Navigating Data Transfer: List of Whitelisted Countries

In an age where digital connection and global information exchange dominate our lives, protecting personal data has become a top priority for individuals, companies, and governments alike. Law No. 30 of 2018 promulgating the Personal Data Protection Law (the “PDPL”) is Bahrain’s principal statute on personal data protection. The PDPL is intended to safeguard people’s privacy and security by requiring the lawful processing of personal data.

This article delves into Bahrain’s intricate framework of data transfer regulations, concentrating on nations exempt from the express consent requirement for the transfer of data outside Bahrain. It will analyze the PDPL and the accompanying resolutions to offer clarification on the whitelisted countries as well as the processes for obtaining consent to transfer data for countries that are not on the list.

The PDPL protects several forms of personal data, including sensitive information like biometrics and health records. It establishes fundamental concepts such as openness, fairness, purpose restriction, data reduction, accuracy, storage limitation, and security.

The PDPL applies to Bahraini citizens or workers, locally created firms, and enterprises outside Bahrain that handle personal data “by means available in Bahrain.” Non-Bahraini enterprises that operate data centers or use third-party data processors in Bahrain will fall within the scope of the PDPL.

Resolution No. 42 of 2022 (the “Resolution”) sets out 83 countries as approved for the transfer of personal data outside Bahrain without the express consent of the data subject or the specific authorization of the Personal Data Protection Authority (the “PDPA”). Inclusion on the whitelist indicates that a country has satisfied the PDPA’s criteria, which removes the extra regulatory approval requirements for transmitting personal data from Bahrain to that country.

Transferring personal data to a country that is not on the whitelist requires authorization from the PDPA. In addition, the transfer is subject to the condition that the data subject’s consent has been acquired or that there is a contractual or legal duty to transmit the data. This requirement also applies to transfers of personal data within a group and those that take place under the terms of a contract with a third party. When asking for permission to transfer to non-whitelist countries, data managers must provide a copy of the contract to the PDPA for approval.

The approved list of countries is as follows:

| Sr. No. | Country | Sr. No. | Country |
|---|---|---|---|
| 1 | Andorra | 43 | Kingdom of Saudi Arabia |
| 2 | Argentina | 44 | Kuwait |
| 3 | Australia | 45 | Latvia |
| 4 | Austria | 46 | Liechtenstein |
| 5 | Belgium | 47 | Lithuania |
| 6 | Bolivia | 48 | Luxembourg |
| 7 | Brazil | 49 | Macau |
| 8 | Brunei | 50 | Malaysia |
| 9 | Bulgaria | 51 | Malta |
| 10 | Canada | 52 | Mexico |
| 11 | Chile | 53 | Monaco |
| 12 | China | 54 | Morocco |
| 13 | Colombia | 55 | Netherlands |
| 14 | Croatia | 56 | New Zealand |
| 15 | Cyprus | 57 | Nigeria |
| 16 | Czech Republic | 58 | Norway |
| 17 | Denmark | 59 | Oman |
| 18 | Ecuador | 60 | Pakistan |
| 19 | Egypt | 61 | Paraguay |
| 20 | Estonia | 62 | Peru |
| 21 | Falkland Islands | 63 | Poland |
| 22 | Faroe Islands | 64 | Portugal |
| 23 | Finland | 65 | Romania |
| 24 | France | 66 | Russia |
| 25 | French Guiana | 67 | San Marino |
| 26 | Georgia | 68 | Singapore |
| 27 | Germany | 69 | Slovakia |
| 28 | Greece | 70 | Slovenia |
| 29 | Guernsey | 71 | South Korea |
| 30 | Guyana | 72 | Spain |
| 31 | Hong Kong | 73 | Suriname |
| 32 | Hungary | 74 | Sweden |
| 33 | Iceland | 75 | Switzerland |
| 34 | India | 76 | Thailand |
| 35 | Ireland | 77 | Ukraine |
| 36 | Isle of Man | 78 | United Arab Emirates |
| 37 | Israel | 79 | United Kingdom |
| 38 | Italy | 80 | United States of America |
| 39 | Japan | 81 | Uruguay |
| 40 | Jersey | 82 | Vatican |
| 41 | Jordan | 83 | Venezuela |
| 42 | Kazakhstan | | |

According to the Resolution, certain data controllers are entitled to transmit personal data to countries with insufficient data protection under specific situations. These conditions include the following:

Case-by-case authorization: The PDPA can provide authorization for data transfers on an individual basis while verifying that the data is sufficiently safeguarded.

Data Subject Consent: Data transfers are permitted if the data subject has explicitly consented to the transmission of their personal information.

Extracted from Public Register: Data from a public register established under the PDPL may be transmitted, subject to compliance with certain terms and restrictions for accessing the register.

Specified purposes: Transfers are permitted for specified purposes, such as executing a contract between the data subject and the data controller.

If the transfer is necessary for:

  • The performance of a contract with a third party to benefit the data subject.
  • Safeguarding the data subject’s vital interests.
  • Complying with PDPL requirements (not being a contractual commitment) or with competent authority directives (e.g. court, public prosecution, investigative judge or military prosecution).
  • Preparing, executing, or defending legal claims.

Bahrain’s use of a whitelist for data transfers differs from the General Data Protection Regulation’s uniform approach to cross-border data flows. This adaptation reflects Bahrain’s commitment to aligning global standards with its own legal setting while respecting the essential pillars of international data protection standards.
