Personal Data Protection

Personal data protection refers to the safeguarding of individuals’ private information, especially from cyberthreats.

Personal Data Protection Law

The Personal Data Protection Law (PDF, 305KB, 40 pages, Arabic only), announced in July 2018 , sets a legal framework that determines how the information of individuals should be accessed and used. It is designed to maintain public confidence in the security of their personal information when it is in the possession of companies and organisations. The law, which came into effect in 2019, ensures that this information is managed in a sensitive, advanced, and secure manner.

The law addresses the following

• It established a basic rule that personal data may not be obtained or processed without the express written consent of the data’s owner, unless the law states otherwise.
• It requires securing special approvals for certain processes, such as when transferring personal data outside the Kingdom of Bahrain without approval from its owner. Permission must be granted by the Ministry of Justice, Islamic Affairs and Waqf, which is the authority designated to carry out the tasks of the Personal Data Protection Authority. The regions and countries are stipulated based on decisions by the Minister.
• It made it impermissible to use automated processing to link personal data between more than one party. This includes linking the personal data of customers of two different companies; the use of automated processing of biometric data for personal identification, such as those used in smart device applications; or processing via visual surveillance recordings, such as placing cameras for remote monitoring, if in all these cases it is without the prior written approval of the Ministry of Justice, Islamic Affairs and Waqf.
• It required that the data’s owner be adequately informed of all relevant details about the entity that will view the data, the reason the data is being obtained, how it will be processed, and all other information necessary to make the processing fair and just for the data’s subject.
• It gives the data’s owner the right to know whether a certain party processes their personal data. This body is responsible for answering every clarification or question required by the data’s owner to indicate whether it is processing this personal data, clarifying the purpose of this processing, and the entities that received it.
• In this case, the data’s owner has the right to ask this entity to correct, withhold, or erase personal data according to the circumstances and requirements, if processing it would cause him or someone else unjustified harm. This includes whether the damage was financial or emotional, or if the processing is carried out in ways that violate the provisions of the law, especially if the data is inaccurate, indeterminate, or incomplete, and if processing it is illegal and causes harm to the interests of the data’s owner.
• It gives the data’s owner the right to object to direct marketing, which is marketing that is carried out by directing advertising or promotional material to a specific person, such as advertisements sent by text messages or e-mail. The law also requires any party to stop this processing in the event that it receives a request to that effect by the data’s owner.
• Finally, the law allows anyone to submit a complaint to the authority if he or she has reason to believe that there has been a violation of the provisions of this law, or that someone is processing personal data in violation of its provisions. This ensures that the personal data of all individuals is processed in a legitimate and fair manner, preserving their rights.

In line with the Kingdom’s commitment to setting legal frameworks to regulate its cybersecurity and information security activities, the Government has introduced several related laws and legislations, including:

• Law-Decree No. (54) of 2018 regarding issuing electronic transactions and statements (PDF, 210KB, 20 pages, Arabic only)
• Prime Minister Decision No. (36) of 2018 regarding the regulation of technical requirements for sending, receiving, and updating electronic documents and the signatures of public entities (PDF, 133KB, 4 pages, Arabic only)
• Law No. (2) of 2017 regarding the ratification of the Arab Convention on Combating Information Technology Offences (PDF, 915KB, 31 pages, Arabic only)
• Law No. (60) of 2014 regarding Information Technology crimes (PDF, 189KB, 10 pages, Arabic only)
• Law No. (16) of 2014 regarding the protection of information and state documents (PDF, 142KB, 4 pages, Arabic only)

Personal Data Protection Authority (PDPA)

The Ministry of Justice, Islamic Affairs and Waqf was appointed to carry out the tasks of the Personal Data Protection Authority (PDPA) as per Cabinet Decision No. (78) of 2020.

Personal Data

This refers to information of any kind that belongs to an identified person, or one that can be directly or indirectly identified. It is considered personal data in accordance with the law. Therefore any statement that can lead to the identification of an individual, such as their names, ID or passport numbers, phone numbers, membership numbers in any organisation, personal photos or copies of documents related to their personal lives or jobs, bank details, or email addresses are considered personal data protected by the law.

Processing personal data

Anyone responsible for receiving and managing personal details (data processing) is considered a data manager and is responsible for following the law with regards to receiving and managing the data. Any entity or company that receives personal data of its customers must process it in accordance with personal data protection legal standards.