As an employer, you process and collect personal data of your employees on a daily basis and for various purposes. Personal data is processed about employees before, during and after an employment relationship.
The data may concern employee benefits, salary, records of sick leave, maternity leave, performance evaluation and others. Some of that information you are obligated to collect and process under the provisions of the Labour Law, while some of the data is processed for internal procedures and policies. However, as an employer, you should take into account the requirements of the Personal Data Protection Law (the PDPL). The data protection rules, as embodied in the PDPL, establish the framework for how this information should be handled.
The PDPL came into force in the Kingdom of Bahrain on 1 August
2019 and sanctioned a new regime in the Kingdom of Bahrain
governing the processing by employers of personal data of their
employees substantially increasing employers' obligations and
responsibilities in relation to how
they collect, use and secure personal data of their employees. A regime which employers must now familiarise themselves with in order to avoid civil and criminal liability which may arise from any violation of their obligations by employers under the PDPL. Employers must ensure that their
workforce understands their responsibilities under the PDPL through proper training on the PDPL and that adequate data protection policies and procedures are implemented in their organisations to guard againstsuch liability. In this article, we will provide an overview of the main obligations for
employers under the PDPL and the rights it affords to employees.
Employee Personal Data
The term 'personal data' is the gateway to the
application of the PDPL. Only when the processing of data concerns
personal data, will the PDPL provisions come into play. The term
'personal data' is, however, very broadly defined in
Article 1 of the PDPL as any information which relates to an
identified or identifiable natural person, the 'data subject' and necessitates that employers, when processing data belonging to its employees, to interpret such definition as broadly as possible in order to avoid liability for violating the provisions of the PDPL. Under the provisions of the PDPL, data subjects will be identifiable if they can be directly or indirectly identified by reference to an identifier such as name, identification number, location or one of several special characteristics,
which denotes the physical, physiological, intellectual, cultural, economic, or social identity of such individuals. In practice, these also include all data which are or can be assigned to a person in any manner including, by way of example, telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
Processing Personal data
Employers handle and process large volumes of employee personal
data to execute routine business functions including human
resources, payroll, background checks, performance reviews and
training and development. Employers are also likely to engage in
the processing of employee personal data for other employment
related reasons including employee investigations, monitoring
employee activities and compliance with applicable law, court
orders and other legal requirements. This necessitates a clear
understanding on the employer's part of what would
constitute 'processing' under the PDPL?
The processing of personal data in the context of an employment
relationship concerns any automated or manual operation or series
of operations performed by an employer on personal data or sets of
personal data of its employees including collecting, recording,
organising, classifying in groups, storing, modifying, amending,
retrieving, using or revealing such data by broadcasting,
publishing, transmitting, making available to others, integrating, blocking, deleting or destroying.
Legitimate Grounds for Processing
The processing of any personal data of employees by an employer
requires a legitimate reason. The PDPL identifies in Article 4 five
grounds where the processing of employees' personal data will
be PDPL compliant even when undertaken without the employees'
consent. We summarise these
grounds as follows:
- Employeehas given consent to the processing of their personal data: in order to ensure that the consent is freely given Article 24 of the PDPL requires it to be clearly given in writing and specific to the processing of certain data. The employer is required to advise the employees of the intended purpose or purposes of the processing. Although consent is only one of the grounds permitting an employer to process personal data, it is the safest option for the employer to pursue before any processing.
- Performance of the employment contract: The need to perform the employment contract is a key ground relied on by employers for processing personal data. The processing under this ground must be necessary to fulfil contractual obligations to which the employer is a party.
- Taking steps at the request of the employee with the purpose of entering into a contract: Some of the steps taken by the employer prior to concluding an employment contract, such as obtaining reference, would be in compliance with the PDPL.
- Compliance with any legal obligation: Under this category, the processing of employee personal data must be necessary for compliance with a legal obligation to which the employer is subject, other than obligations emanating from the employment contract. This would extend to include pre-employment vetting of the right to work in Bahrain to comply with an employer's obligation under the Labour Market Regulatory Authority Law to prevent illegal working and to carry out right to work checks on all prospective employees.
- Protecting the vital interests of the employee: This basis is likely to be rarely used by employers since it really only applies where processing personal data is necessary to protect the employee's life. It is likely to be particularly relevant for emergency medical care when you need to process personal data for medical purposes but the employee is incapable of giving consent to the processing.
- Pursuing the legitimate interests of the employer or any third party to whom personal data has been disclosed: Pursuant to Article 4(5) of the PDPL, employee personal data may be processed by an employer where necessary for the purposes of the legitimate interests pursued by the employer or a third party, except where such processing impinges upon the fundamental rights and freedoms of the employee. This ground may for example manifest itself in cases where the processing is necessary to protect the employer's proprietary and commercially sensitive information or the monitoring of employees' outgoing emails.
Data Protection Principles
Even where the employer has a legitimate ground for the processing of personal data of employees, any processing of personal data must be performed by the employer in compliance with the data protection principles set out in Article 3 of the PDPL. Article 3 of the PDPL sets out five data protection principles which an employer should comply with:
- Principle 1: Lawfulness and fairness: compliance with this principle requires the processing of personal data by the employer to be based on one of the grounds set out in Article 4 (described above). Such processing must always be undertaken in a fair manner to employees. This means the employer must not process the data in a way that is unduly detrimental, unexpected or misleading to the employees.
