In this Part Two of our Bahrain Personal Data Protection Law Series, we look at the core principles of data privacy and protection contained in Bahrain Law No. 30 of 2018 promulgating the Personal Data Protection Law (BDPL) and what these will mean for Bahrain businesses.
The BDPL incorporates the internationally accepted, fundamental principles of data protection law and practice governing how organisations collect, process and store the personal data of data owners (i.e. individuals).
1. Legitimate and fair processing
Businesses must only process personal data fairly and for legitimate, lawful purposes.
Being fair means that data owners must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights.
Lawful means that organisations must obtain the unambiguous, freely given and fully informed consent of the data owner to process their personal data for specific purposes or the processing must be necessary for another purpose, including:
a. to execute and/or perform a contract with the data owner;
b. the law requires the data manager to process the information; or
c. in furtherance of some legitimate interest/objective of the data manager or any third party.
There are additional requirements for processing sensitive personal data.
2. Legitimate, specific and clear purpose(s)
Organisations must only collect and process personal data for specified, clear and legitimate purposes and not process personal data for any other purposes unless these other purposes would be considered compatible with the original purpose(s) the data was collected for.
3. Sufficient, relevant and not excessive
Organisations must only collect and process personal data that is relevant, necessary and adequate to accomplish the purpose(s) for which it is processed. This means that businesses should collect only as much personal data as they actually need and no more.
4. Correct, accurate and updated when requested
Organisations must ensure that the personal data they hold is correct, accurate and updated when requested by the relevant data owner. To ensure that personal data is kept accurate, data managers should take reasonable steps to rectify or delete inaccurate information.
5. Retained for no longer than necessary
Organisations should not keep personal data for longer than necessary to achieve the purpose(s) for which it was collected unless the law requires that the information be retained for a longer period. Whether the information is still needed should be judged by whether a legitimate business objective requires retaining it. Thereafter, it should be securely deleted.
6. Security and confidentiality
Organisations must ensure that the personal data they process is secured against unintentional or unauthorised destruction, accidental loss, unauthorised alteration, disclosure or access, or any other unauthorised processing. Organisations must use technical and organisational security measures that are appropriate for protecting the type of personal data that is processed, having regard to the standard market practices of their industry, and to state-of-the-art technological protection methods and the costs of these.
7. Authorisation
Organisations may not process certain types of personal data without the prior authorisation of the Data Protection Authority, including automatic processing of sensitive personal data of persons who cannot provide consent; automatic processing of biometric or genetic data; or visually recording people for monitoring purposes.
Implications for Bahrain Businesses
Data managers need to ensure that they are collecting and processing personal data in accordance with the law.
They must also familiarise themselves with the circumstances in which prior authorisation must be obtained before engaging in certain data processing activities or processing certain types of data. Preserving the security and confidentiality of personal data requires organisations to assign sufficient and appropriate resources to develop and implement an information security policy framework.
The author is a data protection and privacy lawyer at PwC