Secure Data Transfer

Personal data protection is a crucial aspect of our digital age, where individuals' private information is vulnerable to cyber threats. It refers to the measures taken to safeguard this information from unauthorized access, use, or disclosure.

Personal Data Protection Law

The Personal Data Protection Law (PDPL) was introduced in July 2018 to provide a legal framework for the access and use of individuals' personal information. The law aims to foster public trust in the security of their personal data when it is in the possession of companies and organizations.  The PDPL sets out guidelines and regulations for handling personal data, including how it should be collected, processed, stored, and shared.  The Personal Data Protection Law came into effect in 2019, marking a significant step towards protecting individuals' personal information and promoting trust in the digital economy.

The Personal Data Protection Law (PDPL) is a comprehensive regulation that addresses several critical aspects to ensure the security and privacy of individuals' personal information. The law includes the following provisions:

• The basic rule for obtaining and processing personal data: The PDPL establishes a fundamental rule that personal data cannot be obtained or processed without the explicit written consent of the data owner unless permitted by law.
• Special approvals for transferring personal data: The PDPL requires obtaining special authorization for certain processes, such as transferring personal data outside Bahrain without the owner's approval. The Ministry of Justice, Islamic Affairs, and Waqf is the designated authority responsible for granting permission for such transfers. The regions and countries where data can be transferred are based on decisions by the Minister.
• Prohibition of automated processing to link personal data: The PDPL prohibits the use of automated processing to connect personal data between multiple parties. This includes linking customers' personal data of two different companies, using automated biometric data for personal identification, and processing visual surveillance recordings, such as placing cameras for remote monitoring, without the authority's prior written approval.
• Mandatory information to be provided to data owners: The PDPL mandates that data owners must be adequately informed of all relevant information about the entity that will access their data. This includes the reason for obtaining the data, how it will be processed, and all other necessary details that make the processing fair and just for the data subject.
• Under data protection regulations, the data owner is entitled to know whether their personal data is being processed by a certain party. The responsible entity is required to respond to any inquiries or clarifications from the data owner and provide information on whether their personal data is being processed, the purpose of the processing, and the entities that have received it.
• The data owner has the right to request that the entity correct, withhold, or erase their personal data if processing it would cause unjustified harm to them or others. This includes financial or emotional harm, as well as processing that violates the law, such as inaccurate, indeterminate, or incomplete data. If processing the data is illegal and harms the interests of the data owner, they have the right to request its removal.
• The data owner has the right to object to direct marketing, which is any marketing that targets a specific individual through advertising or promotional material, such as text messages or emails. If the data owner requests that the processing of their personal data for direct marketing purposes be stopped, the party responsible must comply with their request.
• Lastly, if anyone believes that there has been a violation of data protection regulations or that someone is processing personal data in violation of these regulations, they have the right to file a complaint with the appropriate authority. This ensures that all personal data is processed in a lawful and fair manner, protecting the rights of all individuals.

As part of its commitment to establishing legal frameworks that regulate cybersecurity and information security activities, the Kingdom has implemented several laws and regulations. These laws and legislations reflect the Government's dedication to maintaining a secure and protected cyber environment for all citizens. They include the following:

• Law-Decree No. (54) of 2018 regarding issuing electronic transactions and statements (PDPL, 210KB, 20 pages, Arabic only)
• Prime Minister Decision No. (36) of 2018 regarding the regulation of technical requirements for sending, receiving, and updating electronic documents and the signatures of public entities (PDF, 133KB, 4 pages, Arabic only)
• Law No. (2) of 2017 regarding the ratification of the Arab Convention on Combating Information Technology Offences (PDF, 915KB, 31 pages, Arabic only)
• Law No. (60) of 2014 regarding Information Technology crimes (PDF, 189KB, 10 pages, Arabic only)
• Law No. (16) of 2014 regarding the protection of information and state documents (PDF, 142KB, 4 pages, Arabic only)

The Personal Data Protection Authority (PDPA) is responsible for ensuring that personal data is processed and used in accordance with legal standards. The Ministry of Justice, Islamic Affairs and Waqf has been appointed to carry out these tasks, as per Cabinet Decision No. (78) of 2020.

Personal Data

Personal data refers to any information that belongs to an identified person or one that can be directly or indirectly identified. This includes any statement that can lead to the identification of an individual, such as their names, ID or passport numbers, phone numbers, membership numbers in any organization, personal photos, copies of documents related to their personal lives or jobs, bank details, or email addresses. All such data is considered protected by the law.

Processing Personal Data

Any individual or entity responsible for receiving and managing personal data is considered a data manager and must follow legal standards while processing it. Any company that receives the personal data of its customers must ensure that it is processed in accordance with personal data protection laws and regulations. It is the responsibility of the data manager to ensure that personal data is processed and used in a lawful, fair, and transparent manner. This includes obtaining the necessary consent from the data owner and ensuring the confidentiality and security of the data.