
Bahrain Personal Data Protection Law · ©2020 KPMG Fakhro, a Bahrain partnership registered with...

Date post: 11-Dec-2020
Page 1: Bahrain Personal Data Protection Law · ©2020 KPMG Fakhro, a Bahrain partnership registered with Ministry of Industry, Commerce and Tourism (MOICT), Kingdom of Bahrain and a member

Bahrain Personal Data Protection Law

01 August 2019

Bahrain Personal Data Protection Law came into force – defining stringent requirements on collection, processing, storing and disposing of personal data.

©2020 KPMG Fakhro, a Bahrain partnership registered with Ministry of Industry, Commerce and Tourism (MOICT), Kingdom of Bahrain and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Contents

01 Overview
02 Key definitions and roles
03 Transfer of data outside Bahrain
04 Key differences between PDPL and GDPR
05 Journey to implement PDPL requirements

Key definitions and roles

• Person: Any natural or legal person including any public entity. (PDPL definition of person has been extended to legal person also)
• Legal Person: Legal person may be a private or public organization
• Personal Data: Information in any form (1) related to an identifiable individual, or (2) can identify an individual directly or indirectly
• Sensitive Personal Data: Information that is of a special category and for which law mandates specific protection
• Data Controller: Person who decides, solely or in association with others, the purposes and means of processing
• Data Processor: Person who processes data for and on behalf of the Data Controller
• Data Subject: Individual whose personal data is being processed
• Data Recipient: Any Person to whom personal data is disclosed

Processing means any operation or set of operations performed upon personal data, whether or not by automatic means, including collecting, recording, organizing, classifying into groups, storing, adapting, altering, retrieving, using, disclosing by transmission, dissemination, transference or otherwise making available for others, or combining, blocking, erasing or destructing such data.

Data controller – Key obligations

• Data Controller shall inform Data Subjects about rights of Data Subject
• Data Controller shall implement appropriate technical and organizational measures
• Data Controller shall choose Data Processor who provides sufficient safeguards and ensure appropriate compliance
• Data Controller shall give prior notice to Authority of any wholly or partially automated processing operation
• Data Controller shall ensure that the processing is only carried out pursuant to a written contract between the Data Processor and Data Controller
• In case of breach, Data Controller to eliminate the cause of violation or undertake the necessary rectification
• Data Controller must not process any Personal Data in breach of this Law

The Data Controller must not disclose any personal data and sensitive personal data without the data subject’s consent or in execution of a judicial order issued by a competent court, Public Prosecution, investigation judge or Military Prosecution.

Key highlights

• Penalty ranging from 1000 dinar to 20,000 dinar, including imprisonment up to 1 year and daily penalty
• Consent to process personal data unless required by law, legitimate interest or contractual obligation
• Organizations may appoint a Data Protection Guardian with independent and impartial functions
• Transfer outside Bahrain based on adequacy of the receiving country or case by case permission from Commission or consent of data subject
• Notification to commission before beginning an automatic, complete or partial personal data processing
• Rights of data subject like Right to Blocking, Object to Direct Marketing

What Can Attract Penalties?

Imprisonment up to one year and fine between 1000 Dinar and 20,000 Dinar, or penalty, will be imposed on:

• Processing Sensitive Personal Data: Processing sensitive personal data contrary to the provisions of the Law
• Processing Data without notification: Processing personal data without notifying the Authority
• Disclosing information: Disclosing any data or information accessed due to work, or using the same for own or others' benefit unreasonably and in violation of the Law
• Lack of Prior Authorization: Processing personal data without prior authorization from the Authority
• False / misleading information: Providing false or misleading information to the Authority
• Transferring Data outside Bahrain: Transferring personal data outside Bahrain contrary to the provisions of the Law

Transfer of data outside Bahrain

The data can be transferred out of Kingdom in the following cases:

Transfer to countries/jurisdiction having adequate level of protection
• Provides adequate laws and regulations according adequate level of protection to personal data.
• The transfer is to a country on a list compiled and updated by the Authority

Transfer to countries/jurisdiction not having adequate level of protection
• Data subject has provided the consent for the transfer
• The performance of a contract between the data subject and the Data Controller
• Protecting the vital interests of the data subject
• Preparing or pursuing a legal claim or defense
• When the transfer is for the purpose of providing information to the public
• Case-by-case basis and depending upon following considerations:
  a) Nature of data to be transferred
  b) Originating country, final destination & measures to protect the personal data
  c) Relevant international agreements

Difference between PDPL and GDPR

Main Differences: DPL v. GDPR

Comparison of the Personal Data Protection Law (PDPL) and the Global Data Protection Regulation (GDPR):

Applicable to
• PDPL: Bahrain Based entities and individuals with habitual residence in Bahrain
• GDPR: Entities worldwide if they process data of EU data subjects.

Fines
• PDPL: Up to BD 20,000 (No limit on compensations)
• GDPR: Very substantial: Between 2 – 4% of previous year’s turnover or € 10 – 20 million whichever is higher

Notification
• PDPL: Prior notification or appoint Data Protection Guardian
• GDPR: Processing only after impact assessment on Data subject, security measure to protect the data and ensure up to date technical and organizational process and procedures are in place.

Opt-in and consent
• PDPL: No specific requirement for opt-in. Arguably opt-out may not be sufficient.
• GDPR: Opt-in

Personal Data Definition
• PDPL: Definition narrower than GDPR.
• GDPR: Wider definition. Includes IP address, mobile device identifier, geolocation.

Notification of Data Breach
• PDPL: No express requirements. Could be introduced in regulation.
• GDPR: Notify Data Subject and Authority.

Journey to Implement PDPL Requirements

Step by Step Journey to PDPL

• Conduct Gap Assessment: Conduct Gap Assessment against PDPL Obligation to identify current state
• Establish Data Privacy Framework: Define roles & responsibilities, develop policy, procedure and templates aligned to PDPL
• Prepare Data Inventory: Prepare inventory for personal data, sensitive personal data and data processing activities
• Document Technical, Organizational Measure: Document all technical and organizational measures adopted to protect the personal data
• Update Privacy Notice & Contracts: Review and update privacy notices and contracts with vendors
• Conduct Awareness Session: Creating awareness about provisions of this law and privacy program

How KPMG can help

• Develop a data registry which identifies the processing activities of your organization which require the processing, transfer, disclosure or use of personal data and sensitive personal data, as defined by the applicable laws and regulations.
• Draft a framework for implementation which identifies the roles and responsibilities of your organization, and its various functions.
• Draft the policies and procedures which are required to be in place.
• Assist your organization to achieve the legislative requirements with an implementation plan including suggested changes to:
  • contract clauses with third parties, data processors and customers
  • privacy notices
  • customer onboarding forms
  • customer marketing communications
  • data sharing agreements (if applicable).
• Roll out an awareness eLearning course introducing to employees the compliance requirements and points to consider when processing personal/sensitive personal data.

Thank You

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Copyright

No part of this work may be reproduced or transmitted in any form by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, except as may be permitted, in writing, by KPMG.

KPMG values

• We lead by example
• We work together
• We respect the individual
• We seek the facts and provide insight
• We are open and honest in our communication
• We are committed to our communities
• Above all, we act with integrity

Expert, Global Mindset, Forward Thinking, Value Adding, Passionate

