September 2023

1. Governing Texts

This article provides an overview of the Personal Data Protection Law No. (30) of 2018 ('the Law'), which came into force on  August 1, 2019.

The Law is the main piece of legislation with respect to personal data protection in Bahrain.  The Ministry of Justice and Islamic Affairs has been named the regulator in charge of data protection as the Data Protection Authority ('the Authority') pursuant to Resolution No. (78) of 2019.  On March 17, 2022, the Authority issued a total of 10 enforcement decisions with guidelines supplementing the provisions of the Law.

1.1. Key acts, regulations, directives, bills

Data protection in the Kingdom of Bahrain is mainly governed by the Law which was published in the Official Gazette of September 19, 2018, and entered into force on August 1, 2019.

Prior to the enactment of the Law, Bahrain had a number of provisions on data protection in various legislations.  These provisions remain enforceable so long as they do not conflict with the Law and the resolutions issued in accordance therewith.  For example, sector-specific data protection provisions are found in:

• the Central Bank of Bahrain and Financial Institutions Law 2006, regulating data protection in the regulated financial activities sector;
• the Telecommunications Law 2002, regulating data protection by licensed telecommunications operators; and
• the Labor Law 2012 ('the Labor Law'), which regulates data protection in employee-employer relationships.

1.2. Guidelines

The Authority has not yet issued guidelines.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The provisions of the Law apply to any natural person who normally resides in Bahrain or has a place of business in Bahrain, any legal person who has a place of business in Bahrain, and any natural or legal person who processes data using means available in Bahrain unless the purpose of such data processing is only for transit through Bahrain.

2.2. Territorial scope

The Law seeks to safeguard the personal data of natural and legal residents of Bahrain, and subject any person who processes data in Bahrain, regardless of their place of residence.

2.3. Material scope

The Law sets out the types of processing that fall within the scope of its application as follows:

• the automated processing of data whole or in part; and
• the processing of data that forms or is intended to form part of a file system by non-automatic means.

The following processing of data is expressly excluded from the scope of application of the Law:

• processing of data made by any individual for purposes not exceeding personal or family affairs; and
• processing of data by the security services of Bahrain for the purposes of national security.

In addition, the Law specifies that the application of the provisions shall not, in any case, prejudice the requirements of confidentiality required in connection with the affairs of the Bahrain Defense Force.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The regulation of data protection is entrusted to the Authority.

3.2. Main powers, duties and responsibilities

The main duties and responsibilities of the Authority pursuant to the Law include:

• issuing decisions and resolutions necessary for the implementation of the Law such as and without limitation, specifying:
  • rules and procedures that data controllers must comply with in respect of data processing;
  • technical and organizational standards that must be met by data controllers; and
  • conditions for data record-keeping;
• authorizing the transfer of data outside the Kingdom of Bahrain;
• assessing, approving, or denying any notifications or applications received for the commencement of data processing;
• maintaining a register for permits issued or notifications received for the commencement of data processing;
• receiving complaints regarding any violation of the provisions of the Law;
• educating the public and data controllers on their rights and obligations pursuant to the Law;
• monitoring compliance with the provisions of the Law;
• supervising and inspecting data controllers regarding the processing of personal data;
• supervising and inspecting the work of data protection officers ('DPO') in order to verify their compliance with the provisions of the Law;
• examining legislation relating to the protection of personal data and recommending amendments in accordance with internationally recognized standards;
• raising data protection awareness by organizing educational training and promoting a personal data protection culture; and
• representing the Kingdom of Bahrain in international conferences as the personal data protection regulator.

4. Key Definitions

The key terms which were defined under Article 1 of the Law are the following:

Data controller: A person who, either alone or jointly or in common with other persons, determines the purposes and means of the processing of certain personal data. Where such purposes and means are established by law, the person responsible for the obligation to perform processing shall be the data controller.

Data processor: Any person, other than an employee of the data controller or data processor, who processes the data for and on behalf of the data controller.

Personal data: Any information, in any form, of an identified or identifiable individual, whether directly or indirectly, particularly through their personal identification number, or one or more of their formal, physiological, intellectual, cultural, economic, or social identity. In order to determine whether an individual is capable of being identifiable or not, all means used by or available to the data controller or any other person shall be taken into consideration.

Sensitive data: Sensitive personal data refers to any personal information that directly or indirectly discloses the individual's ethnic or racial origin, political, or philosophical opinions, religious beliefs, trade union affiliation, criminal record, or any data relating to their health or sexual status.

Health data: Not defined under the Law.

