Bahrain - Data Protection Overview
Standalone legislation on personal data protection is recent; previously, the relevant provisions were scattered across different pieces of legislation. This article covers the enactment of the Personal Data Protection Law No. (30) of 2018 ('the Law'), which came into force on 1 August 2019.
The Law is the main piece of legislation with respect to data protection issues, and this note therefore focuses on its implications. It is worth noting that, because the Law only recently entered into force, many procedural and regulatory matters that are to be decided by resolution(s) of the Data Protection Authority ('the Authority') have yet to be issued. It should also be noted that, as per Resolution No. 78 of 2019 (only available in Arabic), published in the Official Gazette on 3 October 2019, the Ministry of Justice and Islamic Affairs shall exercise the duties of the Authority.
1. GOVERNING TEXTS
Data protection in the Kingdom of Bahrain is mainly governed by the Law which was published in the Official Gazette of 19 September 2018 and entered into force on 1 August 2019.
Prior to the enactment of the Law, Bahrain had certain provisions in other legislation which govern the concept of data protection. The aforementioned provisions remain enforceable, serve as supplementary provisions to the Law, and regulate the concept of data protection in specific sectors, including:
- the Central Bank of Bahrain and Financial Institutions Law 2006, which regulates data protection in the regulated financial activities sector;
- the Telecommunications Law 2002, which regulates data protection in the telecommunication sector; and
- the Labour Law 2012 ('the Labour Law'), which regulates data protection in employee-employer relationships.
The Ministry of Justice and Islamic Affairs has not issued any applicable guidelines.
1.3. Case law
2. SCOPE OF APPLICATION
The provisions of the Law apply to any natural person who normally resides in Bahrain or has a place of business in Bahrain, any legal person who has a place of business in Bahrain, and any natural or legal person who processes data using means available in Bahrain, unless the purpose of such data processing is only for transit through Bahrain.
The provisions of the Law apply to:
- every natural person who normally resides in or has a place of business in Bahrain;
- every legal person that has a place of business in Bahrain; and
- every natural or legal person who does not normally reside in Bahrain and has no place of business in Bahrain but processes data using means available in Bahrain, unless the purpose of using such means is merely to transfer data through Bahrain.
Accordingly, the Law is considered to have a scope of application limited to the jurisdiction of Bahrain: it does not extend to persons who are neither resident nor domiciled in Bahrain, nor to data processing using means that are outside the geographic scope of Bahrain (Article 2 of the Law).
The Law sets out the types of processing that fall within the scope of its application as follows:
- the processing of data using automatic means in whole or in part; and
- the processing of data that forms or is intended to form part of a file system by non-automatic means.
The following processing of data is expressly excluded from the scope of application of the Law:
- processing of data made by any individual for purposes not exceeding personal or family affairs; and
- processing of data done by the security services of Bahrain for the purposes of national security.
In addition, the Law specifies that the application of the provisions shall not, in any case, prejudice the requirements of confidentiality required in connection with the affairs of the Bahrain Defence Force.
3.1. Main regulator for data protection
The main regulatory authority for data protection in Bahrain is the Authority, which shall be established pursuant to Article 27 of the Law. In Bahrain, the duties of the Authority are currently being exercised by the Ministry of Justice and Islamic Affairs (see section 1.1 above).
3.2. Main powers, duties and responsibilities
The main duties and responsibilities of the Authority pursuant to the Law include:
- issuing decisions necessary for the implementation of the Law, such as, without limitation, specifying:
  - rules and procedures that data controllers must comply with in respect of data processing;
  - technical and organisational standards that must be met by data controllers; and
  - conditions for data record-keeping;
- authorising the transfer of data outside the Kingdom of Bahrain;
- assessing, approving, or denying any notifications or applications received for the commencement of data processing;
- maintaining a register for permits issued or notifications received for the commencement of data processing;
- receiving complaints regarding any violation of the provisions of the Law;
- educating the public and data controllers on their rights and obligations pursuant to the Law;
- monitoring compliance with the provisions of the Law;
- supervising and inspecting data controllers regarding the processing of personal data;
- supervising and inspecting the work of data protection officers ('DPO') in order to verify their compliance with the provisions of the Law;
- examining legislation relating to the protection of personal data and recommending amendments in accordance with internationally recognised standards;
- raising awareness with regards to data protection by organising educational training and promoting personal data protection culture; and
- representing the Kingdom of Bahrain in international conferences as the body responsible for the protection of personal data.
As the Law is still in the implementation phase, a decree is yet to be issued to specify the duties and powers vested in the administrative body of the Authority.
4. KEY DEFINITIONS
The key terms which were defined under Article 1 of the Law are the following:
Data controller: A person who, either alone or jointly or in common with other persons, determines the purposes and means of the processing of certain personal data. Where such purposes and means are established by law, the person responsible for the obligation to perform processing shall be the data controller.
