Bahrain - Data Protection Overview
1. Governing Texts
This article provides an overview of the Personal Data Protection Law No. (30) of 2018 ('the Law'), which was published in the Official Gazette of 19 September 2018 and came into force on 1 August 2019.
The Law is the main piece of legislation with respect to personal data protection in Bahrain. The Ministry of Justice and Islamic Affairs has been named the regulator in charge of data protection, i.e. the Data Protection Authority ('the Authority'), pursuant to Resolution No. (78) of 2019 (only available in Arabic). On 17 March 2022, the Authority issued a total of 10 enforcement decisions with guidelines supplementing the provisions of the Law.
1.1. Key acts, regulations, directives, bills
Data protection in the Kingdom of Bahrain is mainly governed by the Law.
Prior to the enactment of the Law, Bahrain had a number of data protection provisions in various pieces of legislation. These provisions remain enforceable so long as they do not conflict with the Law and the resolutions issued in accordance therewith. For example, sector-specific data protection provisions are found in:
- the Central Bank of Bahrain and Financial Institutions Law 2006, regulating data protection in the regulated financial activities sector;
- the Telecommunications Law 2002, regulating data protection by licensed telecommunications operators; and
- the Labour Law 2012 ('the Labour Law'), which regulates data protection in employee-employer relationships.
1.2. Guidelines
The Authority has not issued any applicable guidelines.
1.3. Case law
2. Scope of Application
2.1. Personal scope
The provisions of the Law apply to any natural person who normally resides in Bahrain or has a place of business in Bahrain, any legal person who has a place of business in Bahrain, and any natural or legal person who processes data using means available in Bahrain, unless the purpose of such data processing is only for transit through Bahrain.
2.2. Territorial scope
The Law seeks to safeguard the personal data of natural and legal residents of Bahrain, and subjects to its provisions any person who processes data in Bahrain, regardless of their place of residence.
2.3. Material scope
The Law sets out the types of processing that fall within the scope of its application as follows:
- the automated processing of data, in whole or in part; and
- the processing of data that forms or is intended to form part of a file system by non-automatic means.
The following processing of data is expressly excluded from the scope of application of the Law:
- processing of data made by any individual for purposes not exceeding personal or family affairs; and
- processing of data by the security services of Bahrain for the purposes of national security.
In addition, the Law specifies that the application of the provisions shall not, in any case, prejudice the requirements of confidentiality required in connection with the affairs of the Bahrain Defence Force.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The regulation of data protection is entrusted to the Authority.
3.2. Main powers, duties and responsibilities
The main duties and responsibilities of the Authority pursuant to the Law include:
- issuing the decisions and resolutions necessary for the implementation of the Law, including, without limitation, specifying:
  - rules and procedures that data controllers must comply with in respect of data processing;
  - technical and organisational standards that must be met by data controllers; and
  - conditions for data record-keeping;
- authorising the transfer of data outside the Kingdom of Bahrain;
- assessing, approving, or denying any notifications or applications received for the commencement of data processing;
- maintaining a register for permits issued or notifications received for the commencement of data processing;
- receiving complaints regarding any violation of the provisions of the Law;
- educating the public and data controllers on their rights and obligations pursuant to the Law;
- monitoring compliance with the provisions of the Law;
- supervising and inspecting data controllers regarding the processing of personal data;
- supervising and inspecting the work of data protection officers ('DPO') in order to verify their compliance with the provisions of the Law;
- examining legislation relating to the protection of personal data and recommending amendments in accordance with internationally recognised standards;
- raising data protection awareness by organising educational training and promoting a personal data protection culture; and
- representing the Kingdom of Bahrain in international conferences as the personal data protection regulator.
4. Key Definitions
The key terms which were defined under Article 1 of the Law are the following:
Data controller: A person who, either alone or jointly or in common with other persons, determines the purposes and means of the processing of certain personal data. Where such purposes and means are established by law, the person responsible for the obligation to perform processing shall be the data controller.
Data processor: Any person, other than an employee of the data controller or data processor, who processes the data for and on behalf of the data controller.
