Data & Privacy · Bahrain
Data protection & privacy laws in Bahrain (2026)
Bahrain shaded by its data & privacy status
Bahrain has a comprehensive, GDPR-style data protection regime enacted as Law No. 30 of 2018, which came into force on 1 August 2019. It applies to data controllers and processors operating in Bahrain (and certain extraterritorial cases), sets out data-subject rights and processing principles, and is enforced by the Personal Data Protection Authority, whose functions are currently assumed by the Ministry of Justice, Islamic Affairs and Waqf.
Key points
Law No. (30) of 2018 (PDPL) is an omnibus data-protection statute that entered into force on 1 August 2019, covering the processing of personal data across sectors rather than only specific industries.
The Personal Data Protection Authority (PDPA) is the regulator; by Royal Decree No. (78) of 2019 its duties are currently assumed by the Ministry of Justice, Islamic Affairs and Waqf. Its governance includes a board of seven members.
Individuals have rights to be informed of and access processing of their data, to know recipients and purposes, to rectify inaccurate data, to object to/restrict processing, and to deletion of unlawfully processed or no-longer-necessary data.
Transfers of personal data outside Bahrain are restricted unless the destination ensures adequate protection (a whitelist of approved countries/territories) or prior authorization/consent is obtained; Order No. (42) of 2022 sets the implementing framework.
The Authority can investigate complaints, audit, issue stop orders and emergency orders, publish violation statements, and impose administrative fines (e.g., up to BD 20,000); certain breaches, such as unlawful processing of sensitive data, carry criminal penalties of up to one year imprisonment and/or fines up to BD 20,000.
Controllers must process data lawfully and fairly, generally obtain consent or another lawful basis, observe sensitive-data restrictions, maintain security, and (for certain higher-risk processing) notify or seek authorization, with provisions for appointing data protection guardians.
Timeline - major decisions & events
The CBB directed all licensees acting as data controllers to appoint a Data Protection Guardian (DPO) and notify the PDPA, embedding PDPL compliance into financial-sector supervision.
Lex Mundi (citing CBB directive) ↗Set out when and how controllers must appoint internal or external Data Protection Guardians, with notification to the PDPA within three working days — later relied on by the CBB's 2025 financial-sector directive.
Lexis Middle East ↗Established the conditions for transferring personal data outside Bahrain and the Authority's 'adequate protection' country list, defining the legal basis for international data flows.
Personal Data Protection Authority (PDPA) ↗The Ministry of Justice, acting as the Personal Data Protection Authority, issued the package of executive resolutions (Orders 42–46 of 2022) that turned the 2018 law into an enforceable, operational regime covering transfers, security, notifications and DPOs.
Personal Data Protection Authority (PDPA) ↗The Authority published draft executive resolutions on notifications, sensitive-data processing and international transfers for stakeholder feedback, the consultation phase that shaped the 2022 implementing rules.
Trowers & Hamlins ↗After a one-year transition, Bahrain's PDPL became effective, making it the first GCC state with a comprehensive, generally-applicable data protection statute and creating enforceable rights for data subjects.
Personal Data Protection Authority (PDPA) ↗Pending a standalone regulator, the decree assigned the Ministry of Justice, Islamic Affairs and Waqf to perform the PDPA's functions, establishing the supervisory body that enforces the law.
Government of Bahrain ↗King Hamad bin Isa Al Khalifa enacted Bahrain's foundational data-protection statute, setting out lawful-processing principles, data-subject rights, transfer restrictions and the framework for a supervisory authority.
Ministry of Legislative Affairs (Bahrain official gazette) ↗Bahrain - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →