements and procedures for entities that process the personal data of individuals.

This whitepaper analyses the legislation and evaluates it against other significant legal frameworks for data privacy and protection.

Target Audience

Data protection awareness programmes and training sessions are expected to become progressively more common in Bahraini firms, which must adopt data governance mechanisms and data protection policies to comply with the law. This whitepaper is therefore written for a wide range of audiences, including senior and mid-level IT management, privacy officers and compliance leaders, to help them understand the salient features of the legislation.

It will also help secondary audiences, including students and academics, understand the complexity of the legislation and its clauses.
Bird's Eye View

The major piece of legislation in Bahrain governing the processing of personal data is the Personal Data Protection Law (PDPL). Before the PDPL was passed, a number of other Bahraini laws already contained data privacy clauses; these clauses remain valid as long as they do not contradict the PDPL or the resolutions issued under it. The Ministry of Justice and Islamic Affairs is designated as the Data Protection Authority responsible for ensuring compliance with the Law. The Authority has recently issued enforcement decisions and guidelines that give effect to the Law's provisions. These, along with the other features of the PDPL, are discussed in detail in this whitepaper.

Problem Statement

The PDPL is largely consistent with the EU GDPR's definitions of personal data and sensitive personal data; however, the term "data protection guardian" is new nomenclature for privacy regimes. The PDPL also introduces sector-specific categories for the processing of data, each with its own strict compliance requirements.

A range of administrative and criminal penalties can be imposed for non-compliance with the PDPL. Entities processing personal data therefore need to focus on complying with its provisions.
STRUCTURE

01 Scope & Application
02 Key Features of the Act
03 Grounds of Processing
04 Data Subject Rights
05 Cross Border Data Transfers
06 Authorisation & Breach Notifications
07 Enforcement and Liability
08 Comparison with the EU GDPR
09 Conclusion
SCOPE AND APPLICATION

The provisions of the Law apply to any natural or legal person who habitually resides in, or has a place of business in, the Kingdom of Bahrain, and to any person outside the Kingdom who processes personal data by means available in the Kingdom. It does not, however, apply to processing that consists only of the transit of data through the territory of Bahrain.

Territorial Scope

The Law safeguards the personal data of citizens and legal residents of the Kingdom of Bahrain. It applies to any person or controller who processes personal data in Bahrain, regardless of their place of residence.

Material Scope

The Law applies to any processing of personal data that is wholly or partly automated, and to non-automated processing of personal data that is structured in a manner in which the personal data of individuals is readily accessible.

Exemptions

The PDPL does not apply in the following circumstances:
- where the processing is carried out by an individual for the sole purpose of "the individual's personal or family affairs";
- where the processing operations are undertaken for public security purposes.
KEY FEATURES OF THE ACT

Data Quality Control

The PDPL imposes the following responsibilities to ensure data quality control:
- Processing must be legitimate and fair.
- Personal data must be collected for a clear, specific and legitimate purpose.
- The data collected must be adequate and relevant for the intended purpose, and not excessive.
- The data protection regulator must be notified of the processing and, in some cases, its prior approval must be obtained.
- The data protection supervisor (guardian) must be impartial and independent.
- Data must not be transferred outside Bahrain except in restricted circumstances.

Consent

Under the PDPL, consent obtained from the data subject must be freely given, written, explicit, clear and specific to the processing operations undertaken by the entity.

Further, the PDPL makes clear that personal data cannot be processed unless the consent of the data subject is obtained before processing, except where the processing falls within one of the other grounds for processing provided in Article 4 of the Law.
Sensitive Personal Data

The PDPL defines "sensitive personal data" as any personal data that contains a reference to a person's ethnic or tribal origins, religious or political beliefs, philosophical opinions, involvement in civic organisations or institutions, health, or sexual status.

Data Protection Guardians

The PDPL provides for data protection guardians, who are responsible for assisting the data controller in exercising its rights and performing its obligations under the Law. Data protection guardians are akin to data protection officers (DPOs) under other legislation, but the PDPL has adopted a different name for them. They liaise between the Authority and the data controller on the implementation of specific provisions relating to the processing of personal data, and ensure that processing is lawful.