Personal data: Any information, in any form, relating to an identified or identifiable individual, whether directly or indirectly, in particular through their personal identification number or one or more elements of their formal, physiological, intellectual, cultural, economic, or social identity. In order to determine whether an individual is identifiable, all means used by or available to the data controller or any other person shall be taken into consideration.
Sensitive data: Sensitive personal data refers to any personal information that directly or indirectly discloses the individual's ethnic or racial origin, political, or philosophical opinions, religious beliefs, trade union affiliation, criminal record, or any data relating to their health or sexual status.
Health data: There is no definition of 'health data' under the Law.
Biometric data: There is no definition of 'biometric data' under the Law.
Pseudonymisation: There is no definition of 'pseudonymisation' under the Law.
Data subject: Individual or person who is the subject of the data.
Processing: Any process or set of processes carried out on personal data through automatic or non-automatic means, including the collection, recording, organisation, classification, storage, adaptation or alteration, retrieval, use or disclosure of such data by transmission, dissemination or otherwise making available, combining, blocking, erasing, or destroying the information or data.
5. Legal Bases
Generally, processing personal data is prohibited without the written consent of the data subject unless the processing:
- is necessary for the implementation of a contract to which the data subject is a party;
- occurs at the request of the data subject with a view to concluding a contract;
- is necessary for the enforcement of a legal obligation, or of an order issued by a competent court or the Public Prosecution;
- is necessary to protect the vital interests of the data subject; and/or
- is necessary for the legitimate interests of the data manager or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
5.1. Consent
Please see the section on legal bases above.
5.2. Contract with the data subject
Please see the section on legal bases above.
5.3. Legal obligations
Please see the section on legal bases above.
5.4. Interests of the data subject
Please see the section on legal bases above.
5.5. Public interest
The Law does not provide any further details.
5.6. Legitimate interests of the data controller
It is worth noting that the terms 'legitimate interests' and 'fundamental rights and freedoms' are not defined, and to date the Authority has issued no precedents or guidance on the interpretation of these terms.
5.7. Legal bases in other instances
In the context of employment, the Labour Law stipulates that employers are required to maintain a record with data of their employees. Such data include name, age, housing number, marital status, place of residence and nationality, job, profession, wages, qualifications, and experience. The aforementioned data must be maintained by the employer for at least two years after the expiry of the employment relationship. The right of employers to maintain and process the data of their employees in this instance stems from the obligation stipulated under the Labour Law rather than the legal basis for lawful processing under the Law (Article 68 of the Labour Law).
6. Principles
The Law states that certain data quality controls shall be applied to the processing of data. The data quality principles stipulated under the Law are as follows:
- personal data shall be processed fairly and legally;
- the data shall be collected for a legitimate, specific, and clear purpose, which may not subsequently be altered, and no subsequent processing may be carried out in a manner inconsistent with the purpose for which the data was collected. Excluded from this principle is the processing of data for historical, statistical, or scientific research, provided that it is not used to support any decision or action regarding a specific individual;
- the processing shall be adequate, relevant, and not excessive given the purpose of collection or subsequent processing;
- the data shall be correct and accurate, and subject to updates when necessary; and
- the data shall not remain in a form that allows the data subject to be identified after the completion of the purpose for collection or for which subsequent processing is performed. Data stored for longer periods for historical, statistical, or scientific purposes shall be kept in an anonymised format, i.e. putting them in a form that does not enable such data to be related to the owner. Furthermore, it shall be ensured that it is not possible to decode the identity of the owners of the data (Article 3 of the Law).
7. Controller and Processor Obligations
The Law imposes further responsibilities and obligations on data controllers including:
- ensuring the safety of processing by applying adequate levels of security and technical measures to avoid the unintended destruction, unauthorised access, alteration, loss of data, and protecting data from other forms of processing;
- ensuring that the data processor is applying adequate safeguards to data, and verifying that the data processor conducts processing in accordance with the data processing agreement entered into by the data controller and the data processor;
- maintaining the confidentiality of personal data. Data controllers are prohibited at all times from disclosing any data without the consent of the data subject or pursuant to an order of the court or the Public Prosecutor;
- complying with the provisions of the Law in connection with data processing;
- disclosing their identity to the data subjects, as well as the intended purpose of processing of the data subject's data. In particular, the data controller must inform the data subject if their data is intended to be used for direct marketing purposes, in which case the data subject has the right to object, and must update the data subject on the status of any data processing application; and
- receiving applications from the data subject to correct, block, erase, or withdraw their processed data.
