Bahrain enhances its data protection regime
On 17 March 2022, the Personal Data Protection Authority (PDPA) published 10 resolutions in support of Law No. 30 of 2018 with respect to Personal Data Protection (the PDPL).
These resolutions follow a consultation on draft regulations circulated in May 2021, which we discussed in an earlier article.
These resolutions cover the following:
- conditions for transferring personal data outside of Bahrain;
- technical and organisational measures for the protection of personal data;
- notification to the Personal Data Protection Authority for certain types of processing or transfers;
- rules and procedures for processing sensitive personal data;
- rules regarding data protection officers;
- fees for registration of data protection officers;
- rights of data subjects;
- complaints about personal data violators;
- confidentiality of data relating to criminal case filings and judgments; and
- public personal data records.
We set out below some of the areas of interest arising from the publication of these resolutions.
Whitelist for data transfers outside of Bahrain
The most meaningful changes are the rules on transfers of personal data outside of Bahrain under Resolution No. (42) of 2022, which includes an updated whitelist of 83 countries, up from the 43 countries set out in the consultation document. A data manager may transfer personal data to a whitelisted country without the consent of the PDPA, provided that either the relevant consent of the data subjects has been obtained or there is a contractual or legal need for the transfer.
Where personal data is to be transferred to a country that is not on the whitelist, a permit from the PDPA is required. This applies equally to intra-group transfers and to transfers made pursuant to a contract with a third party; in the latter case, the data manager must submit a copy of the contract to the PDPA as part of its permit request.
Notification of personal data breaches
Resolution No. (43) of 2022 formally sets out the requirement that a data manager must notify the PDPA of a personal data breach within 72 hours of discovering it, unless the breach is unlikely to threaten the rights of data subjects.
Where the data manager does not notify the PDPA within the 72-hour period, it must set out in its notification to the PDPA the justification for the delay.
The data manager should also notify the affected data subjects of any breach of their personal data unless:
- the personal data is incomprehensible to any person who accesses it; and
- the directors of the data manager take subsequent measures to ensure that a significant risk to the rights and freedoms of the data subjects will not arise.
In addition, the data manager may notify data subjects by public statement rather than individually where individual notification would require disproportionate effort.
Approval for certain types of automatic processing
Resolution No. (44) of 2022 sets out the requirements for an application for the PDPA's approval of the restricted areas of data processing under Article 15 of the PDPL, in particular:
- automatic processing of sensitive personal data that is necessary to protect an individual who is legally incapable of giving the required consent;
- automatic processing of biometric data used to identify an individual;
- automatic processing of genetic data (other than for preventive medicine, medical diagnosis, treatment and healthcare);
- automatic processing that links personal data held by at least two separate data managers; and
- processing of visual recordings for surveillance purposes.
The application must be made via the PDPA's website before the automatic processing takes place. Where the PDPA grants its consent to the data manager, it must do so within 30 days of receiving all relevant information; if the PDPA does not grant consent within that period, the application is deemed rejected.
In its application, the data manager must explain to the PDPA how it will carry out the processing in a transparent manner, including: how data subjects will be notified of any visual recording (where relevant); how the treatment of the data will be adequate for the purposes for which it was collected; the processes in place to restrict access to the data to authorised persons only; and the processes that allow data subjects to access their data on request.
Notwithstanding the consent of the PDPA, the consent of the data subject is required for the relevant automatic processing as required by the PDPL.
Data Protection Controllers
Resolution No. (46) of 2022 provides further information on the requirements for Data Protection Controllers (the data protection officers referred to in the list above), who may be appointed either as an internal position within the data manager or as an external consultant.
An external Data Protection Controller who is an individual must hold qualifications in the field of information or electronic security, or a degree in IT. An external Data Protection Controller that is a company must be licensed in the legal, auditing, IT, accounting or risk management field and must have at least three (3) employees who hold the qualifications required of an individual Data Protection Controller.
An internal Data Protection Controller must satisfy the qualifications required of an external individual Data Protection Controller and must also be an employee of the data manager and resident in Bahrain.
The PDPA will decide upon applications within 30 days of receiving all relevant documents and notify the relevant applicants within seven days from the decision. If the PDPA fails to respond within the relevant time period, the application shall be deemed rejected.
An external Data Protection Controller must disclose to the data manager if they are currently acting for or have been previously appointed by a competing entity or if they have any potential conflicts of interest.
The fees for appointing a Data Protection Controller are set out in Resolution No. (47) of 2022.
Consent of data subjects
Resolution No. (48) of 2022 provides additional clarity on electronic consent by data subjects. It states that where a data subject is obliged to give consent as a condition of browsing a website, that consent is not valid for the purposes of the processing.
In addition, a data subject may withdraw their consent at any time by notice to the data manager, without any payment or liability on the part of the data subject. The resolution requires data managers to establish procedures for responding to withdrawal requests. Following withdrawal, the data manager may continue to retain the personal data, subject to applicable regulatory requirements and confidentiality obligations, but may not process it in any other manner.
We have acted for a number of clients within Bahrain in relation to their compliance with the PDPL, and the publication and implementation of these resolutions have been welcome news to our clients, as they provide clarity and specificity to the PDPL, which had been lacking following its implementation.