Published: Jul 11, 2021

The Bahrain Data Protection Authority issues five additional draft decisions with respect to the Personal Data Protection Law

The Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) has issued five (5) additional draft decisions for consultation (“Draft Decision(s)”), pursuant to certain articles in the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”) stipulating the issuance of executive regulations. The Authority is currently accepting feedback on the Draft Decisions. Whilst no official deadline has yet been set for submissions, it is anticipated that the Authority will continue accepting feedback until the end of July. Feedback can be sent to the following e-mail address:

We have set out below some important highlights of the Draft Decisions.

  • Draft Decision on the Rules and Procedures of Data Processing

This Draft Decision relates to the critical compliance step under the PDPL of notifying the Authority regarding processing activities.

Article 14 of the PDPL stipulates that, subject to certain exemptions, data controllers must notify the Authority prior to any processing activities, and update the Authority regarding any changes to the register within thirty (30) days from such change.

The Draft Decision clarifies that both existing and new processing activities shall require prior authorisation from the Authority. The Decision sets out, amongst other things, the information data controllers shall include when submitting the above-mentioned notification, the form of the notification, and the timeline during which the Authority shall respond to such notification request.


  • Draft Decision on the States, Countries and Territories with Adequate Protection for Personal Data

With reference to the PDPL, it is prohibited to transfer personal data outside the Kingdom subject to certain exemptions or an authorisation from the Authority; the latter includes where the transfer is “to a country or jurisdiction…on a list compiled and updated by the Authority…”. This Draft Decision lists 42 states, countries and territories which are deemed to have adequate legislative protections for personal data – i.e. it will be permissible to transfer personal data to these countries without the Authority’s prior approval.

A few significant differences exist between Bahrain’s ‘whitelist’ and that of the EU and even the financial free zones of the ADGM and DIFC in the UAE.  Whilst it includes almost all EU countries, in addition to (inter alia) Israel, Japan, New Zealand and Switzerland, the Authority does not currently include the UK as offering adequate protection of personal data. However, in contrast with the DIFC, ADGM and EU, it proposes to grant adequacy status to the USA.


  • Draft Decision on the Procedures for Processing Sensitive Personal Data

The Draft Decision details general obligations that all data controllers should abide by when processing sensitive personal data.  This includes adopting internal policies and guidelines for protecting sensitive personal data (as mandated by the PDPL and/or instructed by the Authority), and maintaining appropriate records of the data processed whilst clearly setting out (inter alia) the purpose of the processing.

Data Controllers shall ensure that their appointed data processors comply with all regulations applicable to sensitive personal data.


  • Draft Decision on the Personal Data Registers

The PDPL requires that data controllers maintain a register of the processing operations that the Data Manager must notify the Authority about in accordance with Article 14 of the law.

It is not completely clear that this is the “register” the Draft Decision refers to. The Draft Decision defines the “register” referred to in the PDPL as any register, whether in paper or electronic form, that contains the personal data of an identifiable individual and is accessible to the general public.

The Draft Decision also sets out the obligations of data controllers upon the creation of the register – these mainly entail ensuring accuracy of the data and providing the relevant data subjects with information concerning the register, such as the purpose of creating the register, the data to be published in the register and the means of publication.


  • Draft Decision on the Rules and Procedures Governing the Submission of Complaints Relating to Personal Data

As per this Draft Decision, data controllers shall establish procedures for receiving data subjects’ complaints and make the procedures known to the data subjects.

The Decision further sets out the circumstances under which data subjects may file complaints against data controllers with the Authority as well as the information to be submitted with the complaint.


How we can help

As a leading law firm in the Middle East & North Africa Region and with a reputable and dedicated Digital & Data practice, Al Tamimi & Company is well placed to assist you with preparing your submissions to the Authority and/or assessing the probable impact of the PDPL on your organisation.

If you would like to further discuss the contents of this update, please contact Al Tamimi & Company in Bahrain.