Bahrain’s Personal Data Protection Authority (PDPA), established under the auspices of the Ministry of Justice, Islamic Affairs and Awqaf, published five draft executive resolutions on its official website ( on 1 August 2021 regarding the implementation of Bahrain’s personal data protection law (the PDPL).


States, countries and territories with adequate legislative and regulatory protection for personal data

The PDPA’s whitelist of 43 countries that data managers can transfer data to without obtaining prior authorisation include:

  • EU member states (GDPR)
  • The USA
  • The UK
  • Canada
  • New Zealand
  • Switzerland
  • Argentina
  • Japan

Rules and procedures governing submission of complaints relating to personal data protection

Under the PDPL, data subjects can lodge formal complaints against data controllers, data processors and data protection guardians. Complaints must include:

  • The complainant’s name, address and contact information
  • The defendant’s name, address and contact information
  • Reason(s) for the complaint
  • Supporting evidence


Data subjects may file complaints if data controllers:

  • Reject a data subject’s request to be notified that their personal data is being processed
  • Fail to respond to a personal data notification within 15 working days
  • Reject a data subject’s objection to processing data for direct marketing purposes
  • Fail to respond to a direct marketing notification within 15 working days
  • Automate processing decisions according to work performance, financial standing, credit worthiness, reliability or data subject conduct


The PDPA is required to process complaints within 45 days and to notify all parties of its decision.


Data processing rules and procedures

Data controllers must notify the PDPA on new and existing processing activities, in addition to:


Data controllers must – using a form on the PDPA’s website – obtain prior approval from the PDPA for certain data processing. The PDPA can give data managers up to 10 days to update requests where necessary.


Sensitive data processing procedures

Data controllers are required to obtain consent from data subjects prior to processing their sensitive personal data, unless that processing is:


Data controllers are also required to acquire authorisation from the PDPA before processing sensitive data.


Data controllers (and data processors working on their behalf) must set guidelines for processing and protecting sensitive data, in addition to recording sensitive data processes, processing purposes and associated risks.


Public directories

Where data controllers want to create a register of personal data and make it publicly accessible, they must:


What should you do now?

With Bahrain one of a limited number of jurisdictions in the world with a personal data protection law, Bahraini businesses should carefully consider the impact of the PDPL on their operations. Keypoint’s personal data protection team is well-placed to advise you on the PDPL, having worked with public and private sector organisations across most economic sectors. Contact a member of our team for more information.

Srikant Ranganathan
Senior Director
Share via
Copy link
Powered by Social Snap