Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 31 December 2024

  • the identity and the contact details of the controller and, where applicable, of the controller's representative
  • the purposes of the processing for which the personal data is intended
  • the source from which the personal data originates, and if applicable, whether it came from publicly accessible sources
  • the recipients or categories of recipients of the personal data, if any
  • the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc. (only required for a consent form)
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
  • other

Data subjects must also be provided with any further information that is necessary in the circumstances to ensure fair processing, including whether the personal data will be used for marketing purposes.

There are certain exceptions to the information provision requirements where data is obtained indirectly, namely where the processing is undertaken for statistical purposes or historical or scientific research (and where notification to the data subject is impossible or unusually onerous) and where processing is necessary for compliance with a legal obligation or order of the court, public prosecution, investigating judge or military prosecution.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 31 December 2024

Yes

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

  • right to rectify/correct the data subject's own personal data where inaccurate or incomplete
  • right to erasure of personal data
  • right to restrict data processing
  • right to object to the processing of personal data
  • right to withdraw consent
  • other

The PDPL includes rights to information, a right to be notified if personal data is being processed, and a right to object to direct marketing. Further details on data subject rights are set out in Executive Order No. 48 of 2022.

Are there accountability and governance requirements?

Last review date: 31 December 2024

There are accountability and governance requirements to:

  • implement privacy by design and by default measures for all processing of personal data

    Privacy by design is not referenced in the PDPL, but specified as a requirement in Executive Order No. 43 of 2022.
  • perform and document data protection impact assessments (DPIAs) for high-risk processing

    DPIAs are not referenced in the PDPL, but specified as a requirement in Executive Order No. 43 of 2022.
  • maintain a record of processing activities
  • implement appropriate measures to comply with data privacy and security
  • identify a specific individual as the data privacy contact for data subject or data protection authority inquiries
  • provide training to employees

    Training of employees is not referenced in the PDPL, but specified as a requirement in Executive Order No. 43 of 2022.
  • audit or supervise data processors
  • appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)