Personal data: Any information, in any form, relating to an identified or identifiable individual, whether directly or indirectly, particularly by reference to their personal identification number or to one or more elements of their formal, physiological, intellectual, cultural, economic, or social identity. In order to determine whether an individual is identifiable, all means used by or available to the data controller or any other person shall be taken into consideration.
Sensitive data: Any personal data that directly or indirectly discloses the individual's ethnic or racial origin, political or philosophical opinions, religious beliefs, trade union affiliation, or criminal record, or any data relating to their health or sexual status.
Data subject: Individual or person who is the subject of the data.
Processing: Any process or set of processes carried out on personal data through automatic or non-automatic means, including the collection, recording, organisation, classification, storage, adaptation or alteration, retrieval, use or disclosure of such data by transmission, dissemination or otherwise making available, combination, blocking, erasure, or destruction of the information or data.
5. LEGAL BASES
Generally, processing personal data is prohibited without the written consent of the data subject unless the processing falls under one of the legal bases listed below, namely where the processing is:
- necessary for the implementation of a contract to which the data subject is a party;
- occurs at the request of the data subject with a view to concluding a contract;
- necessary for the performance of a duty prescribed by law (other than a contractual obligation) or of an order issued by a competent court or the Public Prosecution;
- necessary for protecting the vital interests of the data subject; and/or
- necessary for the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
Please see section 5 above.
The Law does not provide any further details.
It is worth noting that the terms 'legitimate interests' and 'fundamental rights and freedoms' are not defined, and that, to date, there are no precedents or guidance issued by the Authority on the interpretation of these terms.
In the context of employment, the Labour Law stipulates that employers are required to maintain a record containing data on their employees. Such data includes name, age, housing number, marital status, place of residence and nationality, job, profession, wages, qualifications, and experience. The employer must retain this data for at least two years after the end of the employment relationship. The right of employers to maintain and process the data of their employees in this instance stems from the obligation stipulated under the Labour Law rather than from a legal basis for lawful processing under the Law (Article 68 of the Labour Law).
The Law states that certain data quality controls shall be applied to processing of data. The principles of data quality controls that are stipulated under the Law are the following:
- personal data shall be processed fairly and legally;
- the data shall be collected for a legitimate, specific, and clear purpose that is not subsequently altered, and no subsequent processing shall be carried out in a manner inconsistent with the purpose for which the data was collected. Processing for historical, statistical, or scientific research is excluded from this principle, provided that it is not used to support any decision or action regarding a specific individual;
- the processing shall be adequate, relevant, and not excessive given the purpose of collection or subsequent processing;
- the data shall be correct and accurate, and subject to updates when necessary; and
- the data shall not remain in a form that allows the data subject to be identified after the completion of the purpose for collection or for which subsequent processing is performed. Data that are stored for longer periods for historical, statistical, or scientific purposes shall be kept in an anonymised format by putting them in a form that does not enable such data to be related to the owner. Furthermore, it shall be ensured that it is not possible to decode the identity of the owners of the data (Article 3 of the Law).
7. CONTROLLER AND PROCESSOR OBLIGATIONS
The Law imposes further responsibilities and obligations on data controllers including:
- ensuring the safety of processing by applying adequate levels of security and technical measures to avoid the unintended destruction, unauthorised access, alteration, loss of data, and protecting data from other forms of processing;
- ensuring that the data processor is applying adequate safeguards to data, and verifying that the data processor conducts processing in accordance with the data processing agreement entered into by the data controller and the data processor;
- maintaining the confidentiality of personal data. Data controllers are prohibited at all times from disclosing any data without the consent of the data subject or pursuant to an order of the court or the Public Prosecutor;
- complying with the provisions of the Law in connection with data processing;
- disclosing their identity to the data subjects, as well as the intended purpose of processing the data subject's data. In particular, the data controller must inform the data subject if their data is intended to be used for direct marketing purposes (the data subject having the right to object), and must update the data subject on the status of any data processing application; and
- receiving applications from the data subject to correct, block, erase, or withdraw their processed data.
The data processor is required to process data in accordance with the terms of the written agreement between the data controller and the data processor and shall only process data in accordance with the instructions of the data controller. The same duties and obligations that are applicable to data controllers with respect to confidentiality and data security are applicable to data processors.
The data controller is required to notify the Authority before the commencement of data processing which is automated in whole or in part, and the notifications received will be entered into the register of notifications and permits, which is maintained by the Authority.
