Bahrain Personal Data Protection Law series: Part 3 – Individual … · 2019-10-07 · In this...

Date post: 03-Aug-2020

In this Part 3 of our ‘Bahrain Personal Data Protection Law Series’, we look at the personal data rights that are granted to individuals by the Bahrain Law No. 30 of 2018 promulgating the Data Protection Law (BDPL) and what these will mean for Bahrain businesses.

Individual rights: Part 3

Introduction

Due to come into force on 1 August 2019, the BDPL will have a significant impact on the way organisations in Bahrain conduct their business operations. Alongside enshrining international best data protection practices and principles, the BDPL will also provide individuals with a host of rights in relation to how their personal data can be collected, processed and stored. These rights require that individuals have all the information they need in order to understand why their information is being used and to exercise all their rights associated with that information. For this reason, the BDPL requires that any information communicated by the organisation be provided in an ‘understandable form’ – i.e. clear, concise, transparent, intelligible and in an easily accessible form, using clear and plain language.

Businesses in Bahrain will need to be aware of these rights and how to give effect to them, particularly as there is an obligation to inform the individuals whose personal data is processed that they can exercise their rights directly with the businesses.

1 Right to certain minimum information

When organisations collect personal data from a data owner, whether directly (e.g. through a consent form) or indirectly (e.g. from a public source like social media), the data manager must, at the time of collection, notify the data owner of the following information:

• the full name of the data manager, their field of activity or profession and address;

• the personal data that is held about them;

• the source of the personal data;

• the purpose for which the data is to be processed;

• names or categories of any recipients of the data;

• details about the data owner’s rights in respect of the data; and

• whether the data will be used for direct marketing.

This information notification requirement is important because it makes data owners aware of their various rights regarding their personal data – it is central to the data manager being transparent about, and accountable for, how they use personal data. Website privacy notices, terms and conditions etc. can be effective ways of providing individuals with this information and for emphasising the importance of their rights of choice and control.

The rights established by the Regulation require that data subjects have all the information they need in order to understand the nature of the processing and to exercise their further statutory rights. Consequently, Article 12(1) requires that any information communicated by the organisation be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.

3 Right to object to direct marketing

Data managers that intend to use personal data to carry out direct marketing are required to notify the relevant data owners that they have the right to object, free of charge, to being marketed to. The data owner is required to provide proof of their identity with their request.

Where a data owner does raise an objection, the data manager must, within 10 business days of receiving the request:

• cease the processing and notify the data owner that it has done so;

• partially cease the processing and notify the data owner of the reason for only partial cessation and extent to which the processing will continue; or

• reject the request and provide a reason(s) for this.

Where the data owner does not accept what the data manager has set out in its notification above, or the 10-day time period expires before the data manager provides its response to the initial request, the data owner may submit a formal complaint to the Data Protection Authority.

4 Right to object to processing that causes harm or distress to data owner or others

A data owner has the right to object, free of charge, to the processing of their personal data by a data manager where this processing causes harm or distress to the data owner or other persons. In the application, the data owner is required to provide:

• reasons why they feel the processing causes harm to them or to others;

• evidence that the harm is being caused; and

• proof of their identity.

The data manager must, within 10 business days of receiving the objection, refrain from commencing with, or cease the processing of any personal data of the applicant. However, the data manager need not completely stop the entirety of the processing; rather it may do so totally or only for a specific purpose or only in a specified manner if:

• the processing for such purpose or in that specified manner causes substantial and unwarranted harm or distress to the data owner or others; or

• it is reasonably likely that the processing for such purpose or in that specified manner will cause substantial and unwarranted harm or distress to the data owner or others.

It appears that the data owner will not be entitled to object to the processing where the processing is:

• based on the consent already given by the data subject;

• necessary to execute and/or perform a contract that the data owner is a party to;

• required in order to take steps on the instructions of the data owner for entering into a contract;

• required for the data manager to carry out a legal obligation imposed on it;

• necessary to protect the best interests of the data owner; or

• in furtherance of some legitimate interest/objective of the data manager or any third party, unless this conflicts with the rights of the data owner.

2 Right to be notified when personal data is being processed

The right to be notified under the BDPL means that individuals have the right to ask organisations whether they process personal data about them and, if so, what personal data, why it is processed etc.

Data owners may contact a data manager and request confirmation of:

• whether their personal data is being processed and, if so, what that personal data is;

• from where the data manager received the information (unless the law requires the source to be kept confidential);

• what purpose(s) the personal data will be processed for;

• names or categories of any recipients of the data; and

• if any decision is to be made on or using the data that affects the personal and direct interests of the data owner, a clear, transparent and intelligible explanation of the decision-making method(s).

The data owner is required to provide proof of their identity with their request.

The data manager must respond, at no cost to the data owner, within 15 business days of the request to confirm if the data owner’s personal data is being processed. Alternatively, the data manager may, no later than 10 days from the date of the request, require the applicant to provide additional information to support the request. The BDPL provides no guidance as to what additional information the data manager may seek, but this would presumably include providing proof of identification if this was not previously submitted. The data manager may refuse to comply with a data owner request if:

• the applicant fails to provide the additional information requested and the grace period has passed; or

• the data manager considers that the request entails an arbitrary use by the data owner of this right.

