There is a reason why we lock our houses and rent safety deposit boxes at the banks, and that is security!
Similarly, as the world is moving towards digitalization, majority of our personal information is collected, processed, and stored online as well as offline. This creates a special need for laws that specifically focus on protecting personal data.
The Kingdom of Bahrain issued Law No. 30 of 2018 – The Personal Data Protection Law (“PDPL”) on July 12, 2018, which has come into force on August 1, 2019, and supersedes any law with conflicting provisions.
With that said, the provisions of the PDPL have not yet taken effect, since the formation of the Personal Data Protection Authority (“PDPL Authority”) is still in process, and the Board of Directors of the PDPL Authority is to issue the implementing regulations subsequent to its formation. Thus, the PDPL Authority shall be responsible for ensuring successful compliance and implementation of the PDPL.
The PDPL aims to ensure that sensitive data (“Data”) is not used without the prior consent of the “Data Owner” and that the Data Owner has the right to withdraw such consent at any time. It shall further safeguard the security of the Data covered by providing standards of collection, processing and storage. Non-compliance of the same can lead to penalties which can be administrative and/or criminal in nature.
2. Scope and Applicability of PDPL
Data covered in the ambit of PDPL is broadly categorized into two categories i.e. “Personal data” and “Sensitive data” which are defined as:
Personal Data – “any information of any kind that relates to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or their physical, physiological, intellectual, cultural or economic characteristics or social identity.”
Sensitive Data – “any personal information which indirectly or directly reveals the individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life.”
The PDPL shall apply to the following entities/individuals:
- individual Bahraini residents or individuals with a workplace in Bahrain;
- business established in Bahrain; and
- any business established outside Bahrain, but processes Personal Data or Sensitive Data by means available within Bahrain, other than for transitional purposes (In this case, such businesses shall be obliged to appoint an authorized representative in Bahrain)
3. Duties of a Data Manager
In accordance with the PDPL a “Data Manager” is a person who decides individually or in association with others, the purposes and means of processing the Data. The key obligations of the Data Manager include:
- seeking consent of the Data Owner for the processing of the Data;
- ensuring that adequate safety measures are taken while selecting a Data Processor;
- executing a written agreement with the Data Processor;
- maintaining a of record in case they opt out of appointing a data protection controller; and
- seeking authorization from the PDPL Authority in case required under the PDPL.
4. Consent of the Data and their rights
- It is mandatory to take a valid, written and explicit consent of the Data Owner for processing the Data by the Data Manager except as provided otherwise under the law (example journalistic or literary purposes). The Data Managers are required to ensure that the consent of the Data Owners is:
- in writing, explicit and clear; and
- issued by an individual of full eligibility;
- issued based upon the Data Owner’s free will and consent after being fully briefed on the purpose/purposes of processing the data, and, where appropriate, inform them of the consequences of their disagreement.
- In case the Data Owner is incompetent or incapacitated, the consent of their guardian or guardians must be taken in accordance with the conditions referred hereinabove above.
- The Data Owner also has the right to withdraw the consent. The procedures for submitting the withdrawal request and the Data Manager’s decision on the requests of withdrawal will be issued by the PDPL Authority.
- Interestingly, the processing of Data is contingent on the consent of the Data Owner, except:
- to be informed of any processing of the Data;
- to object the direct marketing of the Data or any processing which may harm/distress the Data Owner or others;
- to object the decisions based upon automated processing of the Data;
- to demand correction, blocking, surveying or erasing the Data; and
- the right to file a complaint with the PDPL Authority.
5. Processing of the Data
It interesting to note that the processing of the Data shall be contingent on the consent of the Data Owner except:
- as specified under the law; or
- where it is necessary for the implementation of a contract that the Data Owner is a party to; or
- to take steps requested by the Data Owner to conclude a contract; or
- to implement an obligation required by law; or
- to protect vital interest of the Data Owner.
Separately, an exhaustive list of Data is prescribed, processing of which shall require prior written authorization of the PDPL Authority.
6. Data Protection Supervisor
It is noteworthy that pursuant to the PDPL a “Data Protection Supervisor” may be appointed voluntarily by the Data Manager, however, it is also possible for the PDPL Authority to later issue a decision that requires certain categories of Data Managers to mandatorily hire a Data Protection Supervisor. In all cases, when the Data Protection Supervisor is appointed, the Data Manager must inform the PDPL Authority of the appointment within three days of it taking place. Once registered in the PDPL Authority’s register, the Data Protection Supervisor becomes accredited.
The Data Protection Supervisor shall be responsible to undertake the following duties:
- coordinate between the PDPL Authority and the Data Manager regarding the processing of Personal Data;
- verify that the Data Manager processes the data in accordance with the provisions of this law and notify the Data Manager immediately to remove any violation or make the necessary correction as soon as possible;
- notify the PDPL Authority of any violations of the PDPL that the supervisor becomes aware of; and
- maintain a record of the processing operations that the Data Manager must notify the PDPL Authority about.
7. Data Collection Record
In case a Data Protection Supervisor is not appointed, the Data Manager is obliged to keep a record of the processing operations. This will be in the form of a “notification”. This notification shall include in particular the following details:
- the name and address of the Data Manager, and the data processor, if any;
- purpose of treatment;
- data description and statement of categories of Data Owners and recipients of these data or their categories;
- any transfer of data to a country or territory outside the Kingdom intended to be carried out; and
- a statement that enables the PDPL Authority to assess in principle the adequacy of the measures available to meet the safety requirements.
The Data Managers must inform the PDPL Authority about any changes in the information provided. The PDPL Authority shall maintain a register called the “Register of Notifications and Permits” which shall contain the notifications and any changes.
8. Cross-border transfer of data
Generally, the transfer of data from the territory of Bahrain is prohibited unless it is transferred to a country which has enforced adequate protection of Personal Data. Further, such transfer is permitted under the following scenarios:
- in case the Data Owner has agreed to the transfer;
- if the data is derived from a record created in accordance with the law;
- if the transfer is necessary for:
- implementation of a contract between the Data Owner and Data Manager, or taking preceding steps at the Data Owner’s request for the purpose of concluding the contract;
- conclusion of a contract between the Data Manager and a third party for the benefit of the Data Owner;
- protecting the vital interests of the Data Owner;
- satisfying an obligation imposed by law; and
- in preparation, execution or defense against a legal claim.
In case of non-compliance with PDPL, depending upon the non-compliance the PDPL Authority may impose a criminal penalty for an offence like processing of Data outside Bahrain of up to BD 20 or imprisonment up to one year.
Further, an administrative penalty may be imposed for other offences which can reach up to BD 20,000 or a daily penalty of up to BD 1,000 (subject to increase based on the repetition of the offence).
Note – The capitalized term shall have the same meaning as prescribed under the Law issued Law No. 30 of 2018 -The Personal Data Protection.