Law No. (30) of 2018 promulgating the Personal Data Protection Law (“PDPL”) comes into force on Thursday, 1 August. This means that companies with a place of business in the Kingdom of Bahrain (and companies who process data using means available in the Kingdom) who process personal data need to start complying with the PDPL now.
Having said that, some clarification is needed, as not all provisions of the PDPL will be effective straight away. This is because the resolution issuing the PDPL provides that the Board of Directors of the Personal Data Protection Authority (“Authority”) will issue the necessary decisions for the implementation of the provisions of the PDPL. However, as it currently stands, the Authority has not yet been established and no implementing regulations have been issued.
Consequently, there are many provisions of the PDPL, including importantly the need to notify the Authority before processing personal data under Article 14, which will not actually be implemented immediately (as there have been no decisions on the necessary rules and procedures).
Nevertheless, this does not mean the PDPL will not have legal effect right away. There are provisions of the PDPL that do not require the implementing regulations to be effective. These include:
- Chapter V (Rights of Data Owners): which includes provisions that require a data manager to, amongst other things, notify data owners of certain information, including the data owner’s right to access their personal information and to object to processing of their data in certain circumstances.
- Article 8 (Security of Processing): where a data manager uses a data processor (i.e. a third-party service provider) to process personal data on their behalf, there has to be a written contract between the data manager and data processor that covers certain matters stipulated by the law (e.g. security and confidentiality).
Although there may not be criminal liability for breaching these provisions, anyone who suffers damage arising from the processing of their personal data in breach of the PDPL is entitled to payment of compensation repairing the damage under Article 57 of the PDPL. This right to compensation appears to come into effect on 1 August.
There are also criminal penalties under Article 58 of the PDPL that do not require implementing regulations. These are:
- Processing sensitive information in violation of Article 5;
- Transferring personal data outside of the Kingdom of Bahrain in violation of either Article 12 or 13; and
- Disclosing data unreasonably and in violation of the provisions of the PDPL.
The penalty in each case is imprisonment for a period not exceeding one year and/or a fine of not less than BHD1,000 and not exceeding BHD20,000. As these are criminal matters, the public prosecutor can take action in the absence of the Authority.
Consequently, although it is not fully implemented, the PDPL does come into force from Thursday, 1 August 2019, and companies processing personal data in Bahrain need to comply with the provisions of the PDPL that are effective from that date.