DLA Piper Intelligence

Data Protection
Laws of the World

Law
Bahrain

Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (Data Protection Law) on July 12, 2018. The Data Protection Law will be the main data protection regulation in Bahrain when it goes into force on August 1, 2019, and will supersede any law with contradictory provisions.

Notwithstanding the foregoing, Bahrain has a number of laws with provisions relating to data protection, including:

  • Constitution of Bahrain 2002, provides citizens with a right to privacy, including confidentiality relating to postal, telegraphic, telephone and electronic communications
  • Amiri Decree No. 15 of 1976 with respect to the Penal Code, protects individuals’ right to privacy with provisions allowing sanctions against those who disclose information without consent from the concerned person
  • Legislative Decree No. 9 of 1984 with respect to Central Population Register, prohibits divulging demographic information and imposes sanctions against those who disclose information without the consent from the concerned person
  • Legislative Decree No. 54 of 2018 with respect to Electronic Letters and Transactions, which will come into force on February 1, 2019, protects the confidentiality of electronic records
  • Legislative Decree No. 48 of 2002 with respect to Telecommunications, prohibits divulging confidential information
  • Decree No. 64 of 2006 with respect to the Central Bank of Bahrain and Financial Institutions Law, contains provisions relating to confidential information and disclosing such information
  • Resolution No. 8 of 2009 with respect to Licensees to implement Lawful Access, protects the subscriber's right to privacy in the telecommunications services domain
  • Consumer Protection Guidelines Reference No. CCA/1112/451 (December 29, 2011), contains provisions on consumer privacy relating to personal information and calling patterns
  • Law No. 35 of 2012 with respect to Consumer Protection, protects consumer privacy to maintain personal information and keep it from being exploited for other purposes
  • Law No. 36 of 2012 with respect to Labour Law in the Private Sector, provides a right to privacy for employee data
  • Decree No. 16 of 2014 with respect to the Protection of Information and National Documents, covers the importance of information relating to national security
  • Resolution No. 3 of 2015 with respect to Bulk Messaging, protects recipients from unsolicited and solicited messages
  • Law No. 60 of 2014 with respect to Information Technology Crimes, sets out the penalties for unlawfully taping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system
  • The Central Bank of Bahrain Rulebook, contains provisions relating to customer confidentiality during outsourced services and activities

Last modified 28 Jan 2019
Definitions

Definition of personal data

Personal data is defined under the Data Protection Law as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity.

Definition of sensitive personal data

Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual's race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Sensitive personal data requires more rigorous treatment by data controllers.

Authority

Under the Data Protection Law, Bahrain will have a new data protection authority, known as the Personal Data Protection Authority (Authority). The Authority will have power to investigate violations of the Data Protection Law on its own, at the request of the responsible Minister, or in response to a complaint.

The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also available to any individual who has incurred damage arising from the processing of their personal data by the data controller, or from a violation of the provisions of the Data Protection Law by a business's data protection officer. Finally, the feature of this law most concerning for businesses is that it carries criminal penalties for violations of certain provisions.

Registration

The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must be registered in that register.

Data Protection Officers

Data controllers may voluntarily appoint a data protection officer. The Authority's Board of Directors may also issue a decision requiring specific categories of data controllers to appoint data protection officers. However, in all instances, the data controller must notify the Authority of such an appointment within three days of its occurrence.

A data protection officer must help the data controller exercise its rights and fulfil its obligations under the Data Protection Law. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the Data Protection Law, notifying the Authority of any violations of the Data Protection Law that the data protection officer becomes aware of, and maintaining a register of the processing operations that the data controller must notify to the Authority.

Collection & Processing

Processing is defined under the Data Protection Law as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.

Processing of personal data can only occur with the consent of the data subject (also referred to as the data owner), unless the processing is necessary:

  • To implement a contract to which the data subject is a party
  • To take steps at the request of the data subject to conclude a contract
  • To implement a non-contractual obligation required by law or an order from a competent court
  • To protect the vital interests of the data subject
  • To exercise the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject

Processing of sensitive personal data is also prohibited without the consent of the data subject, unless one of the exceptions in Article 5 of the Data Protection Law applies.