The data processor is required to process data in accordance with the terms of the written agreement between the data controller and the data processor and shall only process data in accordance with the instructions of the data controller. The same duties and obligations that are applicable to data controllers with respect to confidentiality and data security are applicable to data processors.
7.1. Data processing notification
The data controller is required to notify the Authority before the commencement of data processing which is automated in whole or in part, and the notifications received will be entered into the register of notifications and permits, which is maintained by the Authority.
The Authority has issued Order No. (44) of 2022 Regarding the rules and procedures for submitting notifications and prior authorization requests to the Personal Data Protection Authority and deciding upon it ('the Notifications Order'), which specifies the procedures and rules governing the notice and is discussed in the section on enforcement decisions. In any event, the notice shall contain the following information:
- the name and address of the data controller and the data processor;
- the purpose of processing;
- a data description and statement of the categories of data subjects and recipients of the data or their categories;
- any data transfers intended to be carried out to a country or territory outside the Kingdom of Bahrain; and
- a statement that enables the Authority to assess in principle the appropriateness of the measures available to meet the safety requirements (outlined in the section on principles).
In addition, by resolution of the Board, a simplified notification may be sufficient in situations where, due to the nature of the data processed, no infringement of data subjects' rights and freedoms occurs. Such a simplified notification shall include the following (Article 14(3) of the Law):
- the purpose of the processing;
- the processed data or categories of processed data;
- the categories of data subjects affected by such processing and the data recipients or categories of recipients;
- the length of time during which the data may be stored; and
- information required to be included within the notification.
The data controller may be exempt from the notification requirement in the following circumstances:
- where the sole purpose of data processing is to maintain a record in accordance with the Law in order to provide information to the public, whether access to the information is available to the public as a whole or limited to concerned parties;
- processing of data in the context of the activities of various associations, trade unions, and other non-profit organisations;
- where an employer is processing the data of their employees within the limits necessary to carry out functions related to the employment, organising the employees' employment affairs, or exercising the rights outlined under the Labour Law with respect to data processing and protecting the rights of the employees; and
- in cases where a DPO is appointed (see the section on data protection officer appointment below).
The Authority may contact the data controller within ten days of receipt of the notification in order to request the data controller to address any shortfalls in the information contained in the notice. Such a shortfall is required to be remedied within 15 days from the date of the request, and the data controller is required to stop data processing until the shortfall is addressed.
Any notification that was not completed after receiving the request outlined above may be struck off from the Authority's register following a reasoned decision issued by the Authority. The aforementioned decision will be notified to the data controller upon its issuance.
A permit from the Authority is required for data processing under the following circumstances:
- automated processing of sensitive personal data in the case where neither the data subject nor their guardian is legally able to give consent;
- automatic processing of biometric data used for identification;
- automatic processing of genetic data, except for processing done by doctors and specialists in a licensed medical facility and necessary for medicine and healthcare-related purposes;
- automatic processing involving the linking of personal data files of two or more data controllers handled by them for different purposes; and
- processing of data which is an optical recording and may be used for monitoring purposes.
The Authority has issued a decision outlining the requirements that should be complied with in order to obtain a permit to process data for any of the abovementioned forms of data processing, which can be found in the section on enforcement decisions. The Authority will contact the data controller within 30 days of receiving the permit application. Failure to receive any response from the Authority will constitute an implicit rejection.
It is worth noting that the abovementioned notification requirements are applicable to automated processing of data only.
