Q&A: Data Protection 2024 – Bahrain

  1. What legislation and agency govern data protection?

The Personal Data Protection Law No. 30 of 2018 (the “Law”) governs data protection in the Kingdom of Bahrain, whereby Article 27 of the Law establishes the Personal Data Protection Authority (the “Authority”).

  2. What rights do individuals in this jurisdiction have to request access to personal data relating to them? Are there any set time limits, procedures or administrative requirements?

Pursuant to Article 17 of the Law, individuals have the right, upon request, to be informed of the data held concerning them and to request the rectification of such data. The individual must be informed of these rights at the time their data is recorded.

Furthermore, Article 23 of the Law grants individuals the right to request the rectification, blocking or erasure of personal data relating to them if the data is inaccurate, incomplete or outdated, or if it is held in breach of the Law. Such a request must be responded to within 10 working days of its receipt. Any third party to whom the data was disclosed must then be notified of the rectification, erasure or blocking within 15 days.

  3. What are the main principles those keeping personal data must comply with?

As stipulated under Article 3 of the Law, personal data must be:

    • Processed fairly and lawfully.
    • Collected for specific, explicit and legitimate purposes, and not further processed in a way incompatible with the purpose for which it was originally collected.
    • Adequate, relevant and not excessive in relation to the purpose for which it is collected or further processed.
    • Accurate, correct and up to date.
    • Stored in a form that does not permit the identification of the individual once the purpose of collection or further processing has been achieved.

  4. How is personal data classed?

There are two classifications of data pursuant to the Law:

Personal Data:

Personal Data is defined as “any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified by reference, in particular, to his or her personal identification number, or by reference to one or more factors specific to his or her physical, physiological, intellectual, cultural, economic, or social identity. In determining whether an individual is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration”.

Sensitive Personal Data:

Sensitive Personal Data is defined as “any personal information revealing (directly or indirectly) an individual’s race, ethnical origin, political or philosophical opinions, religious beliefs, affiliation to a union, personal criminal record, or any information in relation to his health or sexual status”.

Considering the above, the main difference between the two classifications is the scope of the data: personal data covers general information about an individual, whereas sensitive personal data is limited to specific categories such as an individual’s race, origin, religion and health.

  5. What are the penalties for non-compliance?

In accordance with Article 55 of the Law, if the violating party fails to stop the unlawful act, or to remove its causes or effects, within the period prescribed in the Law, the Authority may issue the following decisions against the violating party:

    • Withdrawal of the authorization granted under Article 15 of the Law (approvals for automatic processing), if the unlawful act relates to that authorization.
    • Imposition of a daily penalty to compel the violating party to stop the unlawful act. The penalty may not exceed BHD 1,000 per day for a first-time violation, but may reach BHD 2,000 per day if the same violation recurs within 3 years.
    • Imposition of an administrative penalty not exceeding BHD 20,000.

Any criminal offences will be referred to the Public Prosecution by the Authority.

  6. What are the rules around consent to use personal data in marketing?

As stipulated under Articles 19 and 20 of the Law, processing personal data for the purposes of direct marketing is permissible. However, the individual whose personal data is collected or processed must be informed of their right to object to direct marketing, and exercising that objection must be free of charge.

Where an objection is made, direct marketing must cease within 10 working days of receipt of the request. The individual must also be notified, free of charge, within 10 working days, that:

    • the request has been approved;
    • the request has been partially approved, along with the reasons and the extent of the approval; or
    • the request has been rejected, along with the reasons for the rejection.

  7. How does the law around data retention work? Are there any specific requirements on security and encryption?

Pursuant to Article 3 of the Law, personal data must not be retained in a form that permits identification of the individual whose data has been collected or further processed. Moreover, where personal data is retained for historical, statistical or scientific purposes, it must be stored only in an anonymous form, such that the data cannot be associated with the individual. Where such anonymization is not possible, the identity of the individual must be encrypted.
