Digital & Data / Bahrain
Andrew Fawcett Partner, Digital & Data
Zeina Albuainain Associate, Corporate Commercial
In recent years, the MENA region has witnessed substantial growth in privacy and data protection legislation, with all jurisdictions attempting to strike a balance between data privacy and innovation in the age of technology. Correspondingly, the Kingdom of Bahrain continues to aim at securing information confidentiality and individual privacy whilst also promoting a digital economy.
Following several months of public consultation on the then-draft decisions, in March 2022 the Bahrain Personal Data Protection Authority ("Authority") (currently the Ministry of Justice, Islamic Affairs, and Waqf) published ten (10) decisions supplementing Law No.30 of 2018 with respect to Personal Data Protection ("PDPL"), as envisaged by the law. Set out below is a brief overview of the new decisions, together with some key points that companies processing personal data in Bahrain may need to consider.
Under Decision No.42 of 2022, the Authority published the long-awaited ‘white-list’: a list of 83 countries that the Authority considers to have adequate legislative and regulatory protection for personal data. The great majority of the countries on the white-list are consistent with the countries to which the European Union has granted adequacy for the purposes of the General Data Protection Regulation (“GDPR”). As a result of the Authority’s white-list, any data transfer to a country not on the list could potentially require the Authority’s prior approval, unless certain exemptions under the law apply.
The Decision also recognises Binding Corporate Rules (“BCRs”) for cross-border data transfers. However, whilst Data Controllers are required to adhere to their BCRs (if any such rules exist), BCRs need not be approved by the Authority, unlike under the GDPR approach. Based on the wording of the law, having BCRs in place would not on its own provide an exemption from the requirement to obtain the Authority’s approval for intra-group cross-border data transfers.
Most notably, the Decision makes clear that when transferring data pursuant to a contract to another Data Controller or a third party in a country that does not provide adequate protection for personal data, Data Controllers must obtain prior authorisation from the Authority, and submit, inter alia, a copy of the contract to the Authority. However, it is yet to be clarified how this requirement affects Article 13(1)(c)(ii) of the PDPL, which allows for cross-border data transfers where this is necessary for the performance of a contract between a Data Controller and a third party, without the need to obtain any approval from the Authority.
The PDPL makes clear that Data Controllers must implement technical and organisational measures to ensure adequate protection of personal data, taking into account the latest technological security measures, the associated costs, the nature of the data to be processed, and the potential risks involved (Article 8, PDPL). As envisaged by Article 8 of the PDPL, Decision No.43 of 2022 prescribes several measures which shall be implemented by Data Controllers, some of which are comparable to those outlined under the GDPR. These include (but are not limited to) implementing a Privacy by Design model, and undertaking Data Protection Impact Assessments (DPIAs) where the circumstances so require.
As anticipated, one of the main unanswered questions has finally been addressed under this Decision: data breach notification requirements. Controllers may potentially be required to notify the Authority of any data breach within seventy-two (72) hours of becoming aware of it, subject to certain exemptions. Controllers may also be required to notify Data Subjects of any such breach.
When submitting notifications and obtaining prior authorisations to process personal data generally or to undertake certain processing activities respectively, Data Controllers must follow the rules and procedures set out under Decision No.44 of 2022 unless an exemption is granted. A notification for data processing activities should be submitted prior to any wholly or partially automated processing operation, or set of operations, intended to serve a single purpose or several related purposes. The Decision emphasises the need to be transparent with Data Subjects regarding the processing of their personal data. It further emphasises Data Controllers’ obligations to attend to Data Subject Access Requests (SARs).
Similar to other data protection regimes, the PDPL makes a distinction between personal data and sensitive personal data. The law’s definition of sensitive personal data is broadly comparable to that of the GDPR, except that (i) the PDPL does not expressly recognise genetic and biometric data as sensitive data; and (ii) under the PDPL, ‘personal criminal record’ is considered sensitive data. Decision No.45 of 2022 emphasises the need to adopt additional protection measures when handling such categories of data.
