Learn all about Bahrain Personal Data Protection Law
Bahrain's Personal Data Protection Law ('PDPL')
Insights into the Legislation
© 2022 Tsaaro. All rights reserved.
INTRODUCTION

Overview

On July 12, 2018, Bahrain passed Law No. 30 of 2018 concerning Personal Data Protection ("PDPL"). The PDPL is Bahrain's primary data protection law and came into effect on August 1, 2019. It is the second national law in the Gulf region to specifically address the right to personal data protection and is modelled on the European Union's General Data Protection Regulation. The law aims to set out requirements and establish procedures for entities involved in processing the personal data of individuals.

Target Audience

This whitepaper analyses the legislation and evaluates it against other significant legal frameworks for data privacy and protection. Data protection awareness programs and training sessions are expected to become progressively prevalent in Bahraini firms, which must adopt data governance mechanisms and data protection policies to ensure compliance with the law. The paper is therefore written for a wide range of audiences, including senior and mid-level IT management, privacy officers and compliance leaders, to help them understand the salient features of the legislation. It will also help secondary audiences, including students and academics, understand the complexity of the legislation and its clauses.
INTRODUCTION

Bird's Eye View

The major piece of legislation in Bahrain governing the processing of personal data is the Personal Data Protection Law (PDPL). Before the PDPL was passed, various other Bahraini laws already contained data privacy clauses. Those clauses remain valid as long as they do not contradict the Law or the resolutions issued under it. The Ministry of Justice and Islamic Affairs is designated as the Data Protection Authority to ensure compliance with the Law. The Authority recently issued enforcement decisions with guidelines to give effect to the Law's provisions. These, along with the other features of the PDPL, are discussed in detail in this whitepaper.

Problem Statement

The PDPL is largely consistent with the EU GDPR's definitions of personal data and sensitive personal data; however, the term 'data protection guardian' is new nomenclature among privacy regimes. The PDPL also introduces sector-specific categories for the processing of data, and the compliance requirements for each will be strict. A range of administrative and criminal penalties may be imposed for non-compliance with the PDPL. Entities processing personal data must therefore focus on complying with its provisions.
STRUCTURE

01 Scope & Application
02 Key Features of the Act
03 Grounds of Processing
04 Data Subject Rights
05 Cross Border Data Transfers
06 Authorisation & Breach Notifications
07 Enforcement and Liability
08 Comparison with the EU GDPR
09 Conclusion
SCOPE AND APPLICATION

The provisions of the Law apply to any natural person who habitually resides in, has a place of business in, or processes information by means available in the Kingdom of Bahrain. It does not, however, apply to processing activities that involve only the transit of data over the territory of Bahrain.

Territorial Scope

The Law safeguards the personal data of citizens and legal residents of the Kingdom of Bahrain. It applies to any person or controller who processes personal data in Bahrain, regardless of their place of residence.

Material Scope

The Law applies to any processing of data that is partially or fully automated, and to non-automated processing of data structured in a manner that makes the personal data of individuals readily accessible.

Exemptions

The PDPL does not apply in the following circumstances:
- where the data processing activity is carried out by an individual solely for 'the individual's personal or family affairs';
- where processing operations are undertaken for public security.
KEY FEATURES OF THE ACT

Data Quality Control

The PDPL imposes the following responsibilities to ensure data quality control:
- Legitimate and fair processing of data must be a priority.
- Personal information must be collected for a clear, specific and legitimate purpose.
- The data collected must meet the intended purpose; it should be adequate, relevant and not excessive.
- The data protection regulator must be notified and, in some cases, prior approval obtained.
- The data protection supervisor must be impartial and independent.
- Data must not be transferred outside Bahrain except under restricted circumstances.

Consent

Under the PDPL, consent obtained from the data subject must be freely given, written, explicit, clear and specific to the processing operations undertaken by the entity. The PDPL further makes clear that personal data cannot be processed unless the data subject's consent is obtained before processing, except where the processing falls within one of the five grounds for processing provided in Article 4 of the Law.
Sensitive Personal Data

The PDPL defines "sensitive personal data" as any personal data that contains a reference to a person's ethnic or tribal origin, religious or political beliefs, philosophical opinions, involvement in civic organisations or institutions, health data, or sexual status.

