Your Rights Under Bahrain's PDPL (2026 Legal Guide) — Rules & Requirements
About this article
Sourced from Bahraini national legislation, decree-laws, and ministerial orders. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards
What is this right?
Bahrain's Personal Data Protection Law (Law No. 30 of 2018, PDPL) was issued on 19 July 2018 and came into effect on 1 August 2019. The regulator is the Personal Data Protection Authority (PDPA), established under Article 27 of the Law, with duties assumed by the Ministry of Justice, Islamic Affairs and Waqf by Royal Decree 78/2019. Data-subject rights: access, correction, deletion, withdrawal of consent, objection to processing.
When does it apply?
- A company in Bahrain holds your personal data and refuses to disclose / correct / delete.
- You withdraw consent but processing continues.
- Data breach.
- Bank, telecom, hospital, or government agency discloses your data without lawful basis.
Using Your Rights Under Bahrain's PDPL
- Start with a written request to the data controller. Cite PDPL Law 30/2018.
- If refused, escalate to PDPA at pdp.gov.bh.
- For banking data, parallel a CBB Consumer Protection complaint.
- For criminal-side disclosure, file with MOI Cybercrime Directorate via iGA / Tawasul.
What should you NOT do?
- Don't skip the controller's internal channel.
- Don't disclose more identification data than necessary.
- Don't pay 'data removal services' upfront.
About Data Privacy & Digital Rights in Bahrain
Bahrain's Personal Data Protection Law (Law No. 30 of 2018, PDPL) has been in force since 1 August 2019. The regulator is the Personal Data Protection Authority (PDPA), with duties assumed by the Ministry of Justice, Islamic Affairs and Waqf by Royal Decree 78/2019. For NCII and unauthorised intimate imagery, the criminal framework is the Cybercrime Law 60/2014. Investigation runs through the MOI Cybercrime Directorate. Victims should also use StopNCII.org (18+) or takeitdown.ncmec.org (under-18) — both free.
Common Questions
Is the PDPA independent?
PDPA was established under Article 27 of the PDPL. By Royal Decree 78/2019, the Ministry of Justice, Islamic Affairs and Waqf was designated to assume PDPA duties — so day-to-day enforcement sits with the Ministry of Justice rather than a standalone agency.
Does the PDPL apply to foreign companies?
Yes — the PDPL applies to processing of personal data of individuals in Bahrain, regardless of where the controller is established. Foreign companies processing data of Bahraini residents are subject to PDPA enforcement.
What is the your rights under bahrain's personal data protection law (pdpl) right in Bahrain?
Bahrain's Personal Data Protection Law (Law No. 30 of 2018, PDPL) was issued on 19 July 2018 and came into effect on 1 August 2019. The regulator is the Personal Data Protection Authority (PDPA), established under Article 27 of the Law, with duties assumed by the Ministry of Justice, Islamic Affairs and Waqf by Royal Decree 78/2019. Data-subject rights: access, correction, deletion, withdrawal of consent, objection to processing.
When does it apply — your rights under bahrain's personal data protection law (pdpl)?
A company in Bahrain holds your personal data and refuses to disclose / correct / delete.You withdraw consent but processing continues.Data breach.Bank, telecom, hospital, or government agency discloses your data without lawful basis.
What rights do I have under Bahrain's Personal Data Protection Law?
Start with a written request to the data controller. Cite PDPL Law 30/2018.If refused, escalate to PDPA at pdp.gov.bh.For banking data, parallel a CBB Consumer Protection complaint.For criminal-side disclosure, file with MOI Cybercrime Directorate via iGA / Tawasul.
What should you NOT do — your rights under bahrain's personal data protection law (pdpl)?
Don't skip the controller's internal channel.Don't disclose more identification data than necessary.Don't pay 'data removal services' upfront.