Bahrain’s Personal Data Protection Law (Law No. 30 of 2018)

July 2018

View the original document

National Regulations

The Personal Data Protection Law (Law No. 30 of 2018), enacted in the Kingdom of Bahrain was introduced to regulate the processing of personal data to ensure the rights of individuals are protected while providing a legal framework for organisations and entities that handle such data. It aims to balance data protection with the operational needs of businesses and government institutions.

The law applies to the processing of personal data using automated or manual systems if the data forms part of a filing system. It also applies to natural or legal persons residing or conducting business in Bahrain, as well as those outside Bahrain, if they process data using means located within the country.

Overview of the sections

Section 1: Preliminary provisions

  • Definitions:
    This section defines key terms used throughout the law to ensure clarity. Notable definitions include:
    • Personal data: Any information related to an identified or identifiable natural person.
    • Sensitive data: Information revealing racial, ethnic, or religious identity, health conditions, political opinions, and other similar attributes.
    • Processing: Any operation performed on personal data, including collection, storage, use, or dissemination.
    • Data Controller and Processor: Entities or individuals determining the purpose and means of processing or performing processing activities on behalf of the controller.
  • Application scope:
    The law applies to:
    • Data processed by automated or manual means, provided it forms part of a filing system.
    • All natural or legal persons in Bahrain engaged in processing personal data.
    • Non-resident entities if they process data using tools located within Bahrain.
    • Exemptions include personal data used solely for household purposes and data processed for national security.

Section 2: General rules for lawful processing

  • Principles of data quality:
    Personal data must be:
    • Processed lawfully and transparently.
    • Collected for specific, legitimate purposes.
    • Adequate, relevant, and not excessive.
    • Accurate and kept up-to-date.
    • Stored only as long as necessary for its purpose.
  • Lawful basis for processing:
    Data can be processed if:
    • The data subject has given explicit consent.
    • It is necessary to perform a contract involving the data subject.
    • There is a legal obligation.
    • Processing is essential for vital interests (e.g., emergencies).
    • It is done for legitimate interests of the controller, provided it doesn’t infringe on fundamental rights.

Section 3: Sensitive personal data

  • Special protections:
    Sensitive data such as racial, ethnic, or health-related information requires explicit consent from the data subject or must meet specific exceptions (e.g., public health purposes or employment law compliance).
  • Permissible processing:
    Sensitive data may be processed without consent in scenarios such as:
    • Protecting vital interests when the subject is incapable of giving consent.
    • Legal claims or judicial proceedings.
    • Health or social care purposes by authorised professionals.

Section 4: Data transfer

  • Cross-border data transfer:
    Personal data may only be transferred to countries or territories providing adequate protection levels. This includes:
    • Countries listed by the Data Protection Authority as having sufficient safeguards.
    • Transfers authorised by the Authority under specific contractual or legal frameworks.
  • Exceptions for transfer:
    Data can be transferred to countries without adequate protection if:
    • The data subject has consented.
    • The transfer is necessary for contractual obligations or legal claims.
    • Public interest grounds apply.
    • Adequate safeguards, such as standard contractual clauses, are implemented.

Section 5: Data subject rights

  • Access and information:
    Data subjects have the right to:
    • Know if their data is being processed.
    • Access their personal data and information on the purpose of processing.
    • Know the recipients of their data.
  • Rectification, erasure, and restriction:
    Data subjects can request:
    • Correction of inaccurate data.
    • Deletion of unlawfully processed or no longer necessary data.
    • Restriction of data processing in specific circumstances.
  • Right to object:
    Subjects can object to:
    • Processing based on legitimate interests.
    • Direct marketing activities, including profiling.

Section 6: Data security

  • Controller pbligations:
    Data controllers must implement technical and organisational measures to protect data from:
    • Unauthorised access.
    • Accidental loss or destruction.
    • Unlawful processing.
  • Breach notification:
    Controllers must notify the Data Protection Authority and affected data subjects in cases of significant breaches, specifying the impact and mitigation measures taken.

Section 7: Oversight authority

  • Establishment of Data Protection Authority (DPA):
    This independent body oversees compliance, conducts audits, and handles complaints. Its responsibilities include:
    • Issuing guidelines and codes of conduct.
    • Granting authorisations for specific data processing activities.
    • Investigating breaches and imposing sanctions.
  • Powers of the DPA:
    • Conduct inspections and audits.
    • Issue fines and penalties for non-compliance.
    • Approve or deny data transfers and processing activities.

Section 8: Offenses and penalties

  • Violations:
    Offences include:
    • Unlawful processing without a valid legal basis.
    • Failure to obtain required consent for sensitive data.
    • Non-compliance with data subject rights or Authority instructions.
  • Sanctions:
    Penalties vary depending on the severity of the violation, including:
    • Fines proportional to the breach.
    • Criminal sanctions for intentional or grossly negligent violations.
    • Suspension or restriction of processing activities.

Section 9: Implementation and transitional provisions

  • Timeline for compliance:
    Organisations must align their data processing activities with the law within a specified transitional period.
  • Guidelines and regulations:
    The Data Protection Authority is tasked with issuing detailed regulations and guidelines to support compliance.