Data Protection Guardians

The PDPL provides for data protection guardians, who are responsible for assisting the data controller in exercising its rights and performing its obligations under the Law. Data protection guardians are akin to data protection officers (DPOs) under other legislation, but the PDPL has adopted a different nomenclature for them. They liaise between the Authority and the data controller on the implementation of specific provisions relating to the processing of personal data, and ensure lawful processing. Where a data protection guardian identifies a violation, they must bring it to the data controller's attention so that the causes of the violation can be eliminated.
GROUNDS FOR PROCESSING

Consent: Consent obtained from an individual has to be freely given, written, explicit, clear and specific to the processing of certain data, and granted by a person with full legal capacity.

Contract: Where processing is necessary for the execution of a contract to which the data subject is a party, or occurs at the request of the data subject in order to conclude a contract.

Legal Obligation: Where processing is necessary for the enforcement of a legal obligation or an order issued by a competent court or the Public Prosecution.

Vital Interests: Where processing is necessary to protect the vital interests of the data subject.

Legitimate Interests: Where processing is necessary for the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
DATA SUBJECT RIGHTS

On the rights of data subjects, the PDPL sets out what data controllers must do during data processing operations. Where they carry out automated processing, this includes establishing clear rules and processes that allow the data subject to refuse such processing, clarifying the purpose of the processing and how decisions are made, and informing the data subject of the consequences of those decisions.

01 Right to be Notified Upon Processing of Personal Data
02 Right to Object to Direct Marketing
03 Right to Object to Processing for Direct Marketing Purposes
04 Right to Object to Processing Causing Material/Moral Damage to the Data Subject or Others
05 Right to Object to Decisions Based on Automated Processing
06 Right to Request Rectification, Blocking and Erasure of Data
07 Right to Lodge Complaints
Article 18: Right to be notified upon processing of personal data

The PDPL requires that data subjects be notified by the data controller when their personal data is processed. This must be free of charge. The notification must include:
- all the data being processed;
- any information available to the data controller as to the source of the data, except where the confidentiality of the source is required by law;
- the purpose of the processing;
- the names of the recipients of the data, or their categories.
Timeline to respond: notification must be issued within 15 days.

Article 19: Right to object to direct marketing

The data controller must inform data subjects where any of their personal data may be processed for the purposes of direct marketing. Data subjects have the right to submit objections to such processing.

Article 20: Right to object to processing for direct marketing purposes

The data controller must stop processing for the purposes of direct marketing within 10 working days of receiving such a request.
Remedy for non-compliance by the data controller: if the data controller does not accept the data subject's request within the prescribed period, the data subject may file a complaint with the Authority.
Timeline to respond: the request must be honoured within 10 days.
Article 21: Right to object to processing which causes material or moral damage to the data subject

The data controller must stop processing data where the processing causes unwarranted damage, whether material or moral, to the data subject or others.
Timeline to respond: the request must be honoured within 10 days.

Article 22: Right to object to decisions based on automated processing

Data subjects have the right not to be subject to a decision based solely on automated processing. Such decisions may include assessments of the data subject's performance at work, financial standing, creditworthiness, reliability, conduct, etc.

Article 23: Right to request rectification, blocking and erasure of data

A data subject has the right to request the rectification, blocking and erasure of their personal data where its processing breaches the Law.
Timeline to respond: the request must be honoured within 10 days.

Article 25: Right to lodge complaints

Anyone with a legitimate interest or ability may file a written complaint with the Authority if:
- any provision of the PDPL is violated; or
- personal data is processed in a manner inconsistent with the terms of the Law.
CROSS BORDER DATA TRANSFERS

The Law prohibits data controllers from transferring personal data outside the Kingdom of Bahrain unless the destination country is listed in the Adequacy List, which is compiled and updated by the Personal Data Protection Authority (PDPA). Data transfers to any country not on the Adequacy List require authorisation from the PDPA, which is decided on a case-by-case basis. Where transfers are made under a contract to third parties in a country not on the Adequacy List, the Law requires controllers to obtain authorisation from the PDPA and to provide a copy of the agreement.

Additionally, the Law sets out technical and organisational measures, which include a privacy by design programme, establishing privacy frameworks, conducting a Vulnerability Assessment and Penetration Testing (VAPT), developing effective plans to address breaches, and determining the competence of employees.

Exemptions: Data controllers may also transfer personal data to countries not determined to have an adequate level of protection of personal data where:
- the consent of the data subject has been obtained;
- the data is publicly available;
- the transfer is necessary for the performance or conclusion of a contract;
- the transfer is necessary to protect the vital interests of the data subject; or
- the transfer is necessary to comply with a legal obligation.
BREACH NOTIFICATION

Article 15: Prior Authorisation

The PDPL prohibits certain processing operations without the Authority's prior written authorisation. These operations include the automated processing of:
- sensitive personal data;
- linkages between the personal data files of two or more data controllers (for different purposes);
- visual recordings used for surveillance purposes.

