These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Bahrain

Personal Data Protection Law No. (30) of 2018

Comprehensive compliance checklist for Bahrain's Personal Data Protection Law and supplementing Ministerial Resolutions No. 42–51 of 2022.

Key Provisions

Article 1: Key Definitions

  • Personal Data: Any information identifying a natural person directly/indirectly (e.g., ID numbers, physical/economic/cultural identifiers).
  • Sensitive Data: Race, religion, health, criminal records, political views, sexual status.
  • Processing: Any operation on data (collection, storage, transmission, destruction).
  • Data Controller: Entity determining processing purposes.
  • Data Processor: Entity processing data on behalf of the controller.
  • Data Protection Guardian: PDPA-registered compliance officer.

Article 2: Scope & Applicability

  • Applies to automated processing and non-automated processing if part of a filing system.
  • Covers entities established in Bahrain and foreign entities that use Bahrain-based means for processing (mere data transit through Bahrain is excluded).
  • Exemptions: Personal/family activities, security agencies (Ministry of Defense, Interior, etc.).

Article 4: Lawful Processing Basis

Processing requires the data subject's consent, or must be necessary for one of the following:

  • Contract performance
  • Legal obligations
  • Vital interests
  • Legitimate interests (if not overriding data subject rights)

Articles 5 & 15: Sensitive Data Processing

Explicit consent required unless exceptions apply:

  1. Employment obligations
  2. Legal claims
  3. Public health
  4. Public interest (authorized entities)

Note: Biometric/genetic data require prior PDPA authorization.

Article 8: Security Measures

  • Implement encryption, access controls, breach response plans.
  • Mandatory written contracts with processors.
  • PDPA may prescribe specific technical measures via resolution.

Articles 17–24: Data Subject Rights

  • Access: 15-day response time
  • Rectify/Delete: 10-day response time
  • Object to direct marketing: 10-day notice
  • Block automated decisions: Unless contractual
  • Withdraw consent: Procedures set by PDPA

Articles 12–13: Data Transfers

Allowed to "adequate" countries listed by PDPA. Non-adequate countries require PDPA authorization or:

  1. Consent
  2. Public register data
  3. Contract necessity
  4. Legal claims

Article 15: Prior Authorizations

Required for:

  • Sensitive data processing (Article 5(2))
  • Biometric data
  • Genetic data (non-medical)
  • Data linkage across controllers
  • Surveillance systems

Article 10: Data Protection Guardian (DPO)

  • Appointed by PDPA.
  • Maintains processing register, reports breaches.
  • Must be registered with PDPA (fees apply).

Articles 55 & 58: Penalties

  • Fines: BD 1,000–20,000
  • Imprisonment: Up to 1 year
  • Legal entities: Double fines
  • Daily penalties: BD 1,000–2,000/day for non-compliance

Ministerial Resolutions No. 42–51 of 2022

Supplementing the PDPL with detailed requirements:

Resolution 42: Data Transfers

Transfers allowed to 83 "adequate" countries (e.g., EU, UAE, USA). Non-listed countries require PDPA authorization or binding corporate rules.

Resolution 43: Technical Measures

Mandates GDPR-like measures: privacy by design, DPIAs, breach notifications (72 hours), encryption, and employee training.

Resolution 45: Sensitive Data

Requires high-security measures (e.g., encryption) and restricts processing to specific legal bases.

Resolutions 46–47: DPOs

DPOs must register with PDPA (fees up to BD 500). Responsibilities include compliance oversight and breach reporting.

Resolution 48: Data Subject Rights

Consent must be explicit and revocable. Invalidates coercive cookie banners. Automated decision-making requires transparency.

Resolution 49: Complaints

Data subjects may file complaints with PDPA. Controllers have 7 days to respond.

Resolution 50: Criminal Data

Restricted to authorized entities (e.g., law enforcement). Requires encryption and prohibits unauthorized disclosure.

Resolution 51: Public Registers

Requires transparency, consent for public access, and anonymization/encryption for long-term storage.

Compliance Checklist

Scope of Applicability

Article 2: Scope of Application

Confirm processing aligns with PDPL scope (automated/non-automated filing systems).

Lawful Basis for Processing

Article 4: Conditions for Processing

Establish a valid legal basis (consent, contract, legal obligation, etc.).

Sensitive Data Handling

Article 5 & Resolution 45: Sensitive Data Processing

Obtain explicit consent for sensitive data (race, health, etc.) unless exceptions apply.

Security Measures

Article 8 & Resolution 43: Security of Processing

Implement encryption, access controls, and breach response plans.

Data Subject Rights

Articles 17–24 & Resolution 48: Rights of Data Subject

Facilitate access, rectification, deletion, and objection to direct marketing.

Cross-Border Data Transfers

Article 12 & Resolution 42: Transfers of Personal Data

Transfer data only to PDPA-listed "adequate" countries or obtain authorization.

Prior Authorizations

Article 15: Prior Authorizations

Obtain PDPA approval for biometric data, genetic data, or surveillance systems.

Data Protection Officer (DPO)

Article 10 & Resolutions 46–47: Register of Guardians

Appoint and register a DPO with PDPA (if required).

Breach Notification

Resolution 43: Technical and Organizational Measures

Notify PDPA of breaches within 72 hours of discovery.

Public Registers

Article 11 & Resolution 51: Public Registers

Ensure public registers are transparent, consensual, and anonymized for long-term storage.

Complaint Handling

Resolution 49: Complaints

Respond to data subject complaints within 7 days and cooperate with PDPA.

Criminal Data Processing

Resolution 50: Criminal Data

Restrict criminal data processing to authorized entities (e.g., law enforcement).

Record-Keeping

Article 14 & Resolution 46: Data Protection Guardian

Maintain updated records of processing activities.

Direct Marketing

Article 20 & Resolution 48: Right to Object

Allow data subjects to object to direct marketing within 10 days.

Penalties & Enforcement

Articles 55 & 58: Penalties

Avoid violations punishable by fines (up to BD 20,000) or imprisonment (1 year).