7.2. Data transfers
The Law sets a general prohibition on transferring personal data outside the Kingdom of Bahrain. However, there are exceptions to the general prohibition under which the transfer of data outside Bahrain is allowed; these are as follows:
- the Authority shall issue a statement, published in the Official Gazette, containing a list of countries and territories to which data transfers are permissible. The Authority will issue such a list after taking into consideration territories whose applicable data protection legislation and regulations it deems satisfactory in ensuring an adequate level of protection; and
- the Authority may authorise the transfer of data on a case-by-case basis after assessing the circumstances surrounding the data transfer. The Authority will mainly consider the size and nature of the data and the purposes of the transfer thereof, and the data protection laws, regulations, or international conventions applicable in the territory to which data will be transferred. The authorisation will be subject to the discretion of the Authority, as the Authority may set specific conditions and time periods for such authorisation.
7.3. Data processing records
The Law imposes further responsibilities and obligations on data controllers including keeping records of data processing activities and providing the Authority with an updated copy of the records once a month (in the absence of a DPO).
7.4. Data protection impact assessment
The Law does not specifically address Data Protection Impact Assessments ('DPIAs'). However, the Law provides that controllers are required to implement appropriate technical and organisational measures to guarantee protection of data against accidental or unauthorised destruction, accidental loss, as well as against alteration or disclosure of, access to and any other unauthorised forms of processing (Article 8 of the Law).
In this regard, Article 3 of the Authority's Order No. (43) of 2022 Regarding the conditions to be met in the technical and organisational measures that guarantee protection of personal data ('the Technical and Organisational Measures Order') addresses DPIAs and provides that a controller may conduct a DPIA, taking into account the nature, scope, context and purposes of the processing, and high risks of processing on the rights and freedoms of natural persons (Article 3(1) of the Technical and Organisational Measures Order). Furthermore, Article 3(2) of the same states that controllers should conduct DPIAs in the following cases:
- cases stipulated in Article 22(1) of the Law, or a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- when processing, on a large scale, special categories of data or personal data relating to the institution and pursuit of criminal proceedings and related judgements referred to in Article 7 of the Law; or
- when processing amounts to a systematic monitoring of a publicly accessible area on a large scale.
With regard to the contents of a DPIA, Article 3(4) of the Technical and Organisational Measures Order notes that as a minimum, a DPIA should include:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Order, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Additionally, Article 3(5) of the Technical and Organisational Measures Order further states that where appropriate, the controller should seek the views of data subjects or their legal representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
7.5. Data protection officer appointment
There is no requirement for the compulsory appointment of DPOs under the Law. The Law suggests that the Authority may issue a decision which requires certain categories of data controllers to appoint a DPO, referred to as 'data protection guardian'.
The Authority has issued Order No. (46) of 2022 Regarding Data Protection Guardians ('the Guardians Order') which notes that the controller may appoint an 'external' or 'internal' DPO and must notify the Authority of the appointment within three working days of doing so (Article 2 of the Guardians Order).
The main duties of DPOs revolve around the supervision of data controllers and ensuring that data processing is being conducted in compliance with the provisions of the Law. The Law outlines the duties and responsibilities of DPOs as follows:
- assisting data controllers in exercising their rights and duties in accordance with the Law;
- acting as an intermediary between the Authority and data controllers with respect to their compliance with the provisions of the Law, and notifying the Authority with any evidenced violations or shortfalls by data controllers that have not been rectified;
- verifying the data controller's compliance with the provisions of the Law regarding processing data and notifying data controllers to rectify any violations;
- keeping records of the data controller's data processing activities and updating the Authority with a copy of such records once a month; and
- conducting their duties in an independent and impartial manner.
Enrolment in the Register of DPOs
DPOs are required to enrol in the Authority's Register of DPOs ('the Register') in order to be accredited to assume the role. In addition, DPOs are required to renew their registration annually for a fee. In this regard, Order No. (47) of 2022 Determining the fees of enrolment and renewal in the Data Protection Guardians register and cases of waiver and refund ('the Fees Order') specifies the fees for enrolment in the Register and for subsequent renewals, as follows:
Enrolment fees:
- for a natural person acting as an external DPO = BD 300 (approx. €825);
- for a legal entity acting as an external DPO = BD 500 (approx. €1,340); and
- for an internal DPO = BD 100 (approx. €275).