- Principle 2: Personal data is collected for specific, explicit and legitimate purpose and shall not be further processed in a way incompatible with the purpose for which it was collected: this principle dictates that personal data collected for one specified purpose should not be used for any other new incompatible purpose. Employers must be clear about the purpose for processing personal data from the start and record such purpose as part of the employer's documentation obligations. Such personal data may only be processed for another purpose if the new purpose is compatible with the original purpose, or with the employee's consent or in order to comply with an obligation or function prescribed in the law.
- Principle 3: Personal data should be adequate, relevant and not excessive in relation to the purpose for which it was collected or further processed: in order to comply with this principle, the employer must ensure that the personal data being processed is relevant, sufficient to fulfil the stated purpose, and limited to what is necessary to achieve the stated purpose without holding more personal data that the employer requires to fulfil the stated purpose.
- Principle 4: Personal data should be correct, accurate and, where relevant, kept up to date: employers must take all reasonable steps to ensure that personal data of employees processed is not incorrect or misleading as to any matter of fact and is updated when requested by the employee.
- Principle 5: Personal data shall not be kept in a form which permits identification of the employee once the purpose for which the data was collected or further processed was achieved: under this principle Personal data which is kept in a form which permits identification of the employees must not be kept for longer than is necessary for the purposes for which the personal data is processed.
Employees have a number of rights under the PDPL, including the right to:
- Information about the collection and processing of their personal data: Pursuant to Articles 17 and 18 PDPL employees have the right to be informed about the collection and use of their personal data including: (i) personal data that is held about them; (ii) source of the personal data if obtained from a third party; (iii) purpose for which the data is to be processed; (iv) names or categories of any recipients of the data; (v) data owner's rights in respect of the data; and (vi) whether the data will be used for direct marketing purposes.
- Object to their personal data being processed for direct marketing, scientific or historical research: Pursuant to Articles 19 and 20 PDPL employees that intend to use personal data to carry out direct marketing are required to notify their employees that they have the right to object to being marketed.
- Object to processing causing material or moral damage to the employee or others: Pursuant to Article 21 PDPL employees can also object to the processing of their personal data where the processing is for a purpose or in that manner that causes or will very likely cause unwarranted substantial damage to the employee or others.
- Object to decisions based on automated processing: Pursuant to Article 22 PDPL employees have the right to object to the processing by their employers of their personal data automated means (making a decision solely by automated means without any human involvement) where it involves the evaluation of employees on the basis of their: (i) performance at work; (ii) financial position; (iii) credit worthiness; (iv) behavior; or (v) trustworthiness.
- Have their personal data rectified, blocked and erased: Article 23 PDPL. includes a right for employees to request the employer to rectify, block or erase personal data when the processing of such data is in breach of the provisions of the PDPL in particular where such data is inaccurate, incomplete, outdated or if its processing is illegal.
Enforcement and Remedies
The PDPL prescribes a host of penalties for violations of its provisions including: Imprisonment for a term not exceeding one year, and/or a fine not less than BD1000 and not exceeding BD20,000 for: (i) any contravention by an employer of the provisions of Articles 5, 12, 13, 14(1), 14(6), and 15 PDPL; (ii) the provision of incorrect or misleading data to the Personal Data Protection Authority (the PDPA); (iii) the withholding of personal data from the PDPA, (iv) the prevention or interference with PDPA's investigations, and (v) the use of personal data for the employer's personal benefit. Employers may also face potential civil liability for compensation in respect of any employee who suffers damage as a result of the wrongful processing of employee personal data by an employer under Article 57 PDPL.
Next Steps for Employers
Employers must be transparent with their employees about how they use and protect their personal data; an obligation that is not limited only to any processing that takes place inside the workplace but also outside workplace. Employers must be accountable for employee personal data processing activities and must demonstrate how they comply with the protection principles embodied within the PDPL. Attaining PDPL compliance requires a well-considered strategy aimed at avoiding potential civil and criminal liability which may arise from any violation of the PDPL provisions. We summarise below the main steps which employers must consider implementing towards adopting such strategy:
- Review and assess all data: Undertake an assessment of whether employee personal data is absolutely necessary to have on employees' files and implement a process for the timely deletion of unnecessary employees' personal data.
- Implement a transparency policy: Keep employees informed of their rights under the PDPL in a clear and obvious manner.
- Conduct a security check: Review who has access to employees' personal data and put the right controls in place. implement appropriate technical and organizational measures to guarantee protection of data against accidental or unauthorized destruction, accidental loss, as well as against alteration or disclosure of, access to and any other unauthorized forms of processing.
- Assign accountability: Determine whether the organisation requires a Data Protection Guardian (the DPG), and if not required, ensure that there is in place a clear chain of command for all security and data management processes.
How can we help?
- The employer's desire to maintain a compliant culture should be documented in a Data Protection Policy. This policy should include detail of the roles and responsibilities in relation to data protection within the employer's organisation and the policy on other activities within the organisation such as direct marketing, information security, clear desk policy, training etc. We can assist you in drafting your Data Protection Policy.
- There is no point in having all the documentation if your employees do not know about it! It is absolutely vital that all employees are made aware of the requirements in relation to working with personal data. Training must be appropriate to the employees and we can certainly provide it to ensure that your employees are aware of the requirements when handling personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.