This issue is filled with great insights and expert commentary on areas that are relevant to the legal landscape and highlight how the business community is embracing technology, media and telecommunications. There are various topics covered, from new ways of working and digital transformation in the finance sector to data protection regulatory updates and guidance. We also have a series of articles that focus on e-commerce across a number of jurisdictions.
You will also find insights from our lawyers around real estate analytics, tech trends, and data centres.
We hope this edition of Law Update provides some useful food for thought – enjoy the read!
The Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) has issued five (5) additional draft decisions for consultation (“Draft Decision(s)”), pursuant to certain articles in the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”) stipulating the issuance of executive regulations. The Authority is currently accepting feedback on the Draft Decisions. Whilst no official deadline has yet been set for submissions, it is anticipated that the Authority will continue accepting feedback until the end of July. Feedback can be sent to the following e-mail address: firstname.lastname@example.org.
We have set out below some important highlights of the Draft Decisions.
This Draft Decision relates to the critical compliance step under the PDPL of notifying the Authority regarding processing activities.
Article 14 of the PDPL stipulates that, subject to certain exemptions, data controllers must notify the Authority prior to any processing activities, and update the Authority regarding any changes to the register within thirty (30) days from such change.
The Draft Decision clarifies that both existing and new processing activities shall require prior authorisation from the Authority. The Decision sets out, amongst other things, the information data controllers shall include when submitting the above-mentioned notification, the form of the notification, and the timeline during which the Authority shall respond to such notification request.
With reference to the PDPL, it is prohibited to transfer personal data outside the Kingdom subject to certain exemptions or an authorisation from the Authority; the latter includes where the transfer is “to a country or jurisdiction…on a list compiled and updated by the Authority…”. This Draft Decision lists 42 states, countries and territories which are deemed to have adequate legislative protections for personal data – i.e. it will be permissible to transfer personal data to these countries without the Authority’s prior approval.
A few significant differences exist between Bahrain’s ‘whitelist’ and that of the EU and even the financial free zones of the ADGM and DIFC in the UAE. Whilst it includes almost all EU countries, in addition to (inter alia) Israel, Japan, New Zealand and Switzerland, the Authority does not currently include the UK as offering adequate protection of personal data. However, in contrast with the DIFC, ADGM and EU, it proposes to grant adequacy status to the USA.
The Draft Decision details general obligations that all data controllers should abide by when processing sensitive personal data. This includes adopting internal policies and guidelines for protecting sensitive personal data (as mandated by the PDPL and/or instructed by the Authority), and maintaining appropriate records of the data processed whilst clearly setting out (inter alia) the purpose of the processing.
Data Controllers shall ensure that their appointed data processors comply with all regulations applicable to sensitive personal data.
The PDPL requires that data controllers maintain a register of the processing operations that the Data Manager must notify the Authority about in accordance with Article 14 of the law.
It is not completely clear that this is the “register” the Draft Decision refers to. The Draft Decision defines the “register” referred to in the PDPL as any register, whether in paper or electronic form, that contains the personal data of an identifiable individual and is accessible to the general public.
The Draft Decision also sets out the obligations of data controllers upon the creation of the register – these mainly entail ensuring accuracy of the data and providing the relevant data subjects with information concerning the register, such as the purpose of creating the register, the data to be published in the register and the means of publication.
As per this Draft Decision, data controllers shall establish procedures for receiving data subjects’ complaints and make the procedures known to the data subjects.
The Decision further sets out the circumstances under which data subjects may file complaints against data controllers with the Authority as well as the information to be submitted with the complaint.
As a leading law firm in the Middle East & North Africa Region and with a reputable and dedicated Digital & Data practice, Al Tamimi & Company is well placed to assist you with preparing your submissions to the Authority and/or assess the probable impact of the PDPL on your organisation.
If you would like to further discuss the contents of this update, please contact Al Tamimi & Company in Bahrain.