THE BAHRAIN PERSONAL DATA PROTECTION LAW
The Kingdom of Bahrain’s nationally applicable data protection law, the Personal Data Protection Law No. 30 of 2018 (“PDPL”), will come into effect in August this year.
The PDPL establishes the Personal Data Protection Authority (“Authority”) as the competent authority for overseeing compliance with the law. This article highlights instances where businesses may have to provide notifications, obtain authorizations, or otherwise report to the Authority with respect to their data processing activities in Bahrain.
WHAT AND WHO DOES IT APPLY TO?
The PDPL applies to the processing of data that is “personal data” – essentially information in any form concerning an identified or identifiable individual.
The PDPL applies to:
• Every natural person (individuals) residing normally in Bahrain or having a workplace in Bahrain;
• Every legal person (corporates) having a place of business in Bahrain; and
• Every natural or legal person not normally residing or having a business in Bahrain, where such persons are processing data using means available in Bahrain, except where such processing means are solely for the purpose of passing data through Bahrain.
In this latter scenario, the legal person (corporation) is required to appoint an authorized representative in Bahrain, and notify the Authority of such appointment.

The PDPL does not apply to processing of personal data within the context of personal or family affairs, or to processing that relates to national security undertaken by security authorities in Bahrain.

Under the PDPL a “data controller” is a person who (either alone or jointly with other persons) determines the purposes and means of processing any particular data. Every business is a data controller – even a shell company has personal data concerning its shareholders and directors. However, the extent of a data controller’s compliance obligations under the PDPL is inextricably linked to the purposes, means and extent of its processing of personal data.
NOTIFICATIONS
Data controllers must give prior notice to the Authority of any wholly or partially automated processing operation or set of operations (subject to certain exclusions, including an employer processing data in relation to its employees). Regulations are to set out the rules and procedures for the submission of notifications (including a simplified notification process for certain situations).
AUTHORIZATIONS
It is prohibited to process the following data without obtaining the Authority’s prior written authorization:
• Automatic processing of sensitive personal data;
• Automatic processing of biometric data needed to verify an individual’s identity;
• Automatic processing of genetic data unless carried out by licensed medical practitioners, and it is necessary for health care;
• Automatic processing involving linkage between personal data files of two or more data controllers; and
• Processing that is done using visual recordings that are used for surveillance purposes.
Again, regulations are to be issued prescribing the rules and procedures of how a request for authorization is to be submitted and processed.
The PDPL provides that data controllers may appoint a Data Protection Guardian, who has a supervisory role acting as an independent and impartial intermediary between the data controller and the Authority. Although a Data Protection Guardian is not compulsory, regulations may require one for specific data controllers. The Data Protection Guardian will also be required to maintain a registry of the data controller’s processing operations that must be notified to the Authority, and to update the Authority on the same on a monthly basis. If no Data Protection Guardian is appointed, the data controller is required to do this itself.
SECURITY
Data controllers are required to maintain documentation reflecting the technical and organizational measures adopted to protect personal data. This documentation must be available for inspection by the Authority. Additionally, the PDPL contemplates the issuance of a regulation specifying the requirements that technical and organizational measures must satisfy, and leaves scope for further specific requirements to be prescribed in such regulations. There does not appear to be any specific obligation to notify the Authority in the event of a data breach incident; it is possible that this will be addressed in the regulations.
ENFORCEMENT
The PDPL criminalizes a variety of acts and imposes penalties, which generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000 (between about USD 2,600 and about USD 53,000), or a fine only in the case of corporate entities.
WHAT TO DO?
Although, at the time of writing, the PDPL is still to be augmented by implementing regulations, businesses that need to comply with the law should already be addressing what they must do so that their processing of personal data complies with the new legal obligations. As a first step, any business that processes personal data in Bahrain should conduct an assessment of those processing activities with the objective of understanding current data flows and practices. Based on that assessment, the business then needs to identify the actions required to achieve PDPL compliance.