Law No. 30 of 2018
Bahrain was the first GCC country to enact comprehensive data protection legislation. The PDPL applies to all businesses processing personal data of individuals in Bahrain, regardless of where the company is headquartered.
Key Obligations
Lawful Basis
Must have consent, contractual necessity, legal obligation, or legitimate interest to process personal data.
Data Inventory
Maintain records of all personal data processing activities, purposes, categories, and retention periods.
Cross-Border Transfers
Transfers to countries without adequate protection require PDPA approval or binding corporate rules.
Breach Notification
Notify data subjects and PDPA within 72 hours of discovering a personal data breach.
DPO Appointment
Large-scale processors must appoint a Data Protection Officer and register with the PDPA.
Penalties
Fines up to BD 20,000 for violations. Criminal penalties including imprisonment for serious breaches.
