Law No. 30 of 2018 promulgating the Personal Data Protection Law (PDPL) was published on July 19, 2018 and came into force on August 1, 2019. Prior to the implementation of the PDPL, there was no single codified data protection law in force in Bahrain. Scattered provisions were instead isolated in different laws covering certain aspects of confidentiality and privacy, making the PDPL a much-needed development to bring the country’s legislation more in line with the General Data Protection Regulation. The PDPL is applicable both within Bahrain and extraterritorially.

The law establishes the Personal Data Protection Authority (PDPA), which has the power to carry out inspections and investigations into possible violations of the PDPL, issue orders to stop violations, fine violators and award compensation to data owners who have incurred damage as a result of violations of the PDPL. However, a formal PDPA has not yet been formed as of October 2019, and no implementing regulations of the PDPL had yet been published to date.

The terms personal data and data have been defined widely in the PDPL, and include any information or image in any form of an individual that can be directly or indirectly identifiable by any means. Sensitive data includes any data that reveals, directly or indirectly, an individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life and should be processed with more care as specified by Article 5 of the law. Processing is also broadly construed, and incudes any treatment of data by both automatic and non-automatic means, including the collection, organization, storage, modification, use or disclosure, publishing, making available to third parties, and destruction of such data.

Article 3 of PDPL requires that any personal data collected must be processed fairly, for a legitimate and clear purpose, and must not be subsequently processed for other purposes. It should be ensured that any data processed is at all times accurate and updated when necessary. Importantly, once the purpose for which the data was collected is fulfilled, it should not be stored in any identifiable form. Beyond this point, it must be converted into an anonymized, unencryptable format.

Consent of the data owner must be obtained before processing their data, and must be given clearly by individuals of full legal capacity and on their own free will after being fully informed about the purposes for processing their data. Some exceptions to this are:

  • processing the data to conclude a contract on behalf of a data owner;
  • fulfilling an obligation required by law or court order; or
  • protecting the vital interests of the data owner.

If a party seeks to transfer any personal data outside of Bahrain, they may only transfer such data to countries which are deemed by the PDPA to have sufficient data protection laws. A list of these countries has not yet been published. Some of the exceptions to this are when:

  • The data owner has given their consent;
  • The data is from a public register; or
  • Prior authorisation has been obtained from the PDPA.

The PDPL allows for criminal penalties and administrative fines in some circumstances, notably in cases including but not limited to:

  • Processing sensitive personal data in violation of the law;
  • Transferring personal data outside Bahrain to a country or region in violation of the law;
  • Processing personal data without notifying the PDPA;
  • Hindering or suspending the work of the PDPA’s inspectors or any investigation which the authority is going to make; or
  • Inspectors disclosing any data which they are allowed to have access to due to their job, or which they used for their own benefit or for the benefit of others unreasonably and in violation of the law.

Such acts may result in imprisonment of up to one year and/or a fine between BD1000 ($2650) and BD20,000 ($53,000), so it is imperative that parties ensure their data processing procedures and policies comply strictly with the PDPL.

(This article was published on Oxford Business Group The Report: Bahrain 2020 Edition)