The Personal Data Protection Law (PDPL) has come into force in the kingdom. Modelled on European Union data protection laws, the PDPL is the second national law in the Gulf region to directly address the right to personal data protection, and it imposes obligations on businesses that collect personal data governing how they use and secure it.
In this Part 1 of our Bahrain Personal Data Protection Law Series, we look at the core concepts contained in the PDPL and what these will mean for Bahrain businesses.
The PDPL applies to:
1. Every individual normally living or working in Bahrain
2. Every business with a place of business in Bahrain
3. Individuals and businesses outside Bahrain who collect personal data of individuals in Bahrain using means available in Bahrain, unless those means are used simply to facilitate the transfer of personal data through Bahrain without the information being used for any other purpose
The PDPL will impose strict obligations on businesses in Bahrain in relation to how, why and when personal data can be collected, used and stored.
It will require businesses to manage their personal data processing activities, including ensuring that personal data is processed fairly; that individuals are notified when their personal data is collected and processed; and that individuals can exercise their personal data rights directly with the business.
The following terms are all contained in the law and are essential to fully understand to whom and to what the law applies:
• Personal data is defined by the PDPL as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity. For example, name, address, phone number, email address, passport number, IP address on the Internet, fingerprint, credit card number, etc.
• Sensitive personal data, a subset of personal data, is information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Such information requires heightened treatment and security.
• Processing means any automated or manual operation(s) carried out on personal data. In essence, this covers almost any relevant action word that could possibly be performed on information, including collecting, recording, organising, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making available to others, integrating, blocking, deleting or destroying.
• A data owner is defined as the person to whom the personal data relates. For example, an individual bank customer or employee will be the data owner of the personal data that the bank collects about them.
It is important to note that businesses who collect, store and use personal data of individuals will never be considered to be the owner of that information – such companies are merely the custodians or stewards of the data.
• A data manager is the person or company who decides why personal data should be collected from individuals and what it will be used for.
• A data processor will be the person or business who processes personal data on behalf of, and at the instruction of, the data manager. For example, an insurance company may outsource its customer care contact service to a company that provides call centre services. The call centre, in capturing the name, address, date of birth, policy number, etc., of callers would be seen as processing this information on behalf of the insurance company (the data manager).
• The data protection authority will be the national body established to be responsible for upholding the right of individuals to the protection of their personal data through the enforcement and monitoring of compliance with the PDPL. This body will be empowered to order businesses to stop any processing activity that violates the law and may impose financial penalties on offenders of BD1,000 per day for a first violation, and BD2,000 per day for a further violation committed within three years of the first. An administrative penalty of up to BD20,000 can also be levied. Imprisonment of up to one year can also be imposed instead of, or in addition to, a fine.
Companies operating in Bahrain will need to determine if their business activities bring them within the definitions of either data manager or data processor under the PDPL. If they do, the next step is to determine what sort of personal data is being collected, from whom, and for what purposes it is being used. Data managers in particular will need to identify all the third parties with whom they share personal data, e.g. payroll providers, cloud service providers, call centres, marketing agencies, etc.
The author is partner and head of digital trust at PwC