PDPL – Bahrain's data protection regime
The PDPL, as well as providing rights to individuals (referred to as Data Subjects), requires businesses in Bahrain to ensure that personal data is collected, processed and stored in a fair and secure manner.
Certain types of Personal Data are subject to additional obligations imposed on businesses. These include Personal Data directly or indirectly revealing an individual's racial or ethnic origin, political or philosophical opinions, religious beliefs, trade-union memberships, criminal records or any data on his or her health or sexual status, as well as any data that reveals or infers any such information (Sensitive Personal Data).
What are the obligations upon businesses?
Under the PDPL, the processing of Personal Data is classed as any operation or set of operations performed in relation to the Personal Data, whether or not by automatic means, such as collection, recording, organisation, categorisation, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination, transfer or otherwise making available, combination, blocking, erasure or destruction (Processing).
The PDPL applies to all persons (natural or legal) who determine the purposes and means of the Processing of Personal Data (a Data Manager) who:
- reside or have a place of business in Bahrain; or
- do not reside or have a place of business in Bahrain but who process Personal Data using means available in Bahrain in which case the Data Manager must appoint an authorised representative in Bahrain, unless the Data Manager's purpose is only to pass Personal Data through Bahrain.
Data Managers are only permitted to collect Personal Data for a purpose which is legitimate, specific and clear and to which they have received the consent of the Data Subject; such Processing must be conducted fairly and proportionately to the purpose for which the data is collected. There are certain circumstances in which the consent of the Data Subject is not required; however, a Data Manager needs to review its policies and practices to see whether it falls within these exceptions.
A Data Manager must notify the Personal Data Protection Authority (the Authority) prior to any Processing of Personal Data, unless one of the following applies:
- processing Personal Data with the sole purpose of maintaining a record required by the PDPL with the intention of making information available to the public, although access to the record may be limited;
- processing Personal Data of employees in order to carry out duties and responsibilities as an employer; or
- where a Data Protection Controller (as defined in the PDPL) is appointed.
A Data Manager must take technical and organisational measures to protect any Personal Data against unintentional disclosure, destruction, accidental loss, and unauthorised alteration or access.
Data Subjects must be notified of certain information by a Data Manager prior to the Processing of any Personal Data; this information includes:
- the purpose for which the Personal Data is to be Processed; and
- the rights of the Data Subject under the PDPL in respect of the right to request all information held by the Data Manager, the right to object to direct marketing and the right to object to Processing that causes harm.
As at the date of this article, the implementing regulations in respect of the PDPL have not yet been implemented, and certain obligations therefore cannot yet take effect; these include the following:
- the procedure by which a Data Manager is to notify the Authority prior to Processing of any Personal Data;
- the procedure by which a Data Manager requests written permission from the Authority to carry out automatic processing of certain categories of Personal Data;
- the technical specifications and organisational measures that the Authority deems are required to protect Personal Data under the PDPL;
- the special categories of Data Managers for which the Authority will require a Data Protection Controller to be appointed;
- the issuance of a 'white' list of countries which are considered as having sufficient protection of Personal Data in respect of transfers of Personal Data outside of Bahrain; and
- the procedure by which a Data Subject may withdraw its consent to Processing of its Personal Data.
The obligations under the PDPL that already have direct effect and do not require any further implementing regulations are as follows:
- notification to the Data Subject of their rights under the PDPL, including the right to submit a data access request and object to certain types of processing; and
- the requirement for there to be a written agreement with any third-party processor acting on behalf of the Data Manager.
Failure to comply with the above obligations does not attract criminal liability, but it does leave a Data Manager open to a claim from a Data Subject in respect of any loss arising from such failure.
The breach of any of the following obligations by a Data Manager may result in criminal sanctions:
- processing Sensitive Personal Data without the consent of the Data Subject, unless one of the exemptions applies;
- transfer of Personal Data outside of Bahrain to a jurisdiction that is not on the 'white' list or without the permission of the Authority, unless it falls within the exemptions listed in the PDPL; and
- the disclosure of any Personal Data in violation of the PDPL.
Who enforces the PDPL?
On 30 September 2019, pursuant to Decree No. 78 of 2019, it was announced that the Ministry of Justice, Islamic Affairs and Awqaf (MOJ) had been appointed as the interim authority for the purposes of the PDPL until the Authority has been established, its financial budget has been allocated and the relevant decrees have been issued. Until such time, the MOJ shall be responsible for the duties and powers under the PDPL reserved for the Board of Directors of the Authority.
The public prosecutor may proceed with such a prosecution without the Authority having been established.