The Bahrain Personal Data Protection Authority issues 10 ministerial decisions with respect to the Personal Data Protection Law
Following several months of public consultations on draft decisions relating to the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”), the Bahrain Personal Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) issued ten (10) decisions supplementing and giving effect to several provisions under the PDPL. The decisions relate to:
1. Transferring personal data outside the Kingdom of Bahrain (including a ‘white list’ of countries that are deemed to have adequate legislative and regulatory protection for personal data by the Authority);
2. The conditions to be met in the technical and organisational measures that guarantee protection of personal data;
3. The rules and procedures for submitting notifications and prior authorisation requests to the Authority;
4. The procedures for processing sensitive personal data;
5. Data Protection Guardians;
6. The registration / renewal fees and related exemptions for registering Data Protection Guardians in the Authority’s register;
7. The data subjects’ rights;
8. The rules and procedures governing the submission of complaints relating to personal data;
9. Processing personal data concerning pursuing criminal proceedings and their related judgments; and
10. Public registers of personal data.
The most notable concepts / procedures under the decisions include:
• The introduction of “Privacy by Design”: data controllers will be required to adopt the principles of Privacy by Design when preparing, designing, selecting and using applications, services and products that are used for processing personal data.
• The introduction of the requirements to conduct Data Protection Impact Assessments (DPIAs) and Vulnerability Assessments and Penetration Testing (VAPT) as part of the conditions that must be met in the technical and organisational measures to be implemented by data controllers.
• The introduction of a mechanism for data breach notifications and the relevant rules and procedures thereof.
• The introduction of a mechanism for submitting notifications to and obtaining authorisations from the Authority as prescribed under the PDPL.
• The recognition of Binding Corporate Rules (BCR) for cross-border data transfers.
Timeline for implementation:
While all ten (10) decisions became effective on 18 March 2022, it is yet to be clarified whether in practice, businesses subject to the law will be provided with a grace period for compliance before the Authority takes enforcement action(s). We note that the forms for submitting notifications or requests from the Authority have not been issued yet.
What should you do next?
Businesses must, as soon as possible, ensure that they:
• Adhere to the obligations imposed by the PDPL and related decisions; and
• Undertake a “health check” on their existing data processing activities in Bahrain.
We will be scheduling a webinar in the near future to discuss the PDPL and the new decisions.
How we can help
If you would like to further discuss the contents of this update, please contact us directly.