Bahrain Personal Data Protection Law
01 August 2019

On 01 August 2019 the Bahrain Personal Data Protection Law (PDPL) came into force, defining stringent requirements on the collection, processing, storage and disposal of personal data.
©2020 KPMG Fakhro, a Bahrain partnership registered with Ministry of Industry, Commerce and Tourism (MOICT), Kingdom of Bahrain and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Contents
01 Overview
02 Key definitions and roles
03 Transfer of data outside Bahrain
04 Key differences between PDPL and GDPR
05 Journey to implement PDPL requirements
Key definitions and roles

Person: any natural or legal person, including any public entity. The PDPL definition of "person" extends to legal persons, not only individuals.
Legal person: a private or public organization.
Personal data: information in any form that (1) relates to an identifiable individual, or (2) can identify an individual directly or indirectly.
Sensitive personal data: information of a special category for which the Law mandates specific protection.
Processing: any operation or set of operations performed upon personal data, whether or not by automatic means, including collecting, recording, organizing, classifying into groups, storing, adapting, altering, retrieving, using, disclosing by transmission, dissemination, transfer or otherwise making available to others, combining, blocking, erasing or destroying such data.
Data Controller: the person who decides, solely or in association with others, the purposes and means of processing.
Data Processor: the person who processes data for and on behalf of the Data Controller.
Data Subject: the individual whose personal data is being processed.
Data Recipient: any person to whom personal data is disclosed.
Data Controller – Key obligations

The Data Controller shall:
• inform Data Subjects of their rights under the Law;
• implement appropriate technical and organizational measures to protect personal data;
• choose a Data Processor that provides sufficient safeguards, and ensure that the processor complies with them;
• ensure that processing by a Data Processor is carried out only under a written contract between the Data Processor and the Data Controller;
• give prior notice to the Authority of any wholly or partially automated processing operation;
• in case of a breach of the Law, eliminate the cause of the violation or undertake the necessary rectification;
• not process any personal data in breach of this Law.

The Data Controller must not disclose personal data or sensitive personal data except with the data subject's consent or in execution of a judicial order issued by a competent court, the Public Prosecution, an investigation judge or the Military Prosecution.
Key highlights

01 Consent is required to process personal data, unless the processing is required by law, a legitimate interest or a contractual obligation.
02 Notification to the Authority is required before beginning any automatic processing of personal data, whether complete or partial.
03 Organizations may appoint a Data Protection Guardian with independent and impartial functions.
04 Transfer outside Bahrain is permitted on the basis of the adequacy of the receiving country, case-by-case permission from the Authority, or the consent of the data subject.
05 Data subjects have rights such as the right to blocking and the right to object to direct marketing.
06 Penalties range from BD 1,000 to BD 20,000, and may include imprisonment of up to one year and a daily penalty.
What can attract penalties?

Imprisonment of up to one year and/or a fine between BD 1,000 and BD 20,000 may be imposed for:

01 Processing sensitive personal data contrary to the provisions of the Law.
02 Processing personal data without notifying the Authority.
03 Processing personal data without prior authorization from the Authority.
04 Transferring personal data outside Bahrain contrary to the provisions of the Law.
05 Disclosing any data or information accessed in the course of work, or using it for one's own or others' benefit, unreasonably and in violation of the Law.
06 Providing false or misleading information to the Authority.
Transfer of data outside Bahrain

Personal data may be transferred out of the Kingdom in the following cases.

Transfer to a country or jurisdiction with an adequate level of protection
• The destination is on a list, compiled and updated by the Authority, of countries whose laws and regulations afford an adequate level of protection to personal data.

Transfer to a country or jurisdiction without an adequate level of protection
• The data subject has consented to the transfer.
• The transfer is necessary for the performance of a contract between the data subject and the Data Controller.
• The transfer protects the vital interests of the data subject.
• The transfer is for preparing or pursuing a legal claim or defence.
• The transfer is for the purpose of providing information to the public.
• The Authority has permitted the transfer on a case-by-case basis, taking into account:
  a) the nature of the data to be transferred;
  b) the originating country, the final destination and the measures in place to protect the personal data;
  c) relevant international agreements.
Main differences: PDPL v. GDPR

Applicability
PDPL: Bahrain-based entities and individuals habitually resident in Bahrain (Article 2 of the Law also reaches persons outside Bahrain who process personal data using means available in the Kingdom, other than purely for transit).
GDPR (General Data Protection Regulation): entities wherever established that process the personal data of individuals in the EU, including non-EU entities that offer goods or services to such individuals or monitor their behaviour.

Fines
PDPL: up to BD 20,000 (with no limit on compensation awarded to data subjects).
GDPR: very substantial: up to 2% of the previous year's worldwide annual turnover or €10 million for the lower tier, and up to 4% or €20 million for the higher tier, whichever amount is higher.

Notification
PDPL: prior notification to the Authority, or appointment of a Data Protection Guardian.
GDPR: no general prior notification; a data protection impact assessment is required before processing that is likely to result in a high risk to data subjects, together with security measures to protect the data and up-to-date technical and organizational processes and procedures.

Opt-in and consent
PDPL: no specific opt-in requirement; arguably, opt-out may not be sufficient.
GDPR: opt-in.

Personal data definition
PDPL: narrower than GDPR.
GDPR: wider; expressly includes online identifiers such as IP addresses, mobile device identifiers and geolocation data.

Notification of data breach
PDPL: no express requirement; one could be introduced in regulation.
GDPR: notify the supervisory authority (within 72 hours where feasible) and, where the breach is likely to result in a high risk to them, the data subjects.
Step-by-step journey to PDPL

01 Conduct gap assessment: assess the current state against the PDPL obligations to identify gaps.
02 Establish data privacy framework: define roles and responsibilities, and develop policies, procedures and templates aligned to the PDPL.
03 Prepare data inventory: build an inventory of personal data, sensitive personal data and data processing activities.
04 Document technical and organizational measures: record all technical and organizational measures adopted to protect personal data.
05 Update privacy notices and contracts: review and update privacy notices and contracts with vendors.
06 Conduct awareness sessions: create awareness of the provisions of the Law and of the privacy programme.
How KPMG can help

• Develop a data registry which identifies the processing activities of your organization that require the processing, transfer, disclosure or use of personal data and sensitive personal data, as defined by the applicable laws and regulations.
• Draft a framework for implementation which identifies the roles and responsibilities of your organization and its various functions.
• Draft the policies and procedures that are required to be in place.
• Assist your organization in meeting the legislative requirements with an implementation plan, including suggested changes to:
  • contract clauses with third parties, data processors and customers
  • privacy notices
  • customer onboarding forms
  • customer marketing communications
  • data sharing agreements (if applicable).
• Roll out an awareness eLearning course introducing employees to the compliance requirements and the points to consider when processing personal and sensitive personal data.
Thank You
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although
we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that
it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination
of the particular situation.
Copyright
No part of this work may be reproduced or transmitted in any form by any means, electronic or mechanical, including photocopying and recording, or by
any information storage or retrieval system, except as may be permitted, in writing, by KPMG.
KPMG values
We lead by example. We work together. We respect the individual. We seek the facts and provide insight. We are open and honest in our communication. We are committed to our communities. Above all, we act with integrity.