Bahrain Personal Data Protection Law
The Trust Challenge

Key obligations and consequences

The provisions of the Data Protection Law apply to any natural person who normally resides in Bahrain or has a place of business in Bahrain, any legal person that has a place of business in Bahrain, and any natural or legal person who processes data using means available in Bahrain, unless the purpose of using data processing means in Bahrain is to pass the data on to a different jurisdiction through Bahrain.

Data controllers are required to notify the Authority before proceeding with data processing, and to obtain prior permission for some forms of data processing (as explained in further detail under paragraph 5 above). The Data Protection Law imposes further responsibilities and obligations on data controllers, including:

  • Complying with the decisions of the Authority with respect to the rules and procedures for processing sensitive personal data.
  • Ensuring the security of the processing by applying adequate security and technical measures to prevent the unintended destruction, unauthorized access, alteration or loss of the data, and protecting the data from other forms of processing.
  • Ensuring that the data processor applies adequate safeguards to the data, and verifying that the data processor carries out the processing in accordance with the data processing agreement entered into by the data controller and the data processor.
  • Maintaining the confidentiality of the personal data. Data controllers are prohibited at all times from disclosing any data without the consent of the data subject or pursuant to an order of the court or the public prosecutor.
  • Complying with the provisions of the Data Protection Law in connection with the processing of data.
  • Obtaining the Authority's authorization before transferring data outside the territory of Bahrain, unless exempted.
  • Disclosing his/her identity and the intended purpose of processing the data to the data subjects.
  • Informing the data subjects if their data is intended to be used for direct marketing purposes; the data subjects have the right to object.
  • Updating the data subject on the status of any data processing application.
  • Receiving applications from the data subjects to correct, block, erase or withdraw their processed data.
  • Keeping a record of the data processing conducted and providing the Authority with an updated copy of the record once a month (in the absence of a data protection officer).

Data controllers may be held liable to compensate a data subject who has suffered damage as a result of the processing of his or her data.

The data processor is required to conduct the processing in accordance with the terms of the written agreement binding the data controller and the data processor, and shall only process data in accordance with the instructions of the data controller. The same duties and obligations that are applicable to data controllers with respect to the confidentiality and security of the data are applicable to data processors.

The Trust Challenge

Key Challenges in brief:

The Data Protection Law obliges data protection officers to notify the Authority of any violation/breach committed by the data controller if the breach is not rectified by the data controller within 10 days from the date on which the data protection officer notified the data controller to rectify it.

Data subjects are entitled to request that the data controller remove, erase or withdraw their data.

The Data Protection Law sets a general prohibition on transferring personal data outside the territory of Bahrain. However, there are exclusions to this general principle under which the transfer of data outside Bahrain is allowed, and they are as follows:

  • The Authority shall issue a statement, published in the official gazette, containing a list of countries and territories to which the transfer of data is permissible. The Authority will issue such a list after taking into consideration territories which have applicable data protection legislation and regulations that are deemed satisfactory, to the extent that the Authority is assured of the adequacy of the protection provided by the laws and regulations of the said territories.
  • The Authority may authorize the transfer of data on a case-by-case basis after assessing the circumstances surrounding the transfer. The Authority will mainly consider the size and nature of the data, the purposes of the transfer, and the data protection laws, regulations or international conventions applicable in the territory to which the data will be transferred. The authorization is subject to the discretion of the Authority, which may set specific conditions and time periods for such authorization.

Processing of personal data is prohibited without obtaining the written consent and approval of the data subject. The Data Protection Law grants data subjects the following rights:

  • To have their data stored in a manner which does not make them identifiable, or to have their identity encrypted if it is impossible to store their data in such a manner.
  • To have their data protected and not disclosed to any unauthorized party without the consent of the data subject.
  • To be informed by the data controller when their data is being processed, and to be informed of the data controller's full name, scope of activity or profession, address, the purposes for which the data are intended to be processed and any other necessary information, depending on the circumstances of each case, that would ensure fair processing for the data subject.
  • To object to the use of their personal data for direct marketing or to the data being made publicly available.
  • To object to processing that causes material or moral damage to the data subject or others.
  • Where data processing is used to assess the data subject's performance, financial position, eligibility for borrowing, behavior or reliability, the data subject may request a different approach so that his/her assessment is not made solely on the basis of automated processing of data.
  • The right to correct, block, erase or withdraw their processed data at any time by sending a written application to the data controller.

Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire "data footprint", enabling them to protect what matters most.

Third party Privacy Intelligence (monitors third party sharing): There are often silos within entities, or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing, so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, approached from a risk reduction and compliance perspective. We scan large data sets using machine learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing unwanted data, along with the legal cost of holding it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not the reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM is designed to enable consent compliance within your organization. This involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. It also enables consent management in 22 regional languages.

The Trust Challenge

Key Obligations & Consequences

The principles of data subject privacy which every data controller is obligated to take into account in processing data are:

  • Accountability.
  • Lawfulness of processing.
  • Specification of purpose.
  • Compatibility of further processing with purpose of collection.
  • Quality of information.
  • Openness.
  • Data security safeguards.
  • Data subject participation.

The Data Protection Act requires that personal data may only be processed if the purpose for which it is processed is necessary, relevant, and not excessive. These yardsticks must be used to measure all claims by the data controller in determining the solicitation and processing of data subjects' information.

The data subject's consent to the processing of personal data is a condition which must be fulfilled by the data controller, unless the data controller can demonstrate that such processing is:

  • Necessary for the purpose of a contract to which the data subject is a party.
  • Authorized or required by law.
  • To protect a legitimate interest of the data subject.
  • Necessary for the proper performance of a statutory duty.
  • Necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

The Data Protection Act requires that the data subject consent to the further processing of the information, or that the data be publicly available or have been made public by the person concerned, or that further processing is necessary:

  • For the prevention, detection, investigation, prosecution, or punishment for an offense or breach of law.
  • For the enforcement of a law which imposes a pecuniary penalty.
  • For the enforcement of legislation that concerns the protection of revenue collection.
  • For the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated.
  • For the protection of national security.

The principles relating to data retention also carry with them the obligation to maintain data processing records and ensure that data is not kept beyond the retention period.

The Trust Challenge

Key Challenges in brief:

Data Breach Notification

If the personal data of a data subject has been accessed or acquired by an unauthorized person, the data controller, or a third party who processes data under the authority of the data controller, shall notify the Commission and the data subject of the unauthorized access or acquisition as soon as reasonably practicable after discovering it. The data controller shall take steps to ensure the restoration of the integrity of the information system.

Data Retention

The Data Protection Act recognises that there is no one-size-fits-all approach to retention periods. There is also recognition that the period for which data subject records may be held is capable of being benchmarked against specific issues. One statutorily prescribed retention principle is that a data controller must not retain personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, unless:

  • The retention of the record is required or authorized by law.
  • The retention of the record is reasonably necessary for a lawful purpose related to a function or activity.
  • Retention of the record is required by virtue of a contract between the parties to the contract.
  • The data subject consents to the retention of the record.

The retention period for which personal data may be held may be the subject matter of specialized legislation relating to different aspects of activities. The actions of the data controller may trigger a data subject to submit a request for information, and in such circumstances, the data controller would be required to provide the requested information in line with the provisions of the Data Protection Act.

Data Subject Rights

Following are some of the data subject rights that data subjects in Ghana can exercise.

  • Right to be Informed: Data subjects have the right to be informed of the processing of their personal data and the purposes for which the data is processed.
  • Right to Access: Data subjects have the right to obtain confirmation whether or not the controller holds personal data about them, access their personal data, and obtain descriptions of data recipients.
  • Right to Rectification: Under the right to rectification, data subjects can request the correction of their data.
  • Right to Erasure: Data subjects have the right to request the erasure and destruction of the data that is no longer needed by the organization.
  • Right to Object: The data subject has the right to prevent the data controller from processing personal data if such processing causes or is likely to cause unwarranted damage or distress to the data subject.
  • Right not to be Subjected to Automated Decision-Making: The data subject has the right to not be subject to automated decision-making that significantly affects the individual.

Data protection impact assessment

A Data Protection Impact Assessment ('DPIA') is a practice that every data controller should commit to. Data controllers ought to ensure that compliance monitoring is done at all times so that there are no breaches of the Data Protection Act. Where there are security breaches, the disclosure regime required under the Data Protection Act means that DPIAs are a core practice which every data controller ought to engage in. Security breaches and violations trigger a DPIA at all times.