Where the data protection guardian identifies a violation, they must bring it to the data controller's attention so that the causes of the violation can be eliminated.
GROUNDS FOR PROCESSING

Consent
Consent must be freely given, written, explicit, clear and specific to the processing of certain data, and granted by a person with full legal capacity.

Contract
Where processing is necessary for the execution of a contract to which the data subject is a party, or is carried out at the request of the data subject in order to conclude a contract.

Legal Obligation
Where processing is necessary for the enforcement of a legal obligation or of an order issued by a competent court or the Public Prosecution.

Vital Interests
Where processing is necessary to protect the vital interests of the data subject.

Legitimate Interests
Where processing is necessary for the legitimate interests of the data controller or of any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
DATA SUBJECT RIGHTS

On data subject rights, the PDPL sets out what data controllers must do during processing operations, in particular where they carry out automated processing: establish clear rules and processes that allow the data subject to refuse such processing, clarify the purpose of the processing and how decisions are made, and inform the data subject of the consequences of those decisions.

The rights vested in data subjects under the PDPL are:

01 Right to be notified upon processing of personal data
02 Right to object to direct marketing
03 Right to object to processing for direct marketing purposes
04 Right to object to processing causing material or moral damage to the data subject or others
05 Right to object to decisions based on automated processing
06 Right to lodge complaints
07 Right to request rectification, blocking and erasure of data
Article 18: Right to be notified upon processing of personal data

The PDPL requires that data subjects be notified by the data controller upon processing of their personal data. This must be free of charge.

The notification must include information on:
- all the data being processed;
- any information available to the data controller as to the source of the data, except where the confidentiality of the source is required by law;
- the purpose of the processing;
- the names of the recipients of the data, or their categories.

Timeline to respond: the notification must be issued within 15 days.

Article 19: Right to object to direct marketing

The data controller must inform data subjects where any of their personal data may be processed for direct marketing purposes. Data subjects have the right to object to such processing.

Article 20: Right to object to processing for direct marketing purposes

The data controller must stop processing for direct marketing purposes within 10 working days of receiving such a request.

Remedy for non-compliance by the data controller: if the data controller does not act on the data subject's request within the prescribed period, the data subject may file a complaint with the Authority.

Timeline to respond: the request must be honoured within 10 working days.

Article 21: Right to object to processing which causes material or moral damage to the data subject

The data controller must stop processing where the processing causes unwarranted damage, whether material or moral, to the data subject or others.

Timeline to respond: the request must be honoured within 10 days.

Article 22: Right to object to decisions based on automated processing

Data subjects have the right not to be subject to a decision based solely on automated processing. Such decisions may include assessments of the data subject's performance at work, financial standing, creditworthiness, reliability, conduct, and so on.

Article 23: Right to request rectification, blocking and erasure of data

A data subject has the right to request the rectification, blocking or erasure of their personal data where the processing of that data breaches the Law.

Timeline to respond: the request must be honoured within 10 days.

Article 25: Right to lodge complaints

Anyone with a legitimate interest or capacity may file a written complaint with the Authority if:
- any provision of the PDPL is violated; or
- personal data is processed in a manner inconsistent with the terms of the Law.
CROSS BORDER DATA TRANSFERS

The Law prohibits data controllers from transferring personal data outside the Kingdom of Bahrain unless the destination country is included in the Adequacy List compiled and updated by the Personal Data Protection Authority (PDPA).

Transfers to any country not on the Adequacy List require authorisation from the PDPA, which is granted on a case-by-case basis.

Where transfers are made under a contract to third parties in a country not on the Adequacy List, the Law requires controllers to obtain authorisation from the PDPA and to provide it with a copy of the agreement.

Exemptions: Data controllers may also transfer personal data to countries not determined to have an adequate level of protection where:
- the consent of the data subject has been obtained;
- the data is publicly available;
- the transfer is necessary for the performance or conclusion of a contract;
- the transfer is necessary to protect the vital interests of the data subject or to comply with a legal obligation.

