Part 4 of our Bahrain Personal Data Protection Law Series looks at the penalties and sanctions contained in the Bahrain Data Protection Law (BDPL), and the role of the Data Protection Authority (Authority).
1. Penalties and Sanctions
Administrative Penalties: The Authority may order any violation to be stopped and the reason(s) for it and effects of it to be addressed.
If the offending party fails to comply, the Authority may withdraw any authorisation granted allowing the offending party to process certain specialised categories of personal data and impose an administrative penalty not exceeding BD20,000; or a daily financial penalty not exceeding BD1,000 per day for a first violation, and BD2,000 per day for further violations within three years of the first violation. In calculating any fine, the Authority will consider the violation committed and its seriousness; any benefits derived from the violation; and any damage suffered by data owners.
Civil Liability
Any person who incurs damage as a result of the processing of their personal data by a data manager, or as a result of a violation of any of the provisions of the BDPL by a data protection supervisor, has the right to compel the data manager or data protection supervisor to compensate them for that damage.
Criminal Liability
Violations: The courts of Bahrain may impose a term of imprisonment not exceeding one year; and/or issue a fine of up to BD20,000 for a number of offences, including unlawfully processing sensitive personal data; unlawfully transferring personal data outside of Bahrain; and processing certain personal data without prior authorisation from the Authority.
Vicarious Liability
A fine of up to BD20,000 may be imposed on a company where the violation is caused by the actions of a director/officer and committed in the name of and/or for the account or benefit of the company.
2. Role of the Authority
The Authority assumes responsibility over all the duties and powers necessary to protect personal data, including:
- Ensuring that the public is aware of their rights and obligations, and that data managers are aware of these too.
- Arranging training and educational courses and programmes to ‘spread the culture of personal data protection’.
Monitoring: Monitoring compliance with the BDPL, including carrying out inspections of data managers to verify compliance.
Notifications and Approval
- Receiving notices from data managers before processing personal data.
- Granting authorisation to carry out certain processing activities.
Complaints: Receiving notifications and complaints regarding contraventions of the BDPL, ascertaining the seriousness of these and investigating as necessary.
Miscellaneous: Studying legislation and draft laws relevant to the protection of personal data and recommending amendments consistent with international standards.
Implications for Bahrain businesses
From a practical compliance perspective, the following may assist Bahrain businesses in their compliance journey:
1. Strategic Privacy Programme
A privacy programme that focuses on satisfying regulatory obligations and addresses how privacy practices fit into overall business strategy. The privacy programme must: have the buy-in of senior business stakeholders from the top down; include a dedicated data privacy programme team with the necessary skills and expertise; and lead to the creation of a Personal Data Register illustrating the data life-cycle.
2. Data Protection Policies and Privacy Notices
The principles of transparency and accountability require Bahrain organisations to demonstrate their compliance.
The importance of properly drafted privacy notices that inform data owners of what their personal data is being used for in a clear and unambiguous way cannot be overstated.
3. Third Party Risk Management
The BDPL significantly increases the risk of outsourcing data processing activities.
A robust third party risk management programme will be required to address vendors’ information security risks.
The core elements of this risk management programme should include comprehensive security due diligence questionnaires and the power to audit service providers.
4. Data Owner Access Requests
The BDPL provides individuals with a host of rights in relation to how their personal data can be collected, processed and stored. Businesses in Bahrain will need to be aware of these rights and how to give effect to them.
The author is a data protection and privacy lawyer at PwC