Annual renewal fees:
- for a natural person acting as an external DPO = BD 100 (approx. €275);
- for a legal entity acting as an external DPO = BD 150 (approx. €412); and
- for an internal DPO = BD 30 (approx. €82).
Furthermore, Article 5 of the Guardians Order specifies the following conditions attached to the enrolment of an external DPO:
For natural persons:
- to be fully competent;
- to hold at least a Bachelor's Degree in information technology ('IT'), or a professional certificate in information security, information security audit, or cyber security, or to have practical experience of no less than two years in any of the mentioned fields;
- to be of good reputation, and not to have been finally convicted of a breach of trust, a crime affecting their honour or integrity, or a crime involving breach of professional ethics, unless they have been reinstated; and
- not to have been dismissed from work based on a disciplinary ruling or decision, or had their licence to practise their main profession revoked or suspended based on a disciplinary ruling or decision.
For a legal entity:
- licensed to work in the Kingdom of Bahrain;
- involved in providing legal, audit, IT, management consulting, accounting, or risk management services;
- that among its employees, at least three must meet the conditions stipulated for the registration of natural persons above; and
- other conditions determined by the Board of Directors.
For the enrolment of an internal DPO, Article 9 of the Guardians Order provides the following conditions in addition to those required for the enrolment of an external DPO:
- to be among the employees of the controller, a subsidiary company, one of its branches, or a member of a regional or international group under the same ownership; and
- to have a permanent residence in the Kingdom of Bahrain.
Procedures for enrolment in the Register are set out in Article 6 of the Guardians Order for external DPOs and Article 10 of the same for internal DPOs.
The enrolment of an external or internal DPO in the Register will end in any of the following cases (Article 15 of the Guardians Order):
- the death of a natural person, or the cancellation of the enrollment in the commercial register for a legal person; or
- the expiration of the enrolment period without renewal in accordance with the provisions of the Guardians Order.
7.6. Data breach notification
The Law imposes an obligation on DPOs to notify the Authority of any violation or breach committed by the data controller, after the lapse of ten days from the date of the incident and to rectify the breach, if the data controller has not already done so.
7.7. Data retention
Data subjects are entitled to request from the data controller the removal, erasure, or withdrawal of their data.
Furthermore, data shall not remain in a form that allows the data subject to be identified after the completion of the purpose for collection or for which subsequent processing is performed. Data that is stored for longer periods for historical, statistical, or scientific purposes shall be kept in an anonymised format by putting them in a form that does not enable such data to be related to the owner. Furthermore, it shall be ensured that it is not possible to decode the identity of the owners of the data (Article 3 of the Law).
7.8. Children's data
There are no specific regulations governing the data of children/minors under the Law. However, the law requires that in instances where consent is required from a person who is not legally competent to give consent (such as minors or persons who lack legal capacity), the consent of their guardian or custodian be obtained.
Kindly note that the age of consent under the laws of the Kingdom of Bahrain is generally 21 years. In the context of commercial dealings, the age of consent is 18 years as per the specific provision provided under Article 10 of the Law of Commerce No. 7/1987.
7.9. Special categories of personal data
The Law provides exceptions for processing sensitive personal data without obtaining the written consent of the data subjects, including where:
- the processing is required by the data controllers for their duties and the exercise of their legally prescribed rights in the field of labour relations that binds them to their employees;
- the processing is necessary to protect any person if the data subject, their custodian, guardian, or trustee is not legally able to give their consent, and is subject to obtaining prior permission from the Authority;
- the processed data was provided by the data subject to the public;
- the processing is necessary to initiate or defend any legal rights claim, including what is required in preparation for the matter; and/or
- the processing is necessary for the purposes of preventive medicine, medical diagnosis, provisions of health care, treatment, or management of health care services by a licensed medical practitioner or any person legally bound to maintain confidentiality.
The Law imposes further responsibilities and obligations on data controllers including complying with the decisions of the Authority with respect to the rules and procedures of processing sensitive personal data.
