Published: Apr 5, 2022

The Bahrain Personal Data Protection Authority issues 10 ministerial decisions with respect to the Personal Data Protection Law

Following several months of public consultations on draft decisions relating to the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”), the Bahrain Personal Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) issued ten (10) decisions supplementing and giving effect to several provisions under the PDPL. The decisions relate to:-

  1. Transferring personal data outside the Kingdom of Bahrain (including a ‘white list’ of countries that are deemed to have adequate legislative and regulatory protection for personal data by the Authority);
  2. The conditions to be met in the technical and organisational measures that guarantee protection of personal data;
  3. The rules and procedures for submitting notifications and prior authorisation requests to the Authority;
  4. The procedures for processing sensitive personal data;
  5. Data Protection Guardians;
  6. The registration / renewal fees and related exemptions for registering Data Protection Guardians in the Authority’s register;
  7. The data subjects’ rights;
  8. The rules and procedures governing the submission of complaints relating to personal data;
  9. Processing personal data concerning pursuing criminal proceedings and their related judgments; and
  10. Public registers of personal data.

The most notable concepts / procedures under the decisions include:

  • The introduction of “Privacy by Design” – data controllers will be required to adopt the principles of Privacy by Design when preparing, designing, selecting and using applications, services and products that are used for processing personal data.
  • The introduction of the requirements to conduct Data Protection Impact Assessments (DPIAs) and Vulnerability Assessments and Penetration Testing (VAPT) as part of the conditions that must be met in the technical and organisational measures to be implemented by data controllers.
  • The introduction of a mechanism for data breach notifications and the relevant rules and procedures thereof.
  • The introduction of a mechanism for submitting notifications to and obtaining authorisations from the Authority as prescribed under the PDPL.
  • The recognition of Binding Corporate Rules (BCR) for cross-border data transfers.

Timeline for implementation

While all ten (10) decisions became effective on 18 March 2022, it is yet to be clarified whether, in practice, businesses subject to the law will be provided with a grace period for compliance before the Authority takes enforcement action(s). We note that the forms for submitting notifications or requests from the Authority have not been issued yet.

What should you do next?

Businesses must, as soon as possible, ensure that they:-

  • Adhere to the obligations imposed by the PDPL and related decisions; and
  • Undertake a “health check” on their existing data processing activities in Bahrain.

We will be scheduling a webinar in the near future to discuss the PDPL and the new decisions.

How we can help

As a leading law firm in the Middle East & North Africa Region and with a reputable and dedicated Digital & Data practice, Al Tamimi & Company is well placed to assist you with assessing the probable impact of the PDPL and its implementing regulations on your organisation.

If you would like to further discuss the contents of this update, please contact Al Tamimi & Company in Bahrain.