I. Introduction
Drawing inspiration from the European Union data protection laws, Bahrain's new data protection framework, the Personal Data Protection Law (PDPL), was enacted on 1 August 2019. To safeguard its residents' personal rights and data, this legislative initiative establishes a robust framework, encompasses a range of measures, and imposes obligations on organizations. This ensures that data is collected and utilized in a manner that prioritizes security and confidentiality.
As the data privacy landscape evolves in the Middle East, Bahrain’s PDPL sets a precedent, ensuring organizations comply with the evolving requirements of the law. This guide delves into the PDPL’s key provisions, obligations for businesses, data subject rights, non-compliance penalties, and how organizations can operationalize the PDPL to ensure swift compliance.
II. Who Needs to Comply with the PDPL
A. Material Scope
The PDPL applies to the processing of data:
- wholly or partly by automatic means, and
- by non-automatic means, where the data form part of a filing system or are intended to form part of one.
B. Territorial Scope
The PDPL applies to the following persons:
- Individuals who maintain a place of business in, or are habitual residents of, the Kingdom;
- All legal persons that maintain a place of business within the Kingdom;
- Any individual or entity that is neither a habitual resident nor maintains a business within the Kingdom, yet utilizes means located within the Kingdom to process data, unless those means are exclusively employed for the purpose of data transit across the territory of the Kingdom.
III. Definitions of Key Terms
1. Personal Data
Personal data relates to any information that can be used to directly or indirectly identify an individual. It includes an individual’s personal identification number and physical, physiological, intellectual, cultural, economic, or social identity details.
2. Sensitive Personal Data
Sensitive personal data is any personal information that directly or indirectly reveals an individual’s race, ethnic origin, political or philosophical opinions, religious beliefs, union affiliation, criminal record, or any information relating to their health or sexual status.
IV. Data Subject Rights
The PDPL grants individuals the following exercisable rights relating to their personal data:
A. Right to be informed
Data subjects have the right to request the following information from the data controller:
- The data controller’s full name, professional details, address, and scope of activity
- The objectives underlying data processing
- When their data will be processed
- Any additional information necessary to ensure fair processing for the data subject
The data controller is expected to comply with this right within 15 working days of the request. In the case of a deficiency in the request, the data controller must inform the applicant within 10 days of receiving the request to fulfill the requirements.
If the data subject obtained the information through misuse, the data controller has the right to reject the request, but it must notify the data subject of its decision to accept or reject the request within 10 days of receiving it.
B. Right to rectification and deletion
The data subject has the right to request that inaccurate, incomplete, or outdated processed data be corrected or deleted by submitting a formal written application to the data controller.
Upon receiving such a request, the data controller must respond free of charge within 10 working days of receipt. Once it has responded, the data controller must then, within 15 working days of responding, notify any third party to whom the data has been passed on of the need to erase that specific data.
C. Right to object
The data subject can object to the use of their personal data for direct marketing purposes, processes that result in their data becoming publicly available, and any processing that has the potential to lead to substantial material or psychological damage.
Upon receiving such a request from the data subject, data controllers are expected to halt the processing of their data. The data controller must notify the data subject within 10 working days of receiving the request about whether it has been approved, the reasons and the extent of approval in case of partial approval, and the reasons for rejection in case the request has been rejected.
D. Right to not be subject to automated decision-making
In cases where the data subject’s performance, financial status, creditworthiness, behavior, or reliability are to be assessed through data processing, the data subject has the right to request the processing not be completely automated.
However, this right is not applicable when the decision is taken while entering into a performance contract with the data subject, as long as appropriate measures have been taken to protect their interests such as listening to the data subject’s perspective.
E. Additional rights
The Law also grants other rights to data subjects, including:
- The right to have their data stored in a manner that conceals their identity or to have their identity encrypted
- The right to not give any unauthorized party access to their data without their consent
- The right to revoke their processed data at any time through a formal written application to the data controller
V. Obligations for Organizations Under the PDPL
A. Lawful Basis Requirements
Organizations must ensure that personal data is:
- Processed in a fair and lawful manner;
- Collected for distinct, clear, and legitimate purposes, and not processed in a way that conflicts with those original purposes. Processing for historical, statistical, or scientific purposes is nonetheless allowed, as long as it is not used to make decisions or take actions affecting any individual;
- Adequate, relevant and not excessive in nature;
- Accurate and kept up to date;
- Stored in a manner that does not disclose the data subject’s identity after the successful processing of data. In case that is not possible, the data subject’s identity must be encrypted.
