Bahrain introduces Personal Data Protection Law

Bahrain’s new Personal Data Protection Law (PDPL), Law No. 30 of 2018, will come into force 1 August 2019. It regulates how personal data is collected, processed and stored, and it gives data owners specific rights to know what data is being collected and how it is being processed. Businesses will have new obligations to keep data secure and must obtain authorization from the government data protection authority to automatically process specific types of data, such as sensitive personal data, biometric data, genetic data and video monitoring data.

Like the European Union’s General Data Protection Regulation (GDPR), the PDPL requires that businesses have a legitimate and specific need for the data, that they obtain fully revocable consent, that the data collected is limited to those specific purposes, and that personally identifiable data is not retained after meeting the purpose. Data may only be transferred to countries with sufficient data protection laws that are listed in the Official Gazette. Transfers to other countries require the data owner’s consent or should be limited to executing a contract for the benefit of the data owner. Violations can incur criminal penalties of up to one-year imprisonment and fines of BHD 1,000 to BHD 20,000.