Personal Data Protection in Bahrain

Source: Law No. 30 of 2018 (Personal Data Protection Law — PDPL); regulations issued by the Personal Data Protection Authority

Reviewed by the Commoner Law Editorial Team. Sourced from Bahraini national legislation, decree-laws, and ministerial orders. Written in plain language for general understanding — this is educational content, not legal advice.

What is this right?

Bahrain's Personal Data Protection Law (PDPL), enacted in 2018, was one of the first comprehensive data privacy laws in the Gulf, giving individuals enforceable control over their personal information:

  • Consent required: Organisations must obtain your clear, informed consent before collecting, processing, or sharing your personal data, with limited legal exceptions.
  • Right to access: You can request a copy of all personal data an organisation holds about you — and they must respond within a reasonable timeframe.
  • Right to correction: You can demand that inaccurate or outdated data be corrected.
  • Right to deletion: When your data is no longer needed for its original purpose, you can request permanent deletion.
  • Breach notification: Organisations must notify the Personal Data Protection Authority and affected individuals when a breach poses a risk to personal data.
  • Cross-border transfer restrictions: Personal data cannot be sent outside Bahrain unless the receiving country has adequate data protection or you have given explicit consent.
  • Penalty bands: fines on controllers from BHD 1,000 up to BHD 20,000, plus up to 1 year imprisonment for serious violations (processing without lawful basis or unauthorised cross-border transfers); failure to notify a breach can attract fines up to BHD 10,000.
  • CBB Data Protection Guardian directive (24 March 2025): every financial-sector data controller must appoint a Data Protection Guardian and notify the PDPA of the appointment within three working days — an additional layer above the general PDPA controller designation.

When does it apply?

  • A company is collecting your personal information without asking for consent or explaining the purpose.
  • You want to access, correct, or delete personal data held by a business or government entity.
  • You believe your data has been breached — leaked, sold, or shared without authorisation.

What to Do If a Company in Bahrain Is Using Your Personal Data Without Consent or Has Suffered a Data Breach

  • Read privacy policies before providing personal data — Bahrain businesses are required to have one.
  • Submit a written data subject request (access, correction, or deletion) to the organisation. They must respond.
  • If the organisation ignores or refuses your request, file a complaint with the Personal Data Protection Authority.
  • For data breaches, change your passwords immediately and monitor your bank accounts and CPR-linked services for suspicious activity.

What should you NOT do?

  • Do not share personal data unnecessarily — only provide what is genuinely required for the service.
  • Do not ignore privacy policy updates — organisations must notify you of changes, and you can withdraw consent if you disagree.
  • Do not assume all data collection is legal — challenge requests for excessive information, especially if it includes your CPR number, financial details, or biometric data without clear justification.

Common Questions

When does personal data protection apply?

  • A company is collecting your personal information without asking for consent or explaining the purpose.
  • You want to access, correct, or delete personal data held by a business or government entity.
  • You believe your data has been breached — leaked, sold, or shared without authorisation.

What should I do if a business in Bahrain collected my personal data without my permission or I suspect my data was leaked?

  • Read privacy policies before providing personal data — Bahrain businesses are required to have one.
  • Submit a written data subject request (access, correction, or deletion) to the organisation. They must respond.
  • If the organisation ignores or refuses your request, file a complaint with the Personal Data Protection Authority.
  • For data breaches, change your passwords immediately and monitor your bank accounts and CPR-linked services for suspicious activity.

What should you NOT do when it comes to personal data protection?

  • Do not share personal data unnecessarily — only provide what is genuinely required for the service.
  • Do not ignore privacy policy updates — organisations must notify you of changes, and you can withdraw consent if you disagree.
  • Do not assume all data collection is legal — challenge requests for excessive information, especially if it includes your CPR number, financial details, or biometric data without clear justification.