The Authority has issued Order No. (45) of 2022 Regarding the rules and procedures for processing sensitive personal data ('the Sensitive Personal Data Order'), which adds further detail to the provisions of the Law and provides that controllers must comply with the following rules when processing any sensitive personal data:
- process the data only within the permitted framework and scope of the data subject's consent, or within the scope of the authorisation issued by the Authority; it is not permissible in any case to process sensitive personal data for any other purpose;
- implement technical measures with a high level of security that protect against unlawful processing and breach of privacy, and prevent damage, loss, leakage, and replication of data, taking into account the requirements for technical and organisational measures to protect personal data stipulated in Order No. (43) of 2022; and
- not keep the data for a period exceeding the period specified by the data subject upon giving their consent, the period specified in the authorisation issued by the Authority, or the periods stipulated in the rules and regulations to which the controller's activity is subject.
7.10. Controller and processor contracts
The Law suggests that the data processor and the data controller shall be bound by a written contractual agreement. Such an agreement should state that the data processor shall only conduct data processing in accordance with the instructions of the data controller and shall bind the data processor with the same duties and obligations as the data controller with regards to data confidentiality and security.
The Law provides that the data controller and the DPO, where appointed, shall be held liable for any damage suffered by the data subjects in connection with the processing of their information, and the data processor will not be held personally liable towards the data subjects for such compensation. We are of the view that the Law has adopted this approach because data processors are most likely employed by the data controller and they are prohibited from conducting any processing beyond the scope of the data controller's instructions.
8. Data Subject Rights
8.1. Right to be informed
The Law grants data subjects the following rights:
- to be informed by the data controller when their data is being processed; and
- to be informed of the data controller's full name, scope of activity or profession, address, the purposes for which data is intended to be processed, and any other necessary information, depending on the circumstances of each case, in order to ensure fair processing for the data subject.
8.2. Right to access
The Law does not explicitly provide for the right to access.
8.3. Right to rectification
The Law provides data subjects with the right to correct their processed data at any time by sending a written application to the data controller.
8.4. Right to erasure
The Law provides data subjects with the right to erase their personal data at any time by sending a written application to the data controller.
8.5. Right to object/opt-out
The Law grants data subjects the following rights:
- to object to the use of their personal data for direct marketing or making the data publicly available; and
- to object to processing causing material or psychological damage to the data subject or others.
8.6. Right to data portability
The Law does not explicitly provide for the right to data portability.
8.7. Right not to be subject to automated decision-making
Where data processing is used to assess the data subject's performance, financial position, creditworthiness, behaviour, or reliability, the Law provides that the data subject may request a different approach, so as not to render their assessment solely dependent on the automatic processing of data.
8.8. Other rights
The Law also provides data subjects with the following rights:
- to have their data stored in a manner which does not make them identifiable, or to have their identity encrypted if it is impossible to store their data in such a manner;
- to have their data protected and not disclosed to any unauthorised party without their consent; and
- to block or withdraw their processed data at any time by sending a written application to the data controller.
In terms of civil liability, the Law suggests that anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if such processing breaches the provisions of the Law.
With regard to criminal penalties, the Law suggests that a sentence of imprisonment not exceeding one year and a fine of not less than BD 1,000 (approx. €2,258) and not more than BD 20,000 (approx. €45,156), or either of these penalties, may be imposed on any person who:
- processes personal or sensitive personal data without obtaining the consent of the data subject, or does so without notifying the Authority in advance;
- transfers data outside the Kingdom of Bahrain without obtaining the approval of the Authority or without the consent of the data subject;
- provides the Authority or data subjects with false information which contradicts the records maintained regarding data processing;
- blocks any information or data that is required to be submitted to the Authority, or prevents the Authority from accessing such data;
- disrupts the work of the Authority's inspections or investigations; or
- discloses any information available to them by virtue of their work for their personal benefit.
Please note that if the committer of any of the above is a corporate legal person, the fine may be increased up to twice the fine prescribed to a natural person.