The PDPL prohibits processing sensitive data without the Data Subjects’ consent, unless certain exemptions apply. These include where the processing is necessary to protect any individual, and where the Data Subject or the Data Subject’s custodian or guardian is legally incapable of giving his or her consent, subject to obtaining the Authority’s authorisation. Pursuant to the Decision, such authorisation requests shall be made using the prescribed form on the Authority’s website.
Data Controllers may appoint a competent external or internal Data Protection Guardian (“DPG”) as per Decision No.46 of 2022. The appointment of DPGs is currently entirely at the discretion of Data Controllers. However, the Decision contemplates the issuance of a further regulation specifying the categories of Controllers that will be required to appoint a DPG, taking into account the type of work, the nature of the activity, and the volume or manner of the processing.
The Authority shall be notified of a DPG’s appointment within three (3) working days from the date of such appointment. The Decision sets out the rules and conditions that the DPG must fulfil in order to be registered with the Authority as an accredited DPG. The conditions are dependent on whether the DPG will be appointed as an internal or an external DPG. Only upon satisfaction of these requirements will the Authority provide a decision on the license application, which shall be provided within thirty (30) days from the date of submitting the application.
Supplementing the above decision, Decision No.47 of 2022 sets out the fees for DPG registration and renewal. The DPG registration fees range between one hundred Bahraini Dinars (BHD 100) and five hundred Bahraini Dinars (BHD 500), depending on whether an internal or external DPG (and in the event of the latter, whether a natural or legal person) is to be registered.
Decision No.48 of 2022 sets out, amongst other things, the Data Controller’s potential obligations when making decisions based solely on automated processing of personal data. Specifically, a Data Controller is required to notify Data Subjects of the relevant automated decision(s), in addition to setting clear rules to enable the Data Subject to object to the decision.
Under this Decision, “cookies” have finally been addressed under Bahrain’s data protection regime. The law makes clear that the use of cookie walls does not constitute a valid way of obtaining consent. This begs the question as to whether the PDPL indirectly recognises that certain cookies may require consent.
Anyone having a legitimate interest may lodge a complaint with the Authority regarding any violation or breach of the PDPL. Decision No.49 of 2022 sets out the regulations and processes for filing complaints against violating entities. Complaints may be filed using the form prescribed on the Authority’s official website, which entails enclosing the complainant’s and defendant’s details, the relevant facts concerning the violation or breach, and any supporting documents. After having reviewed the complaint, the Authority may decide to dismiss the complaint, or may alternatively request the defendant to respond to the complaint within a period not exceeding seven (7) days from the date of receiving the request.
Pursuant to Article 7(3) of the PDPL, which envisages the issuance of a regulation governing criminal proceedings and related judgments data, Decision No.50 of 2022 sets out the rules and safeguards to be observed to ensure the protection and confidentiality of such data.
Unlike the GDPR, which requires such processing to be carried out under the control of an official authority, there is no such requirement under the PDPL. Nonetheless, the PDPL does recognise that such data requires additional protection. Natural and legal persons in Bahrain are permitted to process personal data relating to criminal proceedings so long as they are authorised to do so. Authorised persons are prohibited from disclosing, transmitting, publishing, or in any way making such data available to any individual or third party that is not permitted to access it. This prohibition applies to all stages of the proceedings, from the collection of evidence until the issuance of judgments. Such persons are required to take appropriate measures to ensure an adequate level of protection for such data, whether the relevant processing is automated or not, so that it cannot be made available to or accessed by unauthorised individuals (we would add here, however, that the PDPL’s applicability to ‘non-automated processing’ is limited to where the processing forms part of, or is intended to form part of, a structured filing system).
Decision No.51 of 2022 sets out the prerequisites for creating publicly accessible personal data registers, and details what needs to be included within the register itself (including the type of data, the purpose of collecting such data, and the date on which the data was last updated). Data Controllers are charged with the responsibility of updating the register periodically or regularly and ensuring that the registered data is protected from any type of tampering at all times.
For further information, please contact Andrew Fawcett and Zeina Albuainain.
Published in September 2022