Data controllers are prohibited from processing the following personal data types without the prior written authorization of the Authority:

  • Automatic processing of sensitive personal data of persons who cannot provide consent
  • Automatic processing of biometric data
  • Automatic processing of genetic data (except for treatment provided by physicians and specialists at a licensed medical establishment, where the treatment is necessary for purposes of preventative medicine or diagnostic medicine, or for the provision of treatment or healthcare)
  • Automatic processing that entails the connection of personal data files that are in the possession of two or more data controllers that are processing personal data for different purposes
  • Processing that consists of visual recording to be used for monitoring purposes

Transfer

Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries must be listed by the Authority and published in the Official Gazette.

Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:

  • The data subject has consented to the transfer
  • The data is from a public register
  • The transfer is necessary for:
    • Executing a contract between the data subject and data controller, or taking preceding steps at the data subject's request for the purpose of concluding the contract
    • Executing or concluding a contract between the data controller and a third party for the benefit of the data subject
    • Protecting the data subject's vital interests
    • Fulfilling a non-contractual obligation imposed by law, or an order of the court, public prosecution, an investigating judge or military prosecution, or
    • Preparing, executing or defending a legal claim

Transfers can also be made with the permission of the Authority, issued on a case-by-case basis, if it deems that the data will be sufficiently protected.

Security

The Data Protection Law requires that data controllers apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.

The Data Protection Law requires the Authority's Board of Directors to issue a decision specifying the terms and conditions that the technical and organizational measures must satisfy. The decision may impose special security requirements on specific activities when personal data is processed.

Data controllers must also use data processors who will provide sufficient guarantees about applying the technical and organizational measures that must be adhered to when processing the data. Data controllers must also take reasonable steps to verify that data processors comply with these measures.

Breach Notification

The Data Protection Law contains a general requirement for the data protection officer to notify the Authority of any breach of the Data Protection Law of which the data protection officer becomes aware.

Mandatory breach notification

Under the Data Protection Law, there is no mandatory data breach notification provision requiring data controllers to notify the Authority or data subject in the event that there is a breach of personal data held by the data controller.

Enforcement

The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data controller, or arising from the data protection officer's violation of the Data Protection Law. Appeals can be made against decisions of the Authority.

The Data Protection Law also carries a range of criminal penalties and administrative fines for violating certain provisions.

Criminal penalties of imprisonment for not more than one year and / or a fine of between BHD1,000 (US$2,645) and BHD20,000 (US$52,910) can be imposed on any individual who:

  • Processes sensitive personal data in violation of the Data Protection Law
  • Transfers personal data outside Bahrain to a country or region in violation of the Data Protection Law
  • Processes personal data without notifying the Authority
  • Fails to notify the Authority of any change made to the data of which they have notified the Authority
  • Processes certain personal data without prior authorization from the Authority
  • Submits to the Authority or the data subject false or misleading data, contrary to what is established in the records, data or documents at their disposal
  • Withholds from the Authority any data, information, records or documents which they should provide to the Authority, or fails to enable the Authority to review them in order to perform its functions under the Data Protection Law
  • Hinders or suspends the work of the Authority's inspectors or any investigation which the Authority intends to conduct
  • Discloses any data or information to which they have access by reason of their job, or uses it for their own benefit or the benefit of others, unreasonably and in violation of the provisions of the Data Protection Law

Electronic Marketing

Under the Data Protection Law, data controllers must notify the data subject, when data is collected directly or indirectly, of whether the data will be used for direct marketing purposes. Notice is important because it alerts data subjects to their right to object to any direct marketing relating to their personal data.

Online Privacy

There is no specific online privacy regulation in Bahrain.
Contacts

Mohamed Toorani
Legal Director - Head of Bahrain Office
T +973 1 755 0896

Noor Buhusayen
Legal Consultant
T +973 1 755 0893

Lulwa Alzain
Trainee Legal Consultant
T +973 1 755 0891