B. Legitimate Purposes for Processing Besides Consent
The processing of personal data cannot take place without the data subject’s consent unless the processing requires:
- The implementation of a contract in which the data subject is a party;
- Taking steps at the request of the data subject with a view to entering into a contract;
- The implementation of a legal or contractual obligation ordered by the court or prosecution;
- Protection of the data subject’s vital interests;
- The fulfillment of the data controller or third party’s legitimate interests to which the data has been disclosed, unless this contradicts the data subject’s rights and freedoms.
Similarly, the processing of sensitive personal data is also not permissible without the data subject’s consent unless the processing is required for:
- The implementation of the data controller’s obligations;
- The protection of the data subject’s interests;
- The implementation of procedures relating to legal claims or their defense;
- Ensuring the provision of preventive healthcare, treatment, and medical diagnosis;
- Activities that are conducted within unions and non-profit organizations;
- Activities that are conducted by a public institution;
- Data related to one’s race or ethnicity to ensure the provision of equal opportunities and fair treatment to citizens.
C. Registration Requirements
The personal data that is recorded in registers and is open to the public must abide by the limits of necessity and be in accordance with the objective for which the registers were generated. A resolution highlighting the conditions that must be taken into account when creating registers will be passed by the Board.
D. Privacy Notice Requirements
The Data Controller is required to give the Authority prior notice of any processing operation, whether wholly or partly automated, that is carried out for one or more purposes. The Data Controller is not expected to give prior notice in the following circumstances:
- The register that contains and is to be used to disclose information can be accessed by the general public or those with a legitimate interest,
- Processing is being conducted for activities related to associations and non-profit organizations,
- The employer processes data only to the extent of fulfilling his rights and responsibilities, safeguarding employee rights, and organizing his matters,
- The Data Protection Guardian has already been appointed.
The Board will pass a resolution detailing the rules and procedures to be followed for submission of the notification. It must contain the following information:
- The Data Controller and Data Processor’s names and addresses,
- The reasons for the processing,
- A description of the different categories of data subjects and data recipients,
- Any suggested transfer of data to a country outside of Bahrain,
- A general description that permits the Authority to carry out an initial assessment regarding the suitability of existing security measures according to Article (8) of this Law.
E. Security Requirements
To protect the data from accidental loss, unauthorized alteration, disclosure, destruction, or access, data controllers are required to implement appropriate technical and organizational measures. According to the PDPL, it is the responsibility of the Authority’s Board of Directors to communicate the terms and conditions that the technical and organizational measures must fulfill. They must also specify the different activities to be carried out for the processing of personal data. Data controllers are responsible for ensuring that the data processors comply with the organizational and technical measures when processing the data.
F. Data Breach Requirements
The data controller is expected to devise specific processes to notify the Personal Data Protection Authority of any violation or breach of data within 72 hours of its date of discovery. This requirement must be fulfilled only in the case of a personal data breach that affects the rights of data subjects.
G. Data Protection Officer Requirements
Under the PDPL, the Data Protection Guardian is responsible for the following:
- Assisting the data controller in abiding by the rights and obligations stated in the PDPL;
- Liaising between the Authority and the data controller to help the controller’s implementation of specific provisions related to data processing;
- Ensuring that the data is processed according to the PDPL. If potential violations are detected, they must be communicated to the data controller to ensure its mitigation and rectification;
- Informing the Authority of any violations of data if the data controller has not mitigated or rectified the matter within 10 days of being informed;
- Recording and maintaining all processing operations in a register. If a data protection guardian is not appointed, the data controller must maintain this register. The register will contain all the information required under the provisions of the PDPL, and will be updated and communicated to the Authority at least once a month.
The Authority is required to create a register titled “Data Protection Guardians Register”; to be appointed as a data protection guardian, an individual must be recorded in it. The Board will pass a resolution prescribing the data protection guardian’s duties, specifically the conditions governing who may be recorded in the register, the recording procedure, its duration, and its renewal.
H. Record of Processing Activities
The Data Protection Officer must maintain a register of data processing activities, and the Data Controller is required to inform the Authority of this in accordance with Article 14 of the PDPL. Every month, the Data Protection Officer is expected to provide an updated version of the register to the Authority. If a Data Protection Officer has not been appointed, it is the Data Controller’s responsibility to maintain the register.
I. Third-Party Processing Requirements
In situations where a third-party entity is entrusted with the processing of personal data, specific requirements must be fulfilled:
- The data subject must agree to the processing of their data by a third-party;
- The data controller must create a contract highlighting the terms and conditions of the processing, provide provisions to enable third parties to comply with the PDPL and sufficient guarantees that ensure the security and confidentiality of the data;
- Third-party processors must implement appropriate technical and organizational measures such as encryption, access controls, and regular security audits to prevent unauthorized processing of data;
- The data subjects must be able to exercise the rights granted to them by the PDPL, including the right to be informed, the right to rectification and deletion, the right to object, and the right not to be subject to automated decision-making;
- If personal data is transferred to a third party located outside of Bahrain, the PDPL’s provisions on cross-border data transfers must be complied with, such as ensuring that the receiving country provides adequate protection of personal data.