The Authority will issue a decision specifying the procedures and regulations governing the notice; in any event, the notice shall contain the following information:
- the name and address of the data controller and the data processor;
- the purpose of processing;
- a data description and statement of the categories of data subjects and recipients of the data or their categories;
- any data transfers intended to be carried out to a country or territory outside the Kingdom of Bahrain; and
- a statement that enables the Authority to assess in principle the appropriateness of the measures available to meet the safety requirements (outlined in section 6 below).
The data controller may be exempt from the notification requirement in the following circumstances:
- where the sole purpose of data processing is to maintain a record in accordance with the Law in order to provide information to the public, whether access to the information is available to the public as a whole or limited to concerned parties;
- processing of data in the context of the activities of various associations, trade unions, and other non-profit organisations;
- where an employer is processing the data of their employees within the limits necessary to carry out its functions related to the employment, to organise the employees' employment affairs, or to exercise the rights regarding data processing outlined under the Labour Law and to protect the rights of the employees; and
- in cases where a DPO is appointed (as explained in section 10 below).
The Authority may contact the data controller within ten days of receipt of the notification in order to request the data controller to address any shortfalls in the information contained in the notice. Such a shortfall is required to be remedied within 15 days from the date of the request, and the data controller is required to stop data processing until the shortfall is addressed.
Any notification that is not completed after receipt of the request outlined above may be struck off the Authority's register following a reasoned decision issued by the Authority. The data controller will be notified of that decision upon its issuance.
A permit from the Authority is required for data processing under the following circumstances:
- automatic processing of sensitive personal data in the case where neither the data subject nor their guardian is legally able to give consent;
- automatic processing of biometric data used for identification;
- automatic processing of genetic data, except for processing done by doctors and specialists in a licensed medical facility and necessary for medicine and healthcare-related purposes;
- automatic processing involving the linking of personal data files of two or more data controllers handled by them for different purposes; and
- processing of data which is an optical recording and may be used for monitoring purposes.
The Authority shall issue a decision outlining the requirements that should be complied with in order to obtain a permit to process data for any of the abovementioned forms of data processing. The Authority will contact the data controller within 30 days of receiving the permit application. Failure to receive any response from the Authority will constitute an implicit rejection.
It is worth noting that the abovementioned notification requirements are applicable to automated processing of data only.
The Law sets a general prohibition on transferring personal data outside the Kingdom of Bahrain. However, there are two exclusions under which the transfer of data outside Bahrain is allowed:
- the Authority shall issue a statement published in the Official Gazette containing a list of countries and territories to which data transfers are permissible. The Authority will issue such a list after taking into consideration territories which have applicable data protection legislation and regulations that are deemed satisfactory to an extent which ensures to the Authority the adequacy of the protection provided by the laws and regulations of the said territories; and
- the Authority may authorise the transfer of data on a case-by-case basis after assessing the circumstances surrounding the data transfer. The Authority will mainly consider the size and nature of the data and the purposes of the transfer thereof, and the data protection laws, regulations, or international conventions applicable in the territory to which data will be transferred. The authorisation will be subject to the discretion of the Authority, as the Authority may set specific conditions and time periods for such authorisation.
The Law imposes further responsibilities and obligations on data controllers including keeping records of data processing activities and providing the Authority with an updated copy of the records once a month (in the absence of a DPO).
The Law does not specifically address Data Protection Impact Assessments.
There is no requirement for the compulsory appointment of DPOs under the Law. The Law suggests that the Authority may issue a decision which requires certain categories of data controllers to appoint a DPO.
The main duties of DPOs revolve around the supervision of data controllers and ensuring that data processing is being conducted in compliance with the provisions of the Law. The Law outlines the duties and responsibilities of DPOs as follows:
- assisting data controllers in exercising their rights and duties in accordance with the Law;
- acting as an intermediary between the Authority and data controllers with respect to their compliance with the provisions of the Law, and notifying the Authority with any evidenced violations or shortfalls by data controllers that have not been rectified;
- verifying the data controller's compliance with the provisions of the Law regarding processing data and notifying data controllers to rectify any violations;
- keeping records of the data controller's data processing activities and updating the Authority with a copy of such records once a month; and
- conducting their duties in an independent and impartial manner.
DPOs are required to enrol in the Authority's Register of DPOs ('the Register') in order to be accredited to assume the role of DPOs. In addition, DPOs are required to renew their registration annually for a fee.
The Authority shall issue a decision regulating the work of DPOs and specify the conditions that must be met by those who are to be registered in the Register, registration procedures, the validity, the renewal period, as well as determining the costs of renewal fees.
The Law imposes an obligation on DPOs to notify the Authority of any violation or breach committed by the data controller once ten days have elapsed from the date of the incident, and to rectify the breach if the data controller has not already done so.
Data subjects are entitled to request from the data controller the removal, erasure, or withdrawal of their data.