Biometric data: Not defined under the Law.

Pseudonymization: Not defined under the Law.

Data subject: Individual or person who is the subject of the data.

Processing: Any process or set of processes carried out on personal data through automatic or non-automatic means, including the collection, recording, organization, classification, storage, adaptation or alteration, retrieval, use, or disclosure of such data by transmission, dissemination or otherwise making available, combination, blocking, erasure, or destruction of the information or data.

5. Legal Bases

Generally, processing personal data is prohibited without the written consent of the data subject unless the processing:

• is necessary for the implementation of a contract to which the data subject is a party;
• occurs at the request of the data subject with a view to concluding a contract;
• is necessary for the enforcement of a legal obligation, or an order issued by a competent court or the Public Prosecution;
• is necessary to protect the vital interests of the data subject; and/or
• is necessary for the legitimate interests of the data manager or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.

5.1. Consent

Please see section on legal bases above.

5.2. Contract with the data subject

Please see section on legal bases above.

5.3. Legal obligations

Please see section on legal bases above.

5.4. Interests of the data subject

Please see section on legal bases above.

5.5. Public interest

Please see section on legal bases above.

5.6. Legitimate interests of the data controller

The term 'legitimate interests' is not defined and there are no precedents or guidance issued by the Authority, as to date, in relation to the interpretation of the aforementioned terms.  The determination of legitimate interests shall be subject to the discretion of the Authority and ultimately the Bahraini courts.

5.7. Legal bases in other instances

In the context of employment, the Labor Law stipulates that employers are required to maintain a record with data of their employees. Such data includes name, age, housing number, marital status, place of residence and nationality, job, profession, wages, qualifications, and experience. The aforementioned data must be maintained by the employer for at least two years after the expiry of the employment relationship. The right of employers to maintain and process the data of their employees in this instance stems from the obligation stipulated under the Labor Law rather than the legal basis for lawful processing under the Law (Article 68 of the Labor Law).

6. Principles

The Law states that certain data quality controls shall be applied to the processing of data. The principles of data quality controls that are stipulated under the Law are as follows:

• personal data shall be processed fairly and legally;
• the data shall be collected for a legitimate, specific, and clear purpose, not to be altered subsequently, and that no subsequent processing is in a manner inconsistent with the purpose for which it was collected. Excluded from this principle is processing data for historical, statistical, or scientific research, provided that it is not to support any decision or action regarding a specific individual;
• the processing shall be adequate, relevant, and not excessive given the purpose of collection or subsequent processing;
• the data shall be correct and accurate, and subject to updates when necessary; and
• the data shall not remain in a form that allows the data subject to be identified after the completion of the purpose for collection or for which subsequent processing is performed. Data stored for longer periods for historical, statistical, or scientific purposes shall be kept in an anonymized format by putting them in a form that does not enable such data to be related to the owner. Furthermore, it shall be ensured that it is not possible to decode the identity of the owners of the data (Article 3 of the Law).

7. Controller and Processor Obligations

The Law imposes further responsibilities and obligations on data controllers including:

• ensuring the safety of processing by applying adequate levels of security and technical measures to avoid the unintended destruction, unauthorized access, alteration, and loss of data, and protecting data from other forms of processing;
• ensuring that the data processor is applying adequate safeguards to data, and verifying that the data processor conducts processing in accordance with the data processing agreement entered into by the data controller and the data processor;
• maintaining the confidentiality of personal data. Data controllers are prohibited at all times from disclosing any data without the consent of the data subject or pursuant to an order of the court or the Public Prosecutor;
• complying with the provisions of the Law in connection with data processing;
• disclosing their identity to the data subjects, as well as the intended purpose of processing the data subject's data. In particular, the data controller must inform the data subject if their data is intended to be used for direct marketing purposes, while the data subjects shall have the right to object, and update the data subject with the status of any data processing application; and
• receiving applications from the data subject to correct, block, erase, or withdraw their processed data.

Processor

The data processor is required to process data in accordance with the terms of the written agreement between the data controller and the data processor and shall only process data in accordance with the instructions of the data controller. The same duties and obligations that are applicable to data controllers with respect to confidentiality and data security are applicable to data processors.

7.1. Data processing notification

The data controller is required to notify the Authority before the commencement of data processing which is automated in whole or in part, and the notifications received will be entered into the register of notifications and permits, which is maintained by the Authority.

