Bahrain’s PDPL vs. GDPR

Article: 2

PDPL applies to the processing of data by total or partial automatic means, and the processing by non-automatic means of data that form part of a filing system or are intended to form part of a filing system.

Also, PDPL applies to the following persons:

• Every natural person who is habitually resident in Bahrain or maintains a place of business in Bahrain;
• Every legal person with a place of business in Bahrain;
• Every natural or legal person not habitually resident nor maintains a place of business in Bahrain, but processes data by using means situated in Bahrain, unless such means are used only for purposes of transit of data over Bahrain’s territory.

With respect to the last point, businesses must appoint a local representative in Bahrain to carry out their obligations and notify the Authority of that appointment. This provision indicates that PDPL has extraterritorial application scope just like GDPR.

Articles: 18

Under this right, the data controller is required to provide the following information to the data subject when requested.

• All the data being processed;
• Any information known or available to the data controller as to the source of the data, except where the confidentiality of the source is required by PDPL;
• The purpose of the processing;
• The names of the recipients of the data, or their categories; and
• When such data is the sole basis for undertaking a decision that would directly affect the data subject’s personal interests, the way in which the data will be used shall be communicated in a manner that is clear to the average person, without prejudice to intellectual property rights or legitimate trade secrets.

The data controller must comply with this right within a period not exceeding 15 working days of request. A data controller, within a period not exceeding 10 days from receipt of the request made may notify the applicant to complete any deficiency in his/her request.

The data controller can reject a request if the data subject misuses his/her right in obtaining information. In this case, the data controller needs to notify the applicant, within a period not exceeding fifteen working days of receipt of the request, of its reasoned decision to either accept or reject the request, depending on the circumstances.

Articles: 19, 20, 21

The data subjects have the right to object to the processing of their personal data under the following two cases:

• If the processing of that data for the specific purpose or in a manner that is causing unwarranted substantial damage, being material or moral, to the data subjects or others;
• Where there are reasonable grounds according to which, processing for the specific purpose or in a manner that is likely to cause unwarranted substantial damage, being material or moral, to the data subjects or others.

PDPL grants the data subjects the right to object to direct marketing which is aimed at a particular person using their personal data, such as behavioral targeting, and ads sent via text messaging (SMS) or email.

Under PDPL, data controllers should cease the processing upon receiving a request from the data subject to do so.

The data controller is required to notify the data subject, within ten working days of receipt of request with any of the following:

• If the request has been approved;
• If the request has been partly approved, the reasons thereof and the extent of approval; or
• Rejection of the request and reasons thereof.

No Article

PDPL does not provide a specific right to access, instead, it primarily focuses on the right to be notified of when the personal data is being processed.

Article: 23

Under PDPL, a data subject has the right to request to rectify, block or erase the personal data relating to him/her when the processing of such data is in breach of the provisions of PDPL, in particular, if the data is inaccurate, incomplete, outdated or if its processing is illegal.

Where the data controller has responded to a deletion/rectification/blocking request – wholly or partially, he must, within fifteen days from responding to such request, notify any third party, to whom the data have been disclosed, of the erasure that was made pursuant to the request, unless this proves impossible or unachievable.

The data controller is required to respond to the request, free of charge, within a period not exceeding ten working days of receipt of the request.

This right does not apply to public registers.

Article: 22

Under PDPL, if a decision is based solely on automated processing of personal data intended to assess the data subject regarding his/her performance at work, financial standing, credit-worthiness, reliability, or conduct, then the data subject has the right to request processing in a manner that is not solely automated.

This right shall not apply where the decision is taken in the course of entering into or performance of a contract with the data subject, provided that suitable measures to safeguard his/her legitimate interests have been taken, such as hearing the data subject’s view.

No Article

PDPL does not provide the right to data portability.

Article: 10(1)(5), 14

Under PDPL, the Data Protection Guardian (Data Protection Officer) should maintain a register of the processing, which the data controller is obliged to notify the Authority about under Article 14 of PDPL.

The data controller shall maintain the register if a Data Protection Guardian is not appointed. The register shall comprise at least, of the information prescribed under Article 14 of PDPL. The Data Protection Guardian shall provide the Authority with an updated version of the register once every month.

Articles: 12, 13

The data controller is prohibited from transferring personal data outside Bahrain unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries need to be listed by the Authority and published in the Official Gazette.

Data controllers can also transfer personal data to countries that are not determined to have an adequate level of protection of personal data where:

• The data subject has consented to the transfer;
• The data is from a public register;
• The transfer is necessary for:
  • The performance of a contract between the data subject and the data controller or taking steps, at the request of the data subject, with the purpose of entering into a contract;
  • The conclusion or performance of a contract entered into, in the interest of the data subject, between the data controller and a third party;
  • Protecting the vital interests of the data subject;
  • Complying with an obligation prescribed in PDPL, not being a contractual obligation, or complying with an order from a competent court, the Public Prosecution, the investigation Judge, or the Military Prosecution; or
  • Preparing or pursuing a legal claim or defense.

Articles: 8, 10(1)(4)

Under PDPL, the Data controller is required to implement appropriate technical and organizational measures to guarantee the protection of data against accidental or unauthorized destruction, accidental loss, as well as against alteration or disclosure of, access to, and any other unauthorized forms of processing.

Such measures shall ensure providing the appropriate level of security taking into account the latest technological security measures, the associated cost, the nature of the data to be processed, and the potential risks involved.

For data breaches, Data Protection Guardian is required to notify the authority.

Articles: 58

PDPL carries a range of criminal and civil penalties and administrative fines for violating certain provisions. A person can be liable to imprisonment for a term not exceeding one year, and/or a fine not less than BD 1000/- and not exceeding BD 20,000/- for the violation of specific provisions of PDPL.

The Authority can issue orders to stop violations, including emergency orders and fines. Data subjects can also seek civil compensation.