There is currently no standalone data protection law in Bahrain. A draft is under review before Parliament but has not yet been officially finalised or published.
Notwithstanding the above, provisions relating to data protection are generally captured in a number of laws in Bahrain and these suggest that consent from data subjects is required to process and transfer their personal data:
- Constitution of Bahrain 2002 (the ‘Constitution’) protects citizens' rights to privacy as it contains provisions on confidentiality relating to postal, telegraphic, telephonic and electronic communications
- Amiri Decree No. 15 of 1976 with respect to the Penal Code (the ‘Penal Code’) protects individuals' right to privacy as it contains provisions on the sanctions against those who disclose information without the consent of the concerned person
- Legislative Decree No. 9 of 1984 with respect to Central Population Register (the ‘Central Population Register Law’) prohibits divulging demographic information and imposes sanctions against those who disclose information without the consent from the concerned person
- Legislative Decree No. 28 of 2002 with respect to Electronic Transactions (the ‘Electronic Transactions Law’) contains provisions protecting the confidentiality of electronic records
- Legislative Decree No. 48 of 2002 with respect to the Telecommunications Law (the ‘Telecommunications Law’) prohibits divulging of any confidential information
- Decree No. 64 of 2006 with respect to the Central Bank of Bahrain and Financial Institutions Law (the ‘CBB Law’) contains provisions relating to confidential information and disclosing such information
- Resolution No. 8 of 2009 with respect to Licensees to implement Lawful Access (the ‘Lawful Access Regulation’) contains provisions protecting the subscriber's right to privacy in the telecommunications services domain
- Consumer Protection Guidelines Reference No. CCA/1112/451 (29 December 2011) (the ‘Consumer Protection Guidelines’) contains provisions on consumers' privacy relating to personal information and calling patterns
- Law No. 35 of 2012 with respect to Consumer Protection (the ‘Consumer Protection Law’) protects the consumer's privacy, including the right to have personal information maintained and not exploited for other purposes
- Law No. 36 of 2012 with respect to Labour Law in the Private Sector (the ‘Labour Law’) generally covers the right to privacy of employees' data
- Decree No. 16 of 2014 with respect to the Protection of Information and National Documents (the ‘Protection of Information and National Documents Law’) covers the importance of information relating to national security
- Resolution No. 3 of 2015 with respect to Bulk Messaging (the ‘Bulk Messaging Regulation’) protects recipients from unsolicited and solicited messages
- Law No. 60 of 2014 with respect to Information Technology Crimes (the ‘Information Technology Crimes Law’) mentions the penalties of unlawful taping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system
- The Central Bank of Bahrain Rulebook (the ‘CBB Rulebook’) contains provisions relating to customer confidentiality during outsourced services and activities.
Definition of personal data
There is no single definition of personal data under Bahrain laws as each law defines personal data differently. The definition of personal data is captured in the following laws:
The Labour Law defines employees' personal data as:
- The employee’s name, age, ID number, marital status, house address, and nationality
- Job or occupation and qualification and experiences
- Date of employment, current wage, and all modifications to this wage
- Leave taken and sanctions imposed
- The date of termination of service and the reasons thereof
- Minutes of the investigations conducted with the employee, and
- Supervisors’ reports on the level of the employee's performance in accordance with regulations in force at the place of work, together with any other papers related to the employee’s service
The Central Population Register Law defines demographic information relating to personal data as:
- House address
- Place and date of birth
- Marital status
- Parents' or spouse's ID number
- Educational qualification, and
The CBB Law defines personal information as:
- House address
- Email address, and
- Phone number
Furthermore, the CBB Law defines confidential information as any information relating to private affairs of any licensee's customers.
Definition of sensitive personal data
There is no specific definition of sensitive personal data.
There is no authority which is specifically responsible for data protection. However, the Information and e-Government Authority holds demographic and census information, facilitates communications between all government entities, and controls these communications.
There is no requirement in Bahrain for organisations to appoint data protection officers.
Generally consent is obtained from the individuals when collecting and processing their personal data, in order to avoid any breach of privacy and confidentiality provisions mentioned under Bahrain laws. In certain circumstances, the relevant government authority may waive the requirement for an individual's consent.
Subject to the Information and e-Government Authority's approval, the Central Population Register Law gives the right for any governmental or non-governmental bodies to obtain demographic information for its interests or for purposes of fulfilling the requirements of its activities.
The Electronic Transactions Law states that, as long as consent is obtained from the user or subject, and provided such information does not give rise to civil or criminal liability, a network intermediary has the right to transmit, send, receive, or store an electronic record or provide other services with respect to that electronic record. Except in respect of public bodies, the necessary consent may be implicitly given through a positive action.
The Consumer Protection Guidelines state that licensed operators should obtain a subscriber's express permission before publishing the subscriber's information or providing it to another licensed operator.
For entities regulated by the CBB, the CBB Rulebook contains provisions on outsourcing activities in the Operational Risk Management section whereby the licensees must ensure that the outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality.
The data controller must implement adequate security measures in order to ensure national security and to protect the user's or subject's personal data from misuse, modification, or unauthorised access or disclosure.
For entities regulated by the CBB, the CBB Rulebook obliges entities to notify the CBB when there is a breach in data protection.
For entities regulated by the Electronic Transactions Law, in the event of a data breach, help may be sought from named officers of the Ministry of Industry, Commerce and Tourism in order to gain more protection.
Mandatory breach notification
There is no mandatory notification required in the event of a data breach.
The law is enforced when the affected party submits a claim to the competent court in Bahrain. However, there is no formal reporting of court decisions in Bahrain and courts do not rely on a formal system of precedent. This can lead to an increased level of unpredictability in litigious matters.
Electronic marketing in Bahrain is subject to the Consumer Protection Guidelines, the Lawful Access Regulation and the Bulk Messaging Regulation established by the Telecommunications Regulatory Authority.
According to the Consumer Protection Guidelines, licensed operators are expected to protect consumers from unwanted, offensive, unsolicited or illegal electronic solicited messages, including live voice solicitations, artificial pre-recorded voice advertisements, electronic mail, electronic wireless messages (e.g. short text messages and multimedia messages) and facsimile messages.
According to the Lawful Access Regulation, a licensee may access the subscriber's information for marketing purposes or to provide value added services to its subscribers only after obtaining consent from the subscriber.
The Bulk Messaging Regulation regulates solicited and unsolicited messaging. Opt-out principles are adopted whereby text messages are only sent to recipients who have expressly consented to the receipt of the message. Texts may only be sent between 9 am and 8 pm. Licensed operators will take appropriate measures to reduce the number of unsolicited bulk messages which are sent over their telecommunications networks by non-contracted sources.