The Authority will issue a decision to specify the procedures and regulations in connection with the notice, nonetheless, the notice shall contain the following information:

• the name and address of the data controller and the data processor;
• the purpose of processing;
• a data description and statement of the categories of data subjects and recipients of the data or their categories;
• any data transfers intended to be carried out to a country or territory outside the Kingdom of Bahrain; and
• a statement that enables the Authority to assess in principle the appropriateness of the measures available to meet the safety requirements (outlined in the section above on controller and processor obligations).

The data controller may be exempt from the notification requirement in the following circumstances:

• where the sole purpose of data processing is to maintain a record in accordance with the Law in order to provide information to the public, whether access to the information is available to the public as a whole or limited to concerned parties;
• processing of data in the context of the activities of various associations, trade unions, and other non-profit organizations;
• where an employer is processing the data of their employees within the limits necessary to carry out its functions related to the employment, organizing the employees' employment affairs, or exercise the rights outlined under the Labor Law with respect to data processing data and protecting the rights of the employees; and
• in cases where a Data Protection Officer ('DPO') is appointed (as explained in the section below on appointment of DPOs).

The Authority may contact the data controller within ten days of receipt of the notification in order to request the data controller to address any shortfalls in the information contained in the notice. Such a shortfall is required to be remedied within 15 days from the date of the request, and the data controller is required to stop data processing until the shortfall is addressed.

Any notification that was not completed after receiving the request outlined above may be struck off from the Authority's register following a reasoned decision issued by the Authority. The aforementioned decision will be notified to the data controller upon its issuance.

A permit from the Authority is required for data processing under the following circumstances:

• automated processing of sensitive personal data in the case where neither the data subject nor their guardian is legally able to give consent;
• automatic processing of biometric data used for identification;
• automatic processing of genetic data, except for processing done by doctors and specialists in a licensed medical facility and necessary for medicine and healthcare-related purposes;
• automatic processing involving the linking of personal data files of two or more data controllers handled by them for different purposes; and
• processing of data which is an optical recording and may be used for monitoring purposes.

The Authority shall issue a decision outlining the requirements that should be complied with in order to obtain a permit to process data for any of the abovementioned forms of data processing. The Authority will contact the data controller within 30 days of receiving the permit application. Failure to receive any response from the Authority will constitute an implicit rejection.

It is worth noting that the abovementioned notification requirements are applicable to automated processing of data only.

7.2. Data transfers

The Law sets a general prohibition on transferring personal data outside the Kingdom of Bahrain. However, there are exclusions to the general prohibition whereby the transfer of data outside Bahrain is allowed, these are as follows:

• the Authority shall issue a statement published in the Official Gazette containing a list of countries and territories to which data transfers are permissible. The Authority will issue such a list after taking into consideration territories that have applicable data protection legislation and regulations that are deemed satisfactory to an extent that ensures to the Authority the adequacy of the protection provided by the laws and regulations of the said territories; and
• the Authority may authorize the transfer of data on a case-by-case basis after assessing the circumstances surrounding the data transfer. The Authority will mainly consider the size and nature of the data and the purposes of the transfer thereof, and the data protection laws, regulations, or international conventions applicable in the territory to which data will be transferred. The authorization will be subject to the discretion of the Authority, as the Authority may set specific conditions and time periods for such authorization.

7.3. Data processing records

The Law imposes further responsibilities and obligations on data controllers including keeping records of data processing activities and providing the Authority with an updated copy of the records once a month (in the absence of a DPO).

7.4. Data protection impact assessment

The Law does not specifically address Data Protection Impact Assessments ('DPIA').

7.5. Data protection officer appointment

There is no requirement for the compulsory appointment of DPOs under the Law. The Law suggests that the Authority may issue a decision which requires certain categories of data controllers to appoint a DPO.

The main duties of DPOs revolve around the supervision of data controllers and ensuring that data processing is being conducted in compliance with the provisions of the Law. The Law outlines the duties and responsibilities of DPOs as follows:

• assisting data controllers in exercising their rights and duties in accordance with the Law;
• acting as an intermediary between the Authority and data controllers with respect to their compliance with the provisions of the Law, and notifying the Authority with any evidenced violations or shortfalls by data controllers that have not been rectified;
• verifying the data controller's compliance with the provisions of the Law regarding processing data and notifying data controllers to rectify any violations;
• keeping records of the data controller's data processing activities and updating the Authority with a copy of such records once a month; and
• conducting their duties in an independent and impartial manner.

DPOs are required to enroll in the Authority's Register of DPOs ('the Register') in order to be accredited to assume the role of DPOs. In addition, DPOs are required to renew their registration annually for a fee.