Where a request is refused, the data manager must notify the applicant within 15 business days of the request. Data owners may submit a formal complaint to the Data Protection Authority if their request is rejected or not complied with within the 15-day period.

5 Right to object to decisions made based upon automated processing

Data owners have the right to object, free of charge, to a data manager processing their personal data by purely automated means (i.e. with no human input) where it involves the evaluation of the data owner on the basis of their:

• performance at work;

• financial position;

• credit worthiness;

• behavior; or

• trustworthiness.

The data owner can request that another method of processing be used instead that does not rely only on automated processing. It appears that the data owner will not be entitled to object to the processing where the decision-making element takes place in the context of the conclusion or execution of a contract with the data owner, provided that all measures ensuring that his rights are secured are taken.

6 Right to rectify, block or erase personal data

Data owners have the right to request, free of charge, that a data manager:

• rectify their personal data if the data is incorrect, incomplete or not updated; and/or

• block any further processing of their personal data or have their personal data erased if the data is being processed illegally/in contravention of the BDPL.

The data owner is required to provide proof of their identity with their request.

The data manager must comply with the request within 10 business days from the date of the request unless it has a legally acceptable justification for not complying. The data manager has a further 15 business days from the date of its response to notify any third party with whom the personal data in question has been shared about the rectification/blocking/erasure request unless this is not possible or cannot be realised.

Where the personal data are contained in a public register under the control of the data manager, the data manager does not need to comply with a request if the law requires specific procedures for the rectification, blocking or erasure of information. Once processing has been blocked in respect of certain personal data, it may not be processed again unless:

• with the consent of the data owner;

• for the purposes of evidence; or

• to protect the rights of a third party.

7 Right to submit a complaint

Any stakeholder, including a data owner, has the right to submit a complaint to the Data Protection Authority if they have reason to believe that:

• there has been a violation of the BDPL; and/or

• personal data is being processed in a manner that contravenes the BDPL.

Implications for Bahrain Businesses

The BDPL provides data owners with a wide array of rights that can be enforced against Bahrain businesses that process personal data. These rights may limit the ability of an organisation to lawfully process the personal data, and in some cases these rights can have a significant impact upon an organisation’s business model. It is therefore essential for businesses to:

1. review the rights and ensure that they fully understand the business impact of each;

2. review communications and information material aimed at data owners to ensure that it clearly articulates all the required information; and

3. put in place effective systems to enable the organisation to give effect to these rights.

A key objective of the BDPL is to protect and strengthen the rights of data owners which means that these rights will likely be accompanied by a strict enforcement regime. Organisations should consider implementing the following measures to deal with requests from data owners:

• understand what personal data is held and processed;

• review and update (where necessary) privacy policies to reflect the rights granted to data owners;

• review data processing systems to determine if functionality changes are required to, for example, enable the organisation to quickly identify and isolate all copies of all personal data relating to a particular data subject;

• establish policies and procedures that provide an efficient process for handling requests;

• define roles and responsibilities to ensure everyone in the organisation knows what to do when a request is received;

• provide appropriate training to staff who process personal data so that they can quickly recognise, and appropriately respond to, requests from data owners to exercise their rights;

• wherever possible securely erase personal data (in line with your data retention policy) that is no longer required by the organisation in order to minimise personal data held; and

• consider efficiency measures to improve responses to requests such as a ‘data owner access portal’ where individuals can access their information quickly, easily and remotely.

About us

In the world of data privacy and protection, the proliferation of data privacy laws globally and the awareness of the public and the media on data sharing and ownership are creating new challenges and opportunities that will affect your business. Successful strategy development, execution and compliance monitoring require blended skills of a multi-disciplinary professional services team, which PwC Middle East’s Data Privacy Team are uniquely placed to provide. Our team works closely with audit, legal, consulting, risk assurance, digital trust, cyber security and forensics colleagues across the breadth of the PwC global network to provide a unique end-to-end, seamless service.

Our Data Privacy team provides business-critical support on data privacy and protection, confidentiality and cyber security matters to businesses, governments and public authorities all over the world. Our team can help you proactively with data protection compliance requirements to build trust, achieve legal certainty and avoid financial and reputational risk. Through our multidisciplinary team of legal, cyber, risk, e-discovery and assurance professionals, we can be your trusted partner in your data protection compliance journey or digital transformation strategy.

Contacts

Legal

Richard Chudzynski, Legal Data Protection and Privacy Leader

M: +971 56 417 6591

Gordon Wade, Senior Data Protection and Privacy Lawyer

M: +971 50 143 5619

Digital trust

Matthew White, Partner, Head of Digital Trust

M: +971 56 113 4205

Oliver Sykes, Partner

M: +971 56 480 2447

Established in the UAE region for 40 years, PwC has more than 4,200 people in 12 countries across the region: Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Oman, the Palestinian territories, Qatar, Saudi Arabia and the United Arab Emirates.

This publication has been prepared for general guidance on matters of interest only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, PriceWaterhouseCoopers Legal Middle East LLP, its members, employees and agents do not accept or assume any liability or responsibility or duty of care for any consequence of you, or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.

© 2019 PwC. All rights reserved. PwC refers to the PwC member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see http://www.pwc.com/structure for further details.
