Although Law No. 30 of 2018 promulgating the Personal Data Protection Law (“PDPL”) came into force on 1 August 2019 not all provisions of the PDPL actually became effective from that date. This is because under the resolution issuing the PDPL, it is provided that Board of Directors of the Personal Data Protection Authority (“Authority”), will issue the necessary decisions for the implementation of the provisions of the PDPL.
However, the Authority did not appear to have been established.
This has now been addressed by the publication of Decree No. 78 of 2019 Determining the Administrative Body entrusted with the tasks and Competences of Personal Data Protection Authority which provides:
- The Ministry of Justice, Islamic Affairs and Awqaf (“Ministry”) will assume the responsibility of the duties and powers for the Authority until the financial budget for the Authority has been allocated within the overall budget of the State, and a Decree forming the Board of Directors is issued.
- The Minister of Justice, Islamic Affairs and Awqaf has been determined as the member of the Ministry who is responsible for the duties and powers prescribed under the PDPL for the Authority’s Board of Directors and the Chairman of the Board.
- The Undersecretary for Justice and Islamic Affairs has been determined as the member of the Ministry who is responsible for the duties and powers prescribed under the PDPL for the Authority’s Chief Executive Officer.
This does not mean that the PDPL is now fully effective, as various implementing regulations, rules and procedures still need to be issued, including:
- How to give the Authority notice of data processing activities under Article14 of the PDPL.
- How to apply to the Authority for prior written authorisation for automatic processing of certain personal data (including biometric data and genetic data and visual recording to be used for monitoring purposes) under Article 15 of the PDPL.
- A decision specifying the terms and conditions that the technical and organisational measures capable of protecting data must satisfy under Article 8 of the PDPL.
- A decision requiring specific categories of data controllers to appoint a Data Protection Guardian under Article 10 of the PDPL.
- Issuing a list of the names of the countries that are deemed to have statutes or regulations in effect that provide sufficient protection to personal data under Article 12 of the PDPL so that data controller’s can transfer data from the Kingdom of Bahrain to such a country without the need (as currently is the case) to fall within an exception set out in Article 13.
- A resolution specifying the procedures for a data subject to withdraw their consent for the processing of their personal data under Article 24.
What has happened is that it is now certain who has responsibility for implementing the law and it is clear that the necessary steps are being taken by the Kingdom of Bahrain to do this.
Al Tamimi’s specialist TMT lawyers and members of our Bahrain office can assist you with the necessary steps you need to take to comply with the new law. For more details on our offering and how we can assist you, please contact us at email@example.com.
Senior Counsel, TMT
Partner, Head of Office – Bahrain, Corporate Commercial