The Authority shall issue a decision regulating the work of DPOs and specify the conditions that must be met by those who are to be registered in the Register, registration procedures, the validity, the renewal period, as well as determining the costs of renewal fees.

7.6. Data breach notification

The Law imposes an obligation on DPOs to notify the Authority of any violation or breach committed by a data controller, after the lapse of ten days from the date of the incident and to rectify the breach, if a data controller has not already done so.

7.7. Data retention

Data subjects are entitled to request from the data controller the removal, erasure, or withdrawal of their data.

Furthermore, data shall not remain in a form that allows the data subject to be identified after the completion of the purpose for collection or for which subsequent processing is performed. Data that is stored for longer periods for historical, statistical, or scientific purposes shall be kept in an anonymized format by putting them in a form that does not enable such data to be related to the owner. Furthermore, it shall be ensured that it is not possible to decode the identity of the owners of the data (Article 3 of the Law).

7.8. Children's data

There are no specific regulations governing the data of children/minors under the Law. However, the law requires that in instances where consent is required from a person who is not legally competent to give consent (such as minors or persons who lack legal capacity), the consent of their guardian or custodian be obtained.

Kindly note that the age of consent under the laws of the Kingdom of Bahrain is generally 21 years. In the context of commercial dealings, the age of consent is 18 years as per the specific provision provided under Article 10 of the Law of Commerce No. 7/1987.

7.9. Special categories of personal data

The Law provides exceptions for processing sensitive personal data without obtaining the written consent of the data subjects, including where:

• the processing is required by the data controllers for their duties and the exercise of their legally prescribed rights in the field of labor relations that binds them to their employees;
• the processing is necessary to protect any person if the data subject, their custodian, guardian, or trustee is not legally able to give their consent, and is subject to obtaining prior permission from the Authority;
• the processed data was provided by the data subject to the public;
• the processing is necessary to initiate or defend any legal rights claim, including what is required in preparation for the matter; and/or
• the processing is necessary for the purposes of preventive medicine, medical diagnosis, provisions of health care, treatment, or management of health care services by a licensed medical practitioner or any person legally bound to maintain confidentiality.

The Law imposes further responsibilities and obligations on data controllers including complying with the decisions of the Authority with respect to the rules and procedures of processing sensitive personal data.

7.10. Controller and processor contracts

The Law suggests that the data processor and the data controller shall be bound by a written contractual agreement. Such an agreement should state that the data processor shall only conduct data processing in accordance with the instructions of the data controller and shall bind the data processor with the same duties and obligations as the data controller with regard to data confidentiality and security.

The Law provides that the data controller and the DPO, where appointed, shall be held liable for any damage suffered by the data subjects in connection with the processing of their information, and the data processor will not be held personally liable towards the data subjects for such compensation. We are of the view that the Law has adopted this approach because data processors are most likely employed by the data controller, and they are prohibited from conducting any processing beyond the scope of the data controller's instructions.

8. Data Subject Rights

8.1. Right to be informed

The Law grants data subjects the following rights:

• to be informed by the data controller when their data is being processed; and
• to be informed of the data controller's full name, scope of activity or profession, address, the purposes for which data is intended to be processed, and any other necessary information, depending on the circumstances of each case, in order to ensure fair processing for the data subject.

8.2. Right to access

The Law does not explicitly provide for the right to access.

8.3. Right to rectification

The Law provides data subjects with the right to correct their processed data at any time by sending a written application to the data controller.

8.4. Right to erasure

The Law provides data subjects with the right to erase their personal data at any time by sending a written application to the data controller.

8.5. Right to object/opt-out

The Law grants data subjects the following rights:

• to object to the use of their personal data for direct marketing or making the data publicly available; and
• to object to processing causing material or psychological damage to the data subject or others.

8.6. Right to data portability

The Law does not explicitly provide for the right to data portability.

8.7. Right not to be subject to automated decision-making

Where data processing is used to assess the data subject's performance, financial position, creditworthiness, behavior, or reliability, the Law provides that the data subject may request a different approach, so as not to render their assessment solely dependent on the automatic processing of data.

8.8. Other rights

The Law also provides data subjects with the following rights:

• to have their data stored in a manner which does not make them identifiable, or having their identity encrypted if it is impossible to store their data in such manner;
• to have their data protected and not to disclose the data to any unauthorized party without their consent; and
• to have the right to block or withdraw their processed data at any time by sending a written application to the data controller.

9. Penalties

In terms of civil liability, the Law suggests that anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if such processing breaches the provisions of the Law.

