Bahrain has taken a proactive approach towards data protection, being one of the first countries in the MENA region to issue standalone data protection legislation, with the Personal Data Protection Law No. 30 of 2018 (PDPL), which came into force on August 1, 2019. The PDPL is modelled on the EU’s General Data Protection Regulation (EU GDPR) and applies to any personal data collected by any means from or within the country. The PDPL aligns the kingdom with internationally recognised data protection standards and best practices, and reflects its response to the rise of cybercrime and data leaks in the region following the onset of the Covid-19 pandemic, in addition to promoting the country’s growing reputation as a regional data centre.
The PDPL also created the Personal Data Protection Authority (PDPA), the primary regulatory body responsible for supervising compliance with the PDPL. The authority is one of the first of its kind in the GCC, and holds wide powers to issue authorisations, investigate complaints and sanction breaches of the law.
Framework
Bahrain supplemented the PDPL with a series of accompanying resolutions in March 2022 to provide detailed guidance on transferring personal data outside of Bahrain, the minimum acceptable technical and organisational measures to protect personal data, notification procedures for data breaches, the processing of sensitive personal data, the appointment of data protection guardians (DPGs), data subject rights, complaints, criminal claims and public registers. Specifically, the accompanying resolutions introduce:
• A list of 83 countries Bahrain deems as providing an adequate level of data protection as enshrined in its local law. The transfer of personal data to countries on this list is unrestricted, so long as all other obligations under the PDPL and resolutions have been met;
• A framework of the minimum technical and organisational measures to be implemented by all persons collecting personal data, drawing on such EU GDPR concepts as privacy by design, data impact assessments, employee data protection training and strict breach notification requirements;
• The conditions for appointing external or internal DPGs, required qualifications, notifications following appointments, the DPG register and associated fees;
• The necessary elements of valid data subject consent and the invalidity of consent obtained by way of cookie walls; and
• The eligibility of concerned and capable persons to submit complaints of PDPL breaches to the PDPA, whether they are a relevant data subject or not.
Compliance
Given the scope of the updated measures introduced by the PDPL, it will be critical for all entities collecting data from or within Bahrain to prioritise the new data protection obligations to avoid the penalties thereunder, which include significant fines, potential criminal liability as well as terms of imprisonment for severe breaches. As a first step, organisations must ensure appropriate internal controls are introduced and enforced, employee training is undertaken, required notifications to the PDPA are made, and appropriate procedures for the collection, storage and retention of personal data are implemented as soon as possible.
The new obligations and resolutions under the PDPL are an important step in Bahrain’s recognition and protection of its resident data subjects’ rights. These measures have facilitated the free movement of personal data between the kingdom and those countries with equivalent data protection policies, leading to increased confidence and interoperability between organisations doing business in these jurisdictions. This, in turn, has reinforced the country’s image as an attractive and reliable place to invest and conduct business, especially for those operations in which the collection and movement of personal data is necessary.