There are no specific regulations governing the data of children/minors under the Law. However, the Law requires that, where consent is required from a person who is not legally competent to give it (such as a minor or a person who lacks legal capacity), the consent of their guardian or custodian be obtained.
Kindly note that the age of consent under the laws of the Kingdom of Bahrain is generally 21 years. In the context of commercial dealings, the age of consent is 18 years as per the specific provision provided under Article 10 of the Law of Commerce No. 7/1987.
The Law provides exceptions for processing sensitive personal data without obtaining the written consent of the data subjects, including where:
- the processing is required by the data controllers for their duties and the exercise of their legally prescribed rights in the field of labour relations that binds them to their employees;
- the processing is necessary to protect any person if the data subject, their custodian, guardian, or trustee is not legally able to give their consent, and is subject to obtaining prior permission from the Authority;
- the processed data was provided by the data subject to the public;
- the processing is necessary to initiate or defend any legal rights claim, including what is required in preparation for the matter; and/or
- the processing is necessary for the purposes of preventive medicine, medical diagnosis, provisions of health care, treatment, or management of health care services by a licensed medical practitioner or any person legally bound to maintain confidentiality.
The Law imposes further responsibilities and obligations on data controllers including complying with the decisions of the Authority with respect to the rules and procedures of processing sensitive personal data.
The Law suggests that the data processor and the data controller shall be bound by a written contractual agreement. Such an agreement should state that the data processor shall only conduct data processing in accordance with the instructions of the data controller and shall bind the data processor with the same duties and obligations as the data controller with regards to data confidentiality and security.
The Law provides that the data controller and the DPO, where appointed, shall be held liable for any damage suffered by the data subjects in connection with the processing of their information, and the data processor will not be held personally liable towards the data subjects for such compensation. We are of the view that the Law has adopted this approach because data processors are most likely employed by the data controller and they are prohibited from conducting any processing beyond the scope of the data controller's instructions.
8. DATA SUBJECT RIGHTS
The Law grants data subjects the following rights:
- to be informed by the data controller when their data is being processed; and
- to be informed of the data controller's full name, scope of activity or profession, address, the purposes for which data is intended to be processed, and any other necessary information, depending on the circumstances of each case, in order to ensure fair processing for the data subject.
The Law does not explicitly provide for the right to access.
The Law provides data subjects with the right to correct their processed data at any time by sending a written application to the data controller.
The Law provides data subjects with the right to erase their personal data at any time by sending a written application to the data controller.
The Law grants data subjects the following rights:
- to object to the use of their personal data for direct marketing or making the data publicly available; and
- to object to processing causing material or psychological damage to the data subject or others.
The Law does not explicitly provide for the right to data portability.
Where data processing is used to assess the data subject's performance, financial position, creditworthiness, behaviour, or reliability, the Law provides that the data subject may request a different approach, so as not to render their assessment solely dependent on the automatic processing of data.
The Law also provides data subjects with the following rights:
- to have their data stored in a manner that does not make them identifiable or, where it is impossible to store the data in such a manner, to have their identity encrypted;
- to have their data protected and not disclosed to any unauthorised party without their consent; and
- to block or withdraw their processed data at any time by sending a written application to the data controller.
In terms of civil liability, the Law suggests that anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if such processing breaches the provisions of the Law.
With regards to criminal penalties, the Law suggests that a sentence of imprisonment not exceeding one year and a fine of not less than BD 1,000 (approx. €2,258) and not more than BD 20,000 (approx. €45,156), or either of these penalties may be imposed on any person who commits any of the following:
- processes personal or sensitive personal data without obtaining the consent of the data subject, or does so without notifying the Authority in advance;
- transfers data outside the Kingdom of Bahrain without obtaining the approval of the Authority or the consent of the data subject;
- provides the Authority or data subjects with false information that contradicts the records maintained regarding data processing;
- withholds any information or data that is required to be submitted to the Authority, or prevents the Authority from accessing such data;
- disrupts the Authority's inspections or investigations; or
- discloses, for their personal benefit, any information available to them by virtue of their work.
Please note that if the perpetrator of any of the above is a corporate legal person, the fine may be increased up to twice the fine prescribed for a natural person.
Without prejudice to the penalties provided for under the Law, the Penal Code, 1976 ('the Penal Code') states that 'A punishment of imprisonment for a period not exceeding one year or a fine not exceeding BD 100 (approx. €226) shall be inflicted on a person who divulges a secret entrusted thereto in their official capacity, trade, profession, or art in conditions other than those prescribed by the law or uses it for his personal benefit or for the benefit of another person unless the person concerned with the secret allows the divulgence or use thereof.'
Please note that before the enforcement of the Law, the abovementioned punishment provided under the Penal Code shall apply to any person who discloses personal data to another party for processing purposes, as we are of the view that such data qualifies as a secret.