With regards to criminal penalties, the Law suggests that a sentence of imprisonment not exceeding one year and a fine of not less than BD 1,000 (approx. $2,652) and not more than BD 20,000 (approx. $53,054), or either of these penalties may be imposed on any person who commits any of the following:

• processes personal or sensitive personal data without obtaining the consent of the data subject, or doing the same without notifying the Authority in advance;
• transferring data outside the Kingdom of Bahrain without obtaining the approval of the Authority or without the consent of the data subject;
• provides the Authority or data subjects with false information which contradicts the records maintained regarding processing data;
• blocks any information or data that is required to be submitted to the Authority or prevents the Authority from accessing such data;
• disrupting the work of the Authority's inspections or investigations; or
• discloses any information available to him by virtue of their work for their personal benefit.

Please note that if the committer of any of the above is a corporate legal person, the fine may be increased up to twice the fine prescribed to a natural person.

Without prejudice to the penalties provided for under the Law, the Penal Code, 1976 ('the Penal Code') states that, 'A punishment of imprisonment for a period not exceeding one year or a fine not exceeding BD 100 (approx. $265) shall be inflicted on a person who divulges a secret entrusted thereto in their official capacity, trade, profession, or art in conditions other than those prescribed by the law or uses it for his personal benefit or for the benefit of another person unless the person concerned with the secret allows the divulgence or use thereof.'

Please note that before the enforcement of the Law, the abovementioned punishment provided under the Penal Code shall apply to any person who discloses personal data to another party for processing purposes, as we are of the view that such data qualifies as a secret.

9.1 Enforcement decisions

On March 17, 2022, the Authority issued 10 enforcement decisions providing data protection guidelines in respect of:

• Transfer of personal data outside of Bahrain: the transfer of personal data outside of Bahrain requires approval of the Authority unless the transfer is made to any of the 83 jurisdictions that the Authority is satisfied with the level of data protection regulations and controls applied therein ('the Approved Jurisdictions');
• Technical and organizational measures: the resolution provides the technical and organizational measures and guidelines required for the personal data processing methods including requirements of privacy by design, privacy framework, sufficient system security and firewalls, conducting regular vulnerability assessment and penetration testing, effective emergency and crisis control, and defined employee authority scopes and levels.  The resolution also includes breach notification requirements and regular testing and employee training;
• Notification procedures: where notification of data processing is required in accordance with the Law, the resolutions set out the procedures for notifying the Authority, which include transparency, sufficient explanation of purpose, processing to be done on a strictly need-to-know basis, limited access to authorized personnel, and accessibility of data to data subjects;
• Processing of sensitive personal data: the processing of sensitive personal data is required to be on a limited basis in accordance with the permission of the Authority or the data subject; be done using highly reliable and secured technical means; and not stored for longer than the term stated in the permission of the Authority or data subject as applicable;
• Data Protection Officers (DPOs): data controllers may employ DPOs internally or appoint external DPOs.  The Authority must be informed of any DPO appointment within three working days of the appointment and a list of DPOs shall be published on the Authority's website.  The resolution sets out the procedures for DPO registration and includes disclosure requirements of conflict of interest or any matter that may give rise to independence concerns;
• DPO registration fees: the resolution specifies the fees for DPO registration, ranging from BD 100 (approx. $265) for internal DPOs to BD 500 (approx. $1,326) for corporate external DPOs;
• Rights of data subjects: data subjects shall be informed of automated data processing decisions, and the rules and procedures therefore be made clearly and expressly so as to enable the data subject to submit any objections and be notified of the outcome.  Where a website's cookies wall blocks access without consent, such is not considered consent for the purposes of the Law. The resolution also entitles the data subject to withdraw consent and data managers must enable such withdrawal to be processed in a reasonable time;
• Complaints procedures: any interested party may submit a complaint of a breach of the Law.  There is a complaint form on the Authority's website and must be accompanied by any proof available of the breach.  The party against whom the complaint is made must be notified of the complaint and allowed a chance to respond before the Authority reaches a decision;
• Data relating to criminal proceedings: these guidelines relate to the processing of personal data relating to criminal proceedings.  This data shall be protected from disclosure, transfer, publication, or in any way making available to any party other than those permitted by law.  The protection extends to all levels of criminal proceedings and the issued judgments; and
• Data registries accessible to the public: the requirements for creating data registries accessible to the public include facilitated accessibility, relevance to purpose, the consent of the data subject, and a means to enable the data subject to amend or delete their personal data in the public registry.  The public registry must state the type, purpose, and date of the last update of the data.