Navigating Data Transfer: List of Whitelisted Countries
In an age where digital connection and global information exchange dominate our lives, protecting personal data has become a top priority for individuals, companies, and governments alike. Law No. 30 of 2018 promulgating the Personal Data Protection Law (the “PDPL”) is Bahrain’s principal statute on personal data protection. The PDPL is intended to safeguard people’s privacy and security by requiring the lawful processing of personal data.
This article delves into Bahrain’s intricate framework of data transfer regulations, concentrating on nations exempt from the express consent requirement for the transfer of data outside Bahrain. It will analyze the PDPL and the accompanying resolutions to offer clarification on the whitelisted countries as well as the processes for obtaining consent to transfer data for countries that are not on the list.
The PDPL protects several forms of personal data, including sensitive information like biometrics and health records. It establishes fundamental concepts such as openness, fairness, purpose restriction, data reduction, accuracy, storage limitation, and security.
The PDPL applies to Bahraini citizens or workers, locally created firms, and enterprises outside Bahrain that handle personal data “by means available in Bahrain.” Non-Bahraini enterprises that operate data centers or use third-party data processors in Bahrain will fall within the scope of the PDPL.
Resolution No. 42 of 2022 (the “Resolution”) sets out 83 countries as approved for the transfer of personal data outside Bahrain without the express consent of the data subject or the specific authorization of the Personal Data Protection Authority (the “PDPA”). The whitelist indicates that certain countries have satisfied the criteria of the PDPA and removed extra regulatory approval requirements for transmitting personal data from Bahrain.
Transferring personal data to a country that is not on the whitelist requires getting authorization from the PDPA. Nonetheless, the transfer must be subject to the condition that the data subject’s consent has been acquired or that there is a contractual or legal duty to transmit the data. This need also applies to transfers of personal data within a group and those that take place under the terms of a contract with a third party. When asking for permission to transfer to non-whitelist countries, data managers must provide a copy of the contract to the PDPA for approval.
The approved list of countries is as follows:
SR NO | COUNTRIES | SR NO | COUNTRIES |
1. | Andorra | 43. | Kingdom of Saudi Arabia |
2. | Argentina | 44. | Kuwait |
3. | Australia | 45. | Latvia |
4. | Austria | 46. | Liechtenstein |
5. | Belgium | 47. | Lithuania |
6. | Bolivia | 48. | Luxembourg |
7. | Brazil | 49. | Macau |
8. | Brunei | 50. | Malaysia |
9. | Bulgaria | 51. | Malta |
10. | Canada | 52. | Mexico |
11. | Chile | 53. | Monaco |
12. | China | 54. | Morrocco |
13. | Colombia | 55. | Netherlands |
14. | Croatia | 56. | New Zealand |
15. | Cyprus | 57. | Nigeria |
16. | Czech Republic | 58. | Norway |
17. | Denmark | 59. | Oman |
18. | Ecuador | 60. | Pakistan |
19. | Egypt | 61. | Paraguay |
20. | Estonia | 62. | Peru |
21. | Falkland Islands | 63. | Poland |
22. | Faroe Islands | 64. | Portugal |
23. | Finland | 65. | Romania |
24. | France | 66. | Russia |
25. | French Guiana | 67. | San Marino |
26. | Georgia | 68. | Singapore |
27. | Germany | 69. | Slovakia |
28. | Greece | 70. | Slovenia |
29. | Guernsey | 71. | South Korea |
30. | Guyana | 72. | Spain |
31. | Hong Kong | 73. | Suriname |
32. | Hungary | 74. | Sweden |
33. | Iceland | 75. | Switzerland |
34. | India | 76. | Thailand |
35. | Ireland | 77. | Ukraine |
36. | Isle of Man | 78. | United Arab Emirates |
37. | Israel | 79. | United Kingdom |
38. | Italy | 80. | United States of America |
39. | Japan | 81. | Uruguay |
40. | Jersey | 82. | Vatican |
41. | Jordan | 83. | Venezuela |
42. | Kazakhstan |
|
|
According to the Resolution, certain data controllers are entitled to transmit personal data to countries with insufficient data protection under specific situations. These conditions include the following:
Case-by-case authorization: The PDPA can provide authorization for data transfers on an individual basis while verifying that the data is sufficiently safeguarded.
Data Subject Consent: Data transfers are permitted if the data subject has explicitly consented to the transmission of their personal information.
Extracted from Public Register: Data from a public register established under the PDPL may be transmitted, subject to compliance with certain terms and restrictions for accessing the register.
Transfers are permitted for specified purposes: such as executing a contract between the data subject and the data controller.
If the transfer is necessary for:
- The performance of a contract with a third party to benefit the data subject.
- Safeguarding the data subject’s vital interests.
- Complying with PDPL requirements, not being a contractual commitment, or complying with competent authority directives (e.g. court, public prosecution, investigative judge or military prosecution).
- Preparing, executing, or defending legal claims.
Bahrain’s use of a whitelist for data transfers differs from the General Data Protection Regulation’s uniform approach to cross-border data flows. This adaption reflects Bahrain’s commitment to aligning global standards with its own legal setting while respecting the essential pillars of international data protection standards.
