Fatima Alsayed – Associate ([email protected])
The Kingdom of Bahrain is expanding its regulations on the protection of individuals and their personal data. On 17 March 2022, the Bahraini Ministry of Justice, Islamic Affairs and Endowments (the "Ministry") issued ten ministerial resolutions addressing various elements of the Personal Data Protection Law established under Legislative Decree No. (3) of 2018 (the "PDPL").
This update addresses the decisions the Ministry has imposed in order to regulate and improve the processing of personal data in light of the PDPL.
Transferring Personal Data Outside the Kingdom
Relevant to Article 12 of the PDPL, the first ministerial resolution lists all the countries and territories that, in the determination of the Personal Data Protection Authority (the "Authority"), provide adequate legislative and regulatory protection for personal data. This guides the data controller (the person entrusted with the processing of personal data) as to where personal data can be transferred, knowing such data will be protected, without the need to obtain a permit from the Authority. Such a permit is only needed where a transfer is made to a country or territory that is not listed, is within a regional or international group, or is made to another data controller or a third party outside the Kingdom on the basis of a contract.
Technical and Organisational Measures
To ensure that the appropriate level of security is taken into account for the data to be processed, the data controller shall adhere to the following: (i) apply all or some of the technical and organisational measures needed during the processing operations; (ii) conduct a data protection impact assessment in the course of the processing procedures, which helps identify and minimise the data protection risks of a project; (iii) open communication channels between the data controller and the data subject (the person who is the subject of the data) or their legal representatives so that any breach can be reported; (iv) implement rules for internal investigation to reveal the reasons that led to a breach; and (v) provide training programmes to employees on such measures and the protocols related thereto.
Notification to the Authority
According to Resolution No. 44 of 2022, the data controller shall give prior notice to the Authority, through the Authority's website, of any wholly or partially automated processing operation, or set of such operations, intended to serve a single purpose or several related purposes. The Authority has ten days from the date of receiving the notice to request the completion of any deficiency in the notification. In the cases stipulated in Article 15(1) of the PDPL, the data controller shall obtain prior written permission from the Authority. Giving such prior notification does not mean that the data controller is released from the obligation to obtain the consent of the data subject where it applies.
Procedures of Processing Sensitive Personal Data
Where the data controller has given prior notice to the Authority, as mentioned in the paragraph above, it remains prohibited to process sensitive personal data without the consent of the data subject. However, the data controller may process such data without the consent of the data subject if one of the cases set forth in Article 5 of the PDPL is present.
During the processing of any sensitive personal data, the data controller must abide by the following: (i) the processing shall be carried out within the scope of the consent of the data subject and the Authority; (ii) technical measures shall be used to guarantee safety from any breach; and (iii) the data shall not be kept for a period exceeding that specified by the data subject.
Data Protection Guardian
A data protection guardian is any natural or legal person (including companies) registered under the Data Protection Guardians Register, either internally or externally, who assists the data controller in exercising his rights and adhering to his duties. Resolution No. 46 of 2022 elaborates on the requirements for becoming an internal or external data protection guardian.
Meanwhile, Resolution No. 47 of 2022 specifies the registration and renewal fees for registering under the Data Protection Guardians Register. An exemption from such fees may be granted on the basis of the concerned party's bank statement for the last three months, together with a copy of the audited annual accounts for the last fiscal year.
Rights of the Data Subject
The main objective of the PDPL is to protect the data subject from any breach or violation of his personal data. Hence, the data controller must take all measures to ensure that such protection is accessible to the data subject, by informing him of the decisions taken regarding the processing of his personal data and by setting rules and procedures that ease the exercise of the data subject's right to withdraw his consent.
Anyone having a legitimate interest or capacity may lodge a written complaint with the Authority if he believes there may have been a breach of any provision of the PDPL. After the complaint is submitted and accepted by the Authority, the Authority shall notify the accused parties of their right to respond. The resolution allows a period not exceeding seven working days from the date of the complaint for the accused to submit their defence. However, when the complaint concerns serious matters and is accompanied by strong evidence, the chairman of the board may investigate without any prior notice. The Authority will investigate and decide on the complaint in accordance with Chapter One of Section Three of the PDPL.
Controls and Guarantees for Maintaining Confidentiality of the Data with Respect to Filing and Conducting Criminal Proceedings and Related Judgments
In accordance with Article 7 of the PDPL, entities and individuals authorised to process data related to the filing and initiation of a criminal case are prohibited from disclosing, transmitting, publishing, broadcasting, circulating, or providing such data to any other party not concerned with it under the law. They shall use technical systems or any other appropriate means to ensure an adequate level of protection and privacy during the processing of the data, whether carried out in an automated or non-automated manner, so as to preserve it in a way that ensures its confidentiality and protection.
Public Access to Personal Data Register
The personal data recorded in the registers may be made accessible to the public with the consent of the data subject. The data controller is obliged to inform the data subject of the purpose of creating the register, along with any other necessary information according to the circumstances of the case, and shall update the register regularly and ensure that it is protected from any kind of hacking or data manipulation. Furthermore, Resolution No. 51 of 2022 indicates the content that should be included in the register, such as the data type, the purpose of the data collection, and the date of the last update to the register.
Since the PDPL has come into force, together with the recent ministerial resolutions, it has set a precedent for companies and organisations in the Kingdom of Bahrain to follow in protecting their customers' and employees' personal data, by defining the methods and means of processing such data in a way that gives those individuals confidence.
For more information, please contact us on [email protected].