Personal Data Protection

Law No. (16) of 2014 (PDF, 142KB, 4 pages, Arabic only) regarding the protection of state information and documents.
This law confers criminal protection on everything related to state information and documents, with that protection extending to all parties that contribute or participate in them, even if the bulk of their capital is owned by the private sector.
Law No. (60) of 2014 (PDF, 189KB, 10 pages, Arabic only) regarding Information Technology crimes.
In line with rapid technical developments, this law came to be a deterrent to everyone who exploits technology and the Internet to carry out their crimes and serves as criminal protection for Information Technology users. The law stipulates Information Technology crimes and the procedures for combating them.
Law No. (2) of 2017 (PDF, 914KB, 31 pages, Arabic only) ratifying the Arab Convention to Combat Information Technology Crimes.
This agreement strengthens cooperation between Arab countries in the field of combating information technology crimes.
Law No. (30) of 2018 (PDF, 345KB, 55 pages) issuing the Personal Data Protection Law.
This law covers the provisions for automated data processing, in whole or in part, the general legality framework, the provisions for the transfer of personal data outside the Kingdom, and the establishment and organisation of the competent authority.
Decision of the Prime Minister No. (36) of 2018 (PDF, 132KB, 4 pages, Arabic only) regulating the technical requirements for sending, receiving, and updating electronic records and signatures of public entities.
The decision includes a set of technical requirements that government agencies must observe during electronic transactions, whether from within the Kingdom of Bahrain or abroad.
Decree No. (54) of 2018 (PDF, 210KB, 20 pages, Arabic only) issuing the Law on Electronic Communications and Transactions.
This law replaces a repealed law, expands the on range of transactions that may be carried out electronically, and creates an advanced and safe electronic economic environment for Internet transactions in line with recent technology and legal advancements.
Law No. (1) of 2020 (PDF, 23.1MB, 107 pages, Arabic only) approving the accession of the Kingdom of Bahrain to the United Nations Convention on the Use of Electronic Communications in International Contracts.
The decision approved the Kingdom’s accession to the UN Convention, which was drawn up in New York on November 23, 2005.
Decree No. (45) of 2021 (PDF, 81KB, 1 page, Arabic only) naming the administrative authority competent in the Law of Electronic Communications and Transactions issued by Decree No. (54) of 2018.
This decree named the Telecommunications Regulatory Authority (TRA) as an administrative body competent in the law of electronic communications and transactions.
Resolution No. (42) of 2022 (PDF, 61.7KB, 4 pages, Arabic only) regarding the transfer of personal data outside the Kingdom of Bahrain.
This decision grants the data manager the authority to transfer personal data directly outside the Kingdom of Bahrain without permission from the Personal Data Protection Authority in the countries and territories listed in the list accompanying this decision. An application for obtaining a permit from the authority to transfer data outside the Kingdom or to a regional or international group is submitted in accordance with the procedures established in Article (3) of the decision, in addition to the possibility of transferring personal data to a data manager or a third party outside the Kingdom who are outside the countries and regions listed in The disclosure accompanying this decision is based on a contract, and the data manager must obtain a permit from the authority and submit a copy of the contract to transfer personal data in this case.
Resolution No. (43) of 2022 (PDF, 100KB, 6 pages, Arabic only) specifying the requirements to be met in the technical and organizational measures to ensure the protection of personal data.
The decision regulates a set of technical and organizational measures to be applied in data processing, in addition to evaluating the impact of data protection and the obligation to notify a data breach or violation. The decision included a reference to the provisions of contracting with an external data processor or any third party by invoking the provisions contained in Resolution No. (42) of 2022 regarding the transfer of personal data outside the Kingdom of Bahrain. Adherence to specific procedures exclusively in the decision, and finally, the decision obligated the data manager to provide periodic training programs to ensure the familiarity of the employees involved in data processing.
Resolution No. (44) of 2022 (PDF, 59.8KB, 4 pages, Arabic only) regarding the transfer of personal data outside the Kingdom of Bahrain.