Notification of Data Breach

For a long time, the PDPL had no provision on the data protection officer's responsibility to notify the Authority of a data breach. Recently, however, the Minister of Justice, Islamic Affairs and Waqf issued a Ministerial Resolution on data breach notification. Under Ministerial Resolution No. 44 of 2022, data controllers must inform the Authority of a data breach within 72 hours of the date on which the incident is discovered. Further, if the data breach affects the rights of data subjects, the data controllers are also obliged to notify them of the breach.
ENFORCEMENT & LIABILITY

Civil Liability

Anyone who suffers damage resulting from the processing of their data may seek compensation from the data controller or DPO if the processing breaches the provisions of the Law. In the event of a violation of an authorisation, the Authority may order the party committing the violation to stop its conduct immediately or within a specified period; on failure to comply, the Authority may withdraw the authorisation granted.

Criminal Liability

The Law provides that imprisonment not exceeding one year and/or a fine of not less than BD 1,000 and not more than BD 20,000 may be imposed for any of the following:
- processing sensitive personal data without obtaining consent;
- unlawfully transferring data outside the Kingdom of Bahrain;
- processing data without notifying the Authority;
- processing data without obtaining the Authority's prior authorisation;
- providing the Authority or data subjects with false information;
- withholding from the Authority any information or data that it requires;
- disrupting the Authority's inspections or investigations;
- disclosing information in their possession for their own benefit.
If the liability falls on a corporate legal person, the fine may be increased up to twice that prescribed for a natural person.
Comparison: GDPR vs PDPL

1. Scope / Applicability
PDPL: Applies to any entity processing the personal data of data subjects in the Kingdom of Bahrain, including processing by entities outside the Kingdom of the personal data of individuals residing in the Kingdom. This includes all controllers and processors.
EU GDPR: Applies to organisations that have a presence in the EU, or that process the data of EU residents, irrespective of the company's location.

2. Data Subject Rights
PDPL: right to access, right to object, right to be notified upon processing of personal data, right to request rectification, blocking and erasure of data, right to lodge complaints.
EU GDPR: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.

3. Legal basis of processing data
PDPL: consent, contract, legal obligation, vital interests, legitimate interests.
EU GDPR: consent, contract, legal obligation, vital interests, public task, legitimate interests.

4. Penalties
PDPL: The penalty under the PDPL is defined, and fines and penalties are imposed under Article 55. Infringers of the PDPL may be fined up to BD 2000/- (approximately 5300 USD) by the Competent Authority. If any of the offences specified in Article (58) of the Law are committed in the name of a legal person, action is taken by the competent authority.
EU GDPR: The penalty under the GDPR is defined, and fines and penalties imposed under Article 83 are flexible and scale with the firm. Administrative fines are set at up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CONCLUSION

The PDPL intends to increase Bahrain's attractiveness to international companies by establishing a clear framework for handling personal data. The legislation is heavily influenced by the country's ambition to become a data centre hub, with tech giants now proposing to operate data centres there and rapidly expanding into the telecoms sector. Companies operating in Bahrain should:
- evaluate in advance whether their business operations fall within the scope of the legislation;
- identify the types of personal data being collected, from whom, and for what purposes it is being processed.
With this law in place, systems are required to guarantee that organisations can meet their commitments while also respecting the new rights granted to data subjects.

References
http://www.pdp.gov.bh/en/assets/pdf/regulations.pdf
http://www.pdp.gov.bh/en/assets/pdf/executivedecisions/eng/the_be _met_in_the_technical.pdf
WHY TSAARO?

Tsaaro provides privacy and cybersecurity services to help organisations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognised by IAPP.

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow in Information Privacy (IAPP), the highest certification in the field of privacy. His expertise lies in data privacy and information security compliance.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.

Tsaaro Bangalore Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore 560045, India
Tsaaro Gurugram Office: Level 1, Building 10A, Cyber Hub, DLF Cyber City, Gurugram, Haryana 122002, India
Tsaaro Amsterdam Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719

Anushka Siwach, Data Protection Consultant, Tsaaro. P: +91-0522–3581
Krithi Shetty, Data Protection Consultant, Tsaaro
Poojan Bulani, Data Protection Consultant, Tsaaro. P: +91522–3581306

EMAIL US: info@tsaaro.com