J. Cross-Border Data Transfer Requirements
Data controllers are prohibited from transferring the personal data of Bahrainis outside the Kingdom except in the following cases:
- The transfer to a country or territory is listed in an up-to-date record maintained by the Authority, which contains all the countries and territories that provide appropriate legislative and regulatory protection for such data. This record must be published in the Official Gazette;
- The transfer occurs following the Authority’s express authorization on a case-by-case basis, provided the data will have adequate protection. The adequacy of such protection will be evaluated based on the circumstances surrounding the data transfer, which include:
  - The nature of the data to be transferred, as well as the purpose and duration of processing;
  - The country of origin of the data, its final destination, and the measures available in those countries to protect the data;
  - Whether relevant international agreements and regulations are in place in the country or territory to which the data is to be transferred.
Any authorization granted is conditional and limited to a specified timeframe.
Exception
However, the data controller may transfer personal data outside the Kingdom to another country that does not have an adequate level of protection in the following circumstances:
- The data subject has consented to the transfer;
- The data to be transferred is obtained from a register compiled per the law to provide information to the public, whether available to the public or limited to a specific person. In such cases, access to such data will be under strict stipulated conditions;
- The transfer is necessary for:
  - The performance of a contract between the data subject and the data controller, or taking steps with a view to entering into a contract;
  - The conclusion or performance of a contract;
  - Protecting the vital interests of the data subject;
  - Complying with a legal obligation (other than a contractual obligation), or with an order from a competent court, the Public Prosecution, the investigating judge, or the military prosecution;
  - Preparing or pursuing a legal claim or defense.
VI. Regulatory Authority
The Personal Data Protection Authority (Authority) shall oversee the regulation of the PDPL. In case of violations of the PDPL, the Authority has the power to investigate on its own, as a response to a complaint, or if the minister has requested it. The Authority can then issue an order to halt violations and impose emergency orders and fines. If an individual has incurred damage as a result of violations of the PDPL while their data was being processed by the data controller and data protection officer, they are eligible for civil compensation.
VII. Penalties for Non-Compliance
Any individual or business that fails to comply with the PDPL will be subject to imprisonment for a maximum of one year, a fine ranging from BD 1,000 to BD 20,000, or both. These penalties can be imposed on a person who:
- Processes personal data without informing the authority beforehand or without the consent of the data subject;
- Transfers data outside of Bahrain without the authority’s permission or the data subject’s consent;
- Provides inaccurate information to the authority or data subjects;
- Blocks any information that the authority must be given access to;
- Creates hindrances in the authority’s inspection and investigation procedures;
- Shares any information with the authority for their personal gain.
It’s important to note that if a corporate legal person commits the above-mentioned offenses, the fine can be doubled compared to the amount imposed on a natural person.
VIII. How Can an Organization Operationalize the PDPL
Organizations can operationalize Bahrain’s Personal Data Protection Law (PDPL) by:
- Clearly defining personal data protection policies and procedures in compliance with PDPL’s provisions;
- Developing clear, accessible, and understandable privacy notices that comply with the PDPL’s requirements;
- Classifying data, ensuring data minimization, honoring data subject rights and requests and engaging in periodic monitoring of privacy controls;
- Obtaining explicit consent from users before processing their personal data;
- Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
- Training employees who handle consumers’ data on the organization's policies and procedures, as well as the PDPL’s requirements.
IX. Key Facts
- Personal data relates to any information which can be used to directly or indirectly identify an individual.
- The Data Protection Authority ensures all concerned individuals and organizations abide by the rules stated in the PDPL.
- Under the PDPL, data subjects possess a range of exercisable rights, including the right to be informed, the right to access, the right to rectification and deletion, the right to object, the right to data portability, and the right not to be subject to automated decision-making.
- The PDPL does not permit the transfer of personal data outside Bahrain except when the data is to be transferred to a country that provides sufficient protection for personal data.
X. How Securiti Can Help
The growing need to comply with global personal data protection laws such as the Bahrain PDPL has made the automation of organizations’ data privacy operations absolutely necessary. Securiti supports enterprises in their journey towards compliance with the Bahrain PDPL through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation.
Embracing automation is the way forward. Securiti’s comprehensive PrivacyOps platform offers a reliable and streamlined approach to data privacy management, enabling your organization to comply with various articles of the Bahrain PDPL easily.
With our PrivacyOps platform, customize the data subject rights requests portal for seamless customer care, automate data subject request handling, secure data access fulfillment, automate rectification and erasure request processing, engage in continuous monitoring and tracking, and much more!
Frequently Asked Questions (FAQs) about Bahrain PDPL