The decision requires the data manager to notify the Personal Data Protection Authority before starting the processing process, which is fully or partially automated. The decision prohibits carrying out any of the processing operations without obtaining prior written permission from the authority, which in turn decides on the request for prior authorization according to the period mentioned in the decision, in addition, the decision sets out the obligations of the authorized person to the processing, the additional requirements for the prior authorization of some types of processing, and the notification of changes to the data.
Resolution No. (45) of 2022 (PDF, 38KB, 2 pages, Arabic only) setting the rules and procedures for processing sensitive personal data.
The decision regulates the mechanism and procedures for processing sensitive personal data, to ensure that it is not hacked or violated. The decision sets out how to obtain prior authorization from the Personal Data Protection Authority for the processing of sensitive personal data and the regulatory rules for the processing.
Resolution No. (46) of 2022 (PDF, 108KB, 7 pages, Arabic only) regarding data protection monitors.
The decision regulates the provisions for appointing data protection monitors, whether that is an internal or external monitors. The decision also includes provisions related to the data protection monitors register and obligates those addressed by the provisions of this decision to be bound by registration in the register. The decision also sets the conditions for registering the external data protection monitors in the register and the procedures for recording The external data protection monitor in the register, and the decision obligated the Personal Data Protection Authority to issue a decision in the application for registration of the external data protection monitor and the disclosure of the external data protection monitor, which combines the registration in the register and his work with a public or private entity. The decision also specified the conditions for registering the internal data protection monitor in the registry and the procedures for registering the internal data protection controller in the registry. The decision obligated the Personal Data Protection Authority to issue a decision in the application for registration to the internal data protection controller. The decision also dealt with the provisions of accrediting the internal data protection controller as an external data protection controller and the obligations of the external and internal data protection controller, as well. The decision dealt with the provisions related to determining the period of registration in the register, the expiration or cancellation of registration in the register, and the fee related to the application The application for registration in the register, the authority’s monitoring and inspection of the data protection monitor's work, the referral of the violating data protection monitor to investigation, and the responsibility of the data protection monitors from legal persons.
Decision No. (47) for the year 2022 (PDF, 37.5KB, 3 pages, Arabic only) determining registration fees in the data protection monitors registry, registration renewal fees, cases of exemption and refunds.
The decision determines the categories of fees due for registration in the data protection monitors register, registration renewal, and cases of exemption and refund of such fees.
Resolution No. (48) of 2022 (PDF, 41.4KB, 3 pages, Arabic only) regarding the rights of the owner of personal data.
This decision defines the scope of its provisions for the data stipulated in Article (1) of the Personal Data Protection Law. The decision clarifies the obligations related to the decisions taken based on automated processing, the approval of the processing and the scope of its application, as well as the approval that is not valid. The decision mentioned the cases in which it is entitled the data subject has a request to withdraw the consent, and the decision obligates the data manager to indicate the procedures for submitting the objection by the data subject.
Decision No. (50) of 2022 (PDF, 32.4KB, 2 pages, Arabic only) determining the controls and guarantees for maintaining the confidentiality of data related to filing and conducting criminal cases and the judgments issued therein.
The decision aims to ban the entities and persons authorized to process data related to filing a criminal case and its conduct at all stages of the case and the judgments issued therein and to disclose, transmit, publish, broadcast, circulate, give, provide, or make this data or its content available to any individual or other party. Not concerned with it or to anyone other than the laws permitting their access to. The decision also specified the controls related to the appointment of persons authorized to file a criminal case to process such data. The decision also obligated those addressed with its provisions to use technical systems and modern electronic applications or any appropriate means to ensure an adequate level of protection and privacy for processing.
Resolution No. (51) of 2022 (PDF, 33.9KB, 2 pages, Arabic only) regarding the conditions for creating personal data records available to the public.
This decision considered the issue of determining and providing the conditions for creating and accessing personal data records that are available to the public, with a limitation of what those records must include and the obligations of the data manager regarding updating records and their safety from any penetration or tampering process.