The Personal Data Protection Law, Data Privacy in Bahrain

The Personal Data Protection Law No. (30) of 2018 or the PDPL for short is a Bahraini data protection law that was recently passed in 2019. As one of only a handful of comprehensive data protection laws to be passed in the Middle East, a large reason for the enacting of the PDPL was Amazon Web Services or AWS’s plan to open massive data centers within the country by the end of 2019. Furthermore, the PDPL is the first law within the Kingdom of Bahrain to be passed that pertains strictly to data protection, as the data protection framework within the country was limited to other Bahraini legislation that governed the concept indirectly. As such, the PDPL outlines various requirements and mandates in relation to the personal data and information that is collected and processed within the country.

What is the Scope and Application of the PDPL?

In terms of scope and applicability, the provisions of the PDPL apply to “any natural person who normally resides in Bahrain or has a place of business in Bahrain, any legal person who has a place of business in Bahrain, and any natural or legal person who processes data using means available in Bahrain, unless the purpose of such data processing is only for transit through Bahrain”. What’s more, the PDPL also contains extraterritorial applicability in situations where a “every natural or legal person who does not normally reside in Bahrain and has no place of business in Bahrain but processes data using means available in Bahrain, unless the purpose of using such means is merely to transfer data through Bahrain”.

What are the requirements of business entities and organizations under the PDPL?

Under the PDPL, individuals, business entities, and organizations who collect, process, or disclose the personal information of Bahraini citizens must adhere to a variety of obligations and responsibilities. These obligations and responsibilities include:

• Ensuring the safety of data processing by appropriate and adequate levels of security, as well as technical measures for the purposes of avoiding the unauthorized access, alteration, loss, or destruction of personal information, as well as the protection of said information from other forms of processing.
• Ensuring that data processors apply adequate safeguards to personal information, including verifying that data processors conduct said data processing activities in accordance with the data processing rules agreements that both data controllers and processors must comply with.
• Ensuring that the confidentiality of personal information is maintained at all times. Data controllers are also prohibited from disclosing the personal information of a data subject, unless the said data subject consents to this disclosure, or the disclosure is pursuant to an order of the court or the Public Prosecutor.
• Ensuring compliance with provisions of the law in relation to data processing activities.
• Ensuring that business entities, individuals, and organizations disclose their identities to data subjects, as well as the intended purpose for the processing of a data subject’s data. More specifically, data controllers must also inform data subjects if their personal information is intended to be used for direct marketing purposes, as well as provide data subjects with updates in relation to the status of their data processing applications.
• Ensuring that individuals, business entities, and organizations are able to receive applications from data subjects for the purposes of correcting, blocking, erasing, or withdrawing their processed personal information.

What are the rights of data subjects under the PDPL?

Under the PDPL, Bahraini citizens are afforded a litany of rights in relation to both their privacy and the protection of the personal information they share with data controllers. These various rights include the following:

• The right to be informed– Data subjects have the right to be informed by a data controller concerning whether or not their data is being processed, the data controller’s full name, profession or scope of activity, the purposes for which their personal data is to be processed, as well as any other necessary or pertinent information, based upon the individual circumstances of each case, in order to ensure that fair data processing occurs at all times.
• The right to rectification– Data subjects have the right to request that a data controller correct their personal information at any time by submitting a written application to said data controller.
• The right to erasure– Data subjects have the right to request a data controller erase their personal information at any time by submitting a written application to said data controller.
• The right to object or opt-out- Data subjects have the right to object to both the use of their personal information for direct marketing purposes and data processing activities that may lead to material or psychological damage to either themselves or others, as well having their personal information made publicly available.
• The right not to be subject to automatic decision making– Data subjects have the right to object to the use of automatic decision making in relation to data processing in instances where data processing is used to assess a data subject’s performance, creditworthiness, financial position, reliability, or behavior.
• Other rights– Data subjects also have the right to have their personal information stored in a manner that does not make them identifiable, or have their identity encrypted if this is found to be impossible. Moreover, data subjects also maintain the right to have their personal information protected at all times, deny any disclosure of their personal information to unauthorized persons or parties without their consent, and the right to block or withdraw access to their personal information at any time by sending a written request to a data controller.

What are the penalties for violating the PDPL?

Business entities, organizations, and individuals who are found to be in violation of the PDPL are subject to both criminal and civil penalties. In terms of civil penalties, data subjects retain the right under the law to bring civil liability cases against data controllers who they feel have violated their privacy under the law. Alternatively, data controllers who are found to be in violation of the law are also subject to criminal penalties ranging from BD 1,000 (,636) to BD 20,000 (,735) for each individual offense.

As the Middle East is a region that does not have substantial regulation regarding data privacy, the PDPL is in many ways a groundbreaking law. As the PDPL was drafted and subsequently passed to offer Bahraini citizens a similar level of protection as the EU’s General Data Protection Regulation or GDPR, Bahrain is redefining what it means to protect an individual’s personal privacy within the Middle East. As such, many other countries around the region are sure to at least consider passing such laws in upcoming years, as countries all around the world are now connected in a way that has never been witnessed before in history due to the rise of online commerce and communication.