Data & Privacy · Bahrain

Comprehensive law: Personal Data Protection Law, Law No. (30) of 2018 (PDPL), supervised by the Personal Data Protection Authority (PDPA) under the Ministry of Justice, Islamic Affairs and Waqf

Bahrain has a comprehensive, GDPR-style data protection regime enacted as Law No. 30 of 2018, which came into force on 1 August 2019. It applies to data controllers and processors operating in Bahrain (and certain extraterritorial cases), sets out data-subject rights and processing principles, and is enforced by the Personal Data Protection Authority, whose functions are currently assumed by the Ministry of Justice, Islamic Affairs and Waqf.

Comprehensive law in force

Law No. (30) of 2018 (PDPL) is an omnibus data-protection statute that entered into force on 1 August 2019, covering the processing of personal data across sectors rather than only specific industries.

Supervisory authority

The Personal Data Protection Authority (PDPA) is the regulator; by Royal Decree No. (78) of 2019 its duties are currently assumed by the Ministry of Justice, Islamic Affairs and Waqf. Its governance includes a board of seven members.

Data-subject rights

Individuals have the right to be informed of and to access the processing of their data, to know its recipients and purposes, to rectify inaccurate data, to object to or restrict processing, and to have unlawfully processed or no-longer-necessary data deleted.

Cross-border transfer restrictions

Transfers of personal data outside Bahrain are restricted unless the destination ensures adequate protection (a whitelist of approved countries/territories) or prior authorization/consent is obtained; Order No. (42) of 2022 sets the implementing framework.

Enforcement and penalties

The Authority can investigate complaints, conduct audits, issue stop orders and emergency orders, publish violation statements, and impose administrative fines (e.g., up to BD 20,000); certain breaches, such as unlawful processing of sensitive data, carry criminal penalties of up to one year's imprisonment and/or fines of up to BD 20,000.

Core obligations on controllers

Controllers must process data lawfully and fairly, generally obtain consent or another lawful basis, observe sensitive-data restrictions, maintain security, and (for certain higher-risk processing) notify or seek authorization, with provisions for appointing data protection guardians.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.