Additionally, the Law sets out technical and organisational measures, including a privacy-by-design programme, establishing privacy frameworks, conducting Vulnerability Assessment and Penetration Testing (VAPT), developing effective plans to address breaches, and determining the competence of employees.
AUTHORISATION & BREACH NOTIFICATION

Article 15: Prior Authorisation

The PDPL prohibits certain processing operations unless the Authority's prior written authorisation has been obtained. These operations include the automated processing of:
- sensitive personal data;
- linked personal data files of two or more data controllers (kept for different purposes);
- visual recordings used for surveillance purposes.

Notification of Data Breach

For a long time the PDPL contained no provision requiring the Authority to be notified of a data breach. However, the Minister of Justice, Islamic Affairs and Waqf recently issued a Ministerial Resolution on data breach notification.

Under Ministerial Resolution No. 44 of 2022, data controllers must inform the Authority of a data breach within 72 hours of discovering the incident. Further, where the breach affects the rights of data subjects, data controllers are also obliged to notify the affected data subjects.
ENFORCEMENT & LIABILITY

Civil Liability

Anyone who suffers damage as a result of the processing of their data in breach of the provisions of the Law may seek compensation from the data controller or the data protection guardian.

Where the conditions of an authorisation are violated, the Authority may order the violating party to stop the conduct, immediately or within a specified period; on failure to comply, the Authority may withdraw the authorisation granted.

Criminal Liability

The Law provides that imprisonment not exceeding one year and/or a fine of not less than BD 1,000 and not more than BD 20,000 may be imposed on anyone who:
- processes sensitive personal data without obtaining consent;
- unlawfully transfers data outside the Kingdom of Bahrain;
- processes data without notifying the Authority;
- processes data without obtaining the Authority's prior authorisation;
- provides the Authority or data subjects with false information;
- withholds from the Authority information or data that it requires;
- obstructs the Authority's inspections or investigations;
- discloses information obtained in the course of their work for their own benefit.

Where the offence is committed in the name of a legal person, the fine may be increased up to twice the fine prescribed for a natural person.
Comparison: GDPR vs PDPL

1. Scope / Applicability

EU GDPR: The GDPR applies to organisations that have a presence in the EU, or that process the data of EU residents, irrespective of the company's location.

PDPL: The PDPL applies to any entity processing the personal data of data subjects in the Kingdom of Bahrain, including entities outside the Kingdom that process the personal data of individuals residing in the Kingdom. This covers all controllers and processors.

2. Data Subject Rights

EU GDPR: right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object.

PDPL: right to access; right to object; right to be notified upon processing of personal data; right to request rectification, blocking and erasure of data; right to lodge complaints.

3. Legal Basis of Processing Data

EU GDPR: consent; contract; legal obligation; vital interests; public task; legitimate interests.

PDPL: consent; contract; legal obligation; vital interests; legitimate interests.

4. Penalties

EU GDPR: Fines and penalties are imposed under Article 83 and are flexible, scaling with the size of the firm. Administrative fines can reach EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

PDPL: Fines and penalties are imposed under Article 55. Infringers of the PDPL may be fined up to BD 2,000 (approximately USD 5,300) by the competent authority. If any of the offences specified in Article 58 of the Law are committed in the name of a legal person, action is taken by the competent authority against that legal person.
CONCLUSION

The PDPL is intended to increase Bahrain's attractiveness to international companies by establishing a clear framework for handling personal data. The legislation is heavily influenced by the country's ambition to become a data centre hub, with technology giants now proposing to operate data centres there and expanding rapidly into the telecoms sector.

Companies operating in Bahrain should:
- evaluate in advance whether their business operations fall within the scope of the legislation;
- identify the types of personal data being collected, from whom, and for what purposes it is processed.

With this law in place, organisations need systems that allow them to meet their obligations while also respecting the new rights granted to data subjects.
AUTHORS

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow of Information Privacy with the IAPP, the highest certification in the field of privacy. His expertise lies in data privacy and information security compliance.

Krithi Shetty, Data Protection Consultant, Tsaaro
Anushka Siwach, Data Protection Consultant, Tsaaro
Poojan Bulani, Data Protection Consultant, Tsaaro

WHY TSAARO?

Tsaaro provides privacy and cybersecurity services to help organisations meet regulatory requirements while maintaining a robust security infrastructure. Our privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, delivered by privacy professionals recognised by the IAPP.

CONTACT US

You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro at info@tsaaro.com.

Offices: Amsterdam (Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, 1119 PW, Netherlands); Bangalore (Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore 560045, India); Gurugram (Level 1, Building 10A, Cyber Hub, DLF Cyber City, Gurugram, Haryana 122002, India).

young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
 
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxAn Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 

Bahrain-Personal-Data-Protection-Law.pdf

  • 4. STRUCTURE
    01 Scope & Application
    02 Key Features of the Act
    03 Grounds of Processing
    04 Data Subject Rights
    05 Cross Border Data Transfers
    06 Authorisation & Breach Notifications
    07 Enforcement and Liability
    08 Comparison with the EU GDPR
    09 Conclusion
  • 5. SCOPE AND APPLICATION

    Territorial Scope
    The Law safeguards the personal data of citizens and legal residents of the Kingdom of Bahrain. It applies to any person/controller who processes personal data in Bahrain, regardless of their place of residence. The provisions of the Law apply to any natural person who habitually resides in, or has a place of business in, or processes information by means available in the Kingdom of Bahrain. However, it does not apply to processing activities involving the transit of data over the territory of Bahrain.

    Material Scope
    The Law applies to any processing of data that is partially or fully automated, and to non-automated processing of data structured in a manner wherein the personal data of individuals is readily accessible.

    Exemptions
    The PDPL will not be applicable under the following circumstances:
    - where the data processing activity is carried out by an individual for the sole purpose of 'the individual's personal or family affairs';
    - where processing operations are undertaken for public security.
  • 6. KEY FEATURES OF THE ACT

    Data Quality Control
    The PDPL entails the following responsibilities to ensure Data Quality Control:
    - Legitimate and fair processing of data must be a priority.
    - Personal information must be collected with a clear, specific and legitimate purpose.
    - The data collected must meet the intended purpose; it should be adequate, relevant and not excessive.
    - Notifying the data protection regulator and, in some cases, obtaining prior approval.
    - Ensuring that the data protection supervisor is impartial and independent.
    - Data should not be transferred outside Bahrain except under restricted circumstances.

    Consent
    Under the PDPL, the consent obtained from the data subject must be freely given, written, explicit, clear, and specific to the processing operations undertaken by the entity. Further, the PDPL makes it clear that personal data cannot be processed unless the consent of the data subject is obtained before processing such data, except where the processing falls within one of the five grounds for processing provided in Article 4 of the Law.
  • 7. Sensitive Personal Data
    The PDPL defines "sensitive personal data" as any personal data that contains a reference to the ethnic or tribal origins of a person, a person's religious or political beliefs, philosophical opinions, information indicating a person's involvement in civic organisations or institutions, health data, or sexual status.

    Data Protection Guardians
    The PDPL provides for data protection guardians, who are responsible for assisting the data controller in exercising his rights and performing his obligations under the provisions of this Law. Data protection guardians are akin to data protection officers (DPOs) under other legislations, but the PDPL has adopted a different nomenclature for them. They liaise between the Authority and the data controller on the implementation of specific provisions related to the processing of personal data and ensure lawful processing. If the data protection guardian identifies any violation, he must bring it to the data controller's attention so that the causes of the violation can be eliminated.
  • 8. GROUNDS FOR PROCESSING

    Consent
    Consent obtained from an individual has to be freely given, written, explicit, clear, and specific to the processing of certain data, granted by a person with full legal capacity.

    Contract
    Where it is necessary for the execution of a contract to which the data subject is a party, or processing occurs at the request of the data subject in order to conclude a contract.

    Legal Obligation
    Where it is necessary for the enforcement of a legal obligation or an order issued by a competent court or the Public Prosecution.

    Vital Interests
    Where it is necessary to protect the vital interests of the data subject.

    Legitimate Interests
    Where it is necessary for the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
  • 9. DATA SUBJECT RIGHTS
    On the rights of data subjects, the PDPL states everything that data controllers must do during data processing operations where they carry out automated processing, such as establishing clear rules outlining processes that allow the data subject to deny such processing, clarifying the purpose of the processing as well as how decisions are made, and informing the data subject of the decision's consequences.