Without prejudice to the penalties provided for under the Law, the Penal Code, 1976 ('the Penal Code') states that, 'A punishment of imprisonment for a period not exceeding one year or a fine not exceeding BD 100 (approx. €226) shall be inflicted on a person who divulges a secret entrusted thereto in their official capacity, trade, profession, or art in conditions other than those prescribed by the law or uses it for his personal benefit or for the benefit of another person unless the person concerned with the secret allows the divulgence or use thereof.'
Please note that before the enforcement of the Law, the abovementioned punishment provided under the Penal Code shall apply to any person who discloses personal data to another party for processing purposes, as we are of the view that such data qualifies as a secret.
9.1. Enforcement decisions
On 17 March 2022, the Authority issued 10 enforcement decisions providing data protection guidelines in respect of:
- Order No. (42) of 2022 Regarding the transfer of personal data outside the Kingdom of Bahrain: the transfer of personal data outside of Bahrain requires the approval of the Authority, unless the transfer is made to any of the 83 jurisdictions in respect of which the Authority is satisfied with the level of data protection regulations and controls applied therein ('the Approved Jurisdictions').
- The Technical and Organisational Measures Order: the resolution sets out the technical and organisational measures and guidelines required for personal data processing methods, including requirements for privacy by design, a privacy framework, sufficient system security and firewalls, regular vulnerability assessment and penetration testing, effective emergency and crisis control, and defined scopes and levels of employee authority. The resolution also includes breach notification requirements, regular testing, and employee training.
- The Notifications Order: where notification of data processing is required in accordance with the Law, the resolution sets out the procedures for notifying the Authority, which include transparency, sufficient explanation of purpose, processing on a strictly need-to-know basis, access limited to authorised personnel, and accessibility of data to data subjects.
- The Sensitive Personal Data Order: the processing of sensitive personal data is required to be carried out on a limited basis in accordance with the permission of the Authority or the data subject; to be done using highly reliable and secured technical means; and not to involve storage for longer than the term stated in the permission of the Authority or the data subject, as applicable.
- The Guardians Order: data controllers may employ DPOs internally or appoint external DPOs. The Authority must be informed of any DPO appointment within three working days of the appointment, and a list of DPOs shall be published on the Authority's website. The resolution sets out the procedures and conditions for DPO enrolment and registration, and includes requirements to disclose any conflict of interest or any matter that may give rise to independence concerns.
- The Fees Order: the resolution specifies the fees for DPO registration, ranging from BD 100 (approx. €270) for internal DPOs to BD 500 (approx. €1,340) for corporate external DPOs.
- Order No. (48) of 2022 Regarding the Data Subject's rights: data subjects shall be informed of automated data processing decisions, and the rules and procedures for such decisions shall be set out clearly and expressly so as to enable the data subject to submit any objections and be notified of the outcome. Where a website's cookie wall blocks access unless the user consents, consent given in that way is not considered consent for the purposes of the Law. The resolution also entitles the data subject to withdraw consent, and data managers must enable such withdrawal to be processed within a reasonable time.
- Order No. (49) of 2022 With respect to rules and procedures governing submission of complaints regarding violations of the Personal Data Protection Law: any interested party may submit a complaint of a breach of the Law. A complaint form is available on the Authority's website, and the complaint must be accompanied by any available proof of the breach. The party against whom the complaint is made must be notified of the complaint and given a chance to respond before the Authority reaches a decision.
- Order No. (50) of 2022 Determining the controls and safeguards for protecting the confidentiality of data concerning instituting and pursuing of criminal proceedings, and related judgements: these guidelines relate to the processing of personal data relating to criminal proceedings. Such data shall be protected from disclosure, transfer, publication, or being made available in any way to any party other than those permitted by law. The protection extends to all levels of criminal proceedings and to the judgments issued.
- Order No. (51) of 2022 Regarding the conditions to be met while creating registers accessible to the public: the requirements for creating data registries accessible to the public include facilitated accessibility, relevance to purpose, the consent of the data subject, and a means to enable the data subject to amend or delete their personal data in the public registry. The public registry must state the type and purpose of the data and the date of its last update.