What is ‘Personal Data Protection’?

Personal data protection means safeguarding of information in any form which identifies an individual, to prevent breach of and protect his/her privacy, especially in light of digital challenges.

Personal Data Protection Authority
  • The Bahraini legislature issued Law No. (30) of 2018 on 19 July, 2018, with respect to personal data protection. The Law aims to protect the rights and freedoms of individuals and their personal data, by establishing a legal framework that defines the methods and means of processing data in a way that gives individuals confidence in all matters concerning their data handled by companies and organizations, and to be managed in an accurate, up-to-date and secure manner.

  • The Law came into effect on 1 August, 2019. The Ministry of Justice, Islamic Affairs and Waqf was designated, by Royal Decree No. (78) of 2019, to assume the duties of the Personal Data Protection Authority.

  • First, it must be demonstrated that, according to the Law, personal data refers to any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified. Thus, any statement identifying a person would fall within the scope of personal data protected by the Law, such as the person’s name, identification number, passport number, phone number, membership number in any organization, personal photo, copies of documents related to him/her or his/her job, credit information, or email address.

  • It is also worth clarifying that any person determining the purposes and means of processing any particular personal data is considered a data controller. A data controller is responsible for complying with the legal conditions of obtaining and processing the personal data. Therefore, any organization, company or entity that obtains, during the course of its operations, personal information of clients and determines the way such information is processed, shall comply with the standards of data protection, as prescribed by the Law.

  • The Law establishes a basic rule, which is, without legal basis personal data may not be obtained nor processed without seeking the data subject’s written and explicit consent. Also, as stipulated by the Law, specific consent shall be obtained for certain types of processing, such as the transfer of personal data outside the Kingdom of Bahrain. In this regard, Article (12) stated that transferring personal data outside the Kingdom is prohibited without the specific consent of the data subject, unless a special authorization is issued by the Ministry of Justice, Islamic Affairs and Waqf, on whitelist of countries and territories to be specified by a ministerial decision.

  • Article (15) states that it is prohibited to undertake any of the following processing operations without obtaining the Ministry of Justice’s prior written authorization: automatic processing involving linkage between personal data, of more than one entity, such as linking personal data, of two different controllers; automatic processing of biometric data used for the verification of an individual’s identity (e.g. the ones used for applications on smart devices); and processing that is undertaken by means of visual recording, and used for surveillance purposes (e.g. placing remote surveillance cameras).

  • In respect of the rights of individuals, the Law stipulates that the data subject shall be informed of all the necessary and adequate information about the entity accessing his/her personal data; the reason for accessing such data and the manner in which it will be processed; in addition to any further information necessary to ensure fair and just processing of data relating to the data subject. This includes, but is not limited to, informing the data subject whether the personal data will be used for direct marketing purposes.

  • In this regard, the Law grants the data subject the right to know whether a particular entity is processing his/her personal data. Under the Law, the entity shall respond to all data subject’s questions and requests for clarification; to state whether the entity is processing his/her personal data, the purpose of processing, and disclosure of other parties that have access or process the personal data.

  • In such case, the data subject may request from the data controller to rectify, block or erase the personal data relating to him/her, as per the circumstances, conditions and requirements, if its processing would cause unwarranted substantial damage, being material or moral, to the data subject or others, or if the processing is in breach of the provisions of the Law, in particular if the data is inaccurate, unspecified, incomplete or incorrect, especially if its processing is illegal or harmful to the data subject’s interests.

  • Further, the Law grants the data subject the right to object to direct marketing which is aimed at a particular person using their personal data, such as behavioral targeting, and ads sent via text messaging (SMS) or email’. Under the Law, any entity shall cease the processing upon receiving a request from the data subject to do so.

  • Finally, under the Law, anyone having a legitimate interest or capacity may lodge a written complaint to the Authority, if he/she believes that there might be a breach of any provision of this Law, or that a person is processing personal data in a manner inconsistent with the provisions of this Law. Therefore, the law aims to provide assurance to individuals that their personal data is processed fairly and lawfully, and that means of safeguarding their rights in this regard are maintained.