The Kingdom of Bahrain enacted the Law Number 30 of 2018 i.e. the Personal Data Protection Law (the PDPL). Bahrain, under the PDPL, shall establish a Personal Data Protection Authority that would enforce this law and oversee the implementation and issues cropping out of it.
The law is applicable to individuals located and engaged in economic activities within the Kingdom of Bahrain as well as the PDPL provides for the liability nexus concept that individuals and organizations not situated in Bahrain but process or handles data related to Bahrain or uses any route of processing data through Bahrain.
The law follows defines the following main roles:
- data manager i.e. person with decision regarding use and means of data processing;
- data processor i.e. person who handles data for and on behalf of the data manager.
The PDPL defines “data or personal data” as information related to a specific individual with particular identifying mechanism such as personal ID number or physical, cultural or economic factors. Also, PDPL deals with concept of “sensitive personal data” that reveals whether directly or indirectly race, ethnicity, political affiliations, religious beliefs, union affiliation, criminal record or health or sexual life. The PDPL defines “processing” organization, collection, storage, retrieval or revelation of personal data in relation to any person or organization. Therefore, different restrictions are applicable to different categories of information.
The PDPL imposes civil or criminal liability as per different categories of the breaches. The Personal Data Protection Authority may impose administrative fines up to 20,000 BD. Individual data owners who have suffered a loss due to violation of the PDPL may file civil complaint in the Bahraini courts for compensation/damages from the offender/perpetrator. Furthermore, the criminal prosecution may result in imprisonment for up to 1 year plus fines of up to 20,000 BD.
The law aligns data protection regulation to global best practices in European Union and USA and also regulates the processing and transfer of data in Bahrain. Bahrain’s adoption of the PDPL reflects the trend among Gulf Cooperation Council (GCC) Nations for enhanced data protection due to incidents of espionages coming forth.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.