    01 Right to be Notified upon Processing of Personal Data
    02 Right to Object to Direct Marketing
    03 Right to Object to Processing for Direct Marketing Purposes
    04 Right to Object to Processing causing Material/Moral Damage to the Data Subject or Others
    05 Right to Object to Automated Processing Based Decisions
    06 Right to Lodge Complaints
    07 Right to Request Rectification, Blocking and Erasure of Data
  • 10. Article 18: Right to be notified upon processing of personal data
    The PDPL requires that data subjects must be notified upon processing of their personal data by the data controller. This should be free of charge. Further, the notification should entail information on:
    - all the data being processed;
    - any information available to the data controller as to the source of the data, except where the confidentiality of the source is required by law;
    - the purpose of the processing;
    - the names of the recipients of the data or their categories.
    Timeline to respond: notification to be issued within 15 days.

    Article 19: Right to object to direct marketing
    The data subjects must be informed by the data controller where any personal data may be processed by them for purposes of direct marketing. The data subjects have the right to submit objections concerning such processing.

    Article 20: Right to object to processing for direct marketing purposes
    The data controller must stop processing for purposes of direct marketing within 10 working days of receiving such a request. Remedies for non-compliance by the data controller: if the data controller does not accept the data subject's request within the prescribed period, the data subject may file a complaint with the Authority.
    Timeline to respond: request must be honoured within 10 days.
  • 11. Article 21: Right to object to processing which causes material or moral damage to the data subject
    The data controller must stop processing data where the processing causes unwarranted damage, whether material or moral, to the data subject or others.
    Timeline to respond: request must be honoured within 10 days.

    Article 22: Right to object to automated processing based decisions
    Data subjects have the right not to be subject to a decision based solely on automated processing. Such decisions may include assessments of their performance at work, financial standing, creditworthiness, reliability, conduct, etc.

    Article 23: Right to request rectification, blocking and erasure of data
    A data subject has the right to request the rectification, blocking and erasure of their personal data where such processing breaches the law.
    Timeline to respond: request must be honoured within 10 days.

    Article 25: Right to lodge complaints
    Anyone with a legitimate interest or ability is empowered to file a written complaint with the Authority if:
    - any provision of the PDPL is violated;
    - personal data is processed in a manner inconsistent with the terms of this Law.
  • 12. CROSS BORDER DATA TRANSFERS
    The Law prohibits data controllers from transferring personal data outside the Kingdom of Bahrain unless the destination country is listed in the Adequacy List, which is compiled and updated by the Personal Data Protection Authority (PDPA). Data transfer to any country not mentioned in the Adequacy List requires authorisation from the PDPA, which is determined on a case-by-case basis. Where transfers are made to third parties in a country not on the Adequacy List but under a contract, the law requires controllers to obtain authorisation from the PDPA and to provide a copy of the agreement.

    Exemptions: Data controllers can also transfer personal data to countries that are not determined to have an adequate level of protection of personal data where:
    - the consent of the data subject has been obtained;
    - the data is publicly available;
    - it is necessary for the performance/conclusion of a contract;
    - it is necessary to protect the vital interests of the data subject;
    - it is necessary to comply with legal obligations.

    Additionally, the law sets out technical and organisational measures, which include a privacy by design program, establishing privacy frameworks, conducting a Vulnerability Assessment and Penetration Testing (VAPT), developing effective plans to address breaches, and determining the competence of employees.
  • 13. BREACH NOTIFICATION

    Article 15: Prior Authorisation
    The PDPL prohibits a few processing operations unless the Authority's prior written authorisation has been obtained. These operations include the automated processing of:
    - sensitive personal data;
    - linkage between personal data files of two or more data controllers (for different purposes);
    - means of visual recording used for surveillance purposes.

    Notification of Data Breach
    For the longest time, the PDPL did not have a provision on the data protection officer's responsibility to notify the Authority regarding any data breach. However, the Minister of Justice, Islamic Affairs and Waqf recently released a Ministerial Resolution on data breach notification. As per Ministerial Resolution No. 44 of 2022, data controllers shall, in the event of a data breach, inform the Authority within a period of 72 hours from the date of discovery of the data breach incident. Further, if the data breach affects the rights of data subjects, the data controllers are under an obligation to notify them of such a breach.
  • 14. ENFORCEMENT & LIABILITY

    Civil Liability
    Anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if such processing breaches the provisions of the Law. In case of any violation of an authorisation, the Authority may order the party committing the violation to stop their conduct immediately or within a specified period; on failure to comply, the Authority may withdraw the authorisation granted.

    Criminal Liability
    The Law provides that a sentence of imprisonment not exceeding one year and/or a fine of not less than BD 1,000 and not more than BD 20,000 may be imposed on anyone who:
    - processes sensitive personal data without obtaining consent;
    - unlawfully transfers data outside the Kingdom of Bahrain;
    - processes data without notifying the Authority;
    - processes data without obtaining the prior authorisation of the Authority;
    - provides the Authority or data subjects with false information;
    - prevents the Authority from obtaining any information or data that is required;
    - disrupts the work of the Authority's inspections or investigations;
    - discloses information in their possession for their own benefit.
    If the liability falls on a corporate legal person, the fine may be increased up to twice the fine prescribed for a natural person.
  • 15. Comparison: GDPR vs PDPL

    1. Scope / Applicability
    EU GDPR: The GDPR applies to organisations that have a presence in the EU, or where the data of EU residents is processed, irrespective of the company's location.
    PDPL: The PDPL applies to any entity processing the personal data of data subjects in the Kingdom of Bahrain, including processing by entities outside the Kingdom of the personal data of individuals residing in the Kingdom. This includes all controllers and processors.

    2. Data Subject Rights
    EU GDPR: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
    PDPL: right to access, right to object, right to be notified upon processing of personal data, right to request rectification, blocking and erasure of data, right to lodge complaints.

    3. Legal Basis of Processing Data
    EU GDPR: consent, contract, legal obligation, vital interests, public task, legitimate interests.
    PDPL: consent, contract, legal obligation, vital interests, legitimate interests.

    4. Penalties
    EU GDPR: The penalty under the GDPR is defined, and the fines and penalties imposed under Article 83 are flexible and scale with the firm. Administrative fines are determined up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
    PDPL: The penalty under the PDPL is defined, and fines and penalties are imposed under Article 55. Infringers of the PDPL may be fined up to BD 2000/- (approximately 5300 USD) by the Competent Authority. If any of the offences specified in Article (58) of this Law are committed in the name of a legal person, actions are taken by such competent authority.
  • 16. CONCLUSION
    The PDPL intends to increase Bahrain's attractiveness to international companies by establishing a clear framework for handling personal data. This legislation is heavily influenced by the country's intention to become a data centre hub, with tech giants now proposing to operate data centres there and rapidly expanding into the telecoms sector.

    Companies operating in Bahrain should:
    - evaluate in advance whether their business operations fall under the scope of the legislation;
    - discover the type of personal data being collected, from whom, and for what purposes it is being processed.

    With this law in place, systems are required to guarantee that organisations can meet their commitments while also respecting the new rights granted to data subjects.

    References
    http://www.pdp.gov.bh/en/assets/pdf/regulations.pdf
    http://www.pdp.gov.bh/en/assets/pdf/executivedecisions/eng/the_be_met_in_the_technical.pdf
  • 17. WHY TSAARO?
    Tsaaro provides privacy and cybersecurity services to help organisations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognised by IAPP.

    Akarsh Singh (CEO & Co-Founder, Tsaaro)
    Akarsh is a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.

    Krithi Shetty, Data Protection Consultant, Tsaaro
    Anushka Siwach, Data Protection Consultant, Tsaaro
    Poojan Bulani, Data Protection Consultant, Tsaaro

    CONTACT US
    You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
    EMAIL US: info@tsaaro.com

    Tsaaro Amsterdam Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719
    Tsaaro Bangalore Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore 560045, India. P: +91-0522–3581
    Tsaaro Gurugram Office: Level 1, Building 10A, Cyber Hub, DLF Cyber City, Gurugram, Haryana 122002, India. P: +91522–3581306