12/09/2022
With the growing threat of cyber-attacks, data protection and privacy issues have become one of the hottest topics globally and in the region. In accordance with the rapidly evolving digital landscape and associated increasing risks, a necessary step for the GCC countries was the introduction of comprehensive personal data protection legislation in order to protect the use of personal data. Each of the six countries forming the GCC now have a personal data protection regime in place, the most recent being Oman which issued Sultani Decree No. 6 of 2022 on the Issuance of Personal Data Protection Law on 9 February 2022 and which comes into force on 13 February 2023 (Oman PDP).
Any statutory provisions which conflict with the Oman PDP, including Chapter 7 of Sultani Decree No. 69 of 2008 issuing the Oman Electronic Transactions Law, have been revoked. Further details of what and how businesses will be required to comply with the Oman PDP will be set out in the Executive Regulations which are likely to be published around the time the legislation comes into force.
The following is a brief overview of the key provisions of each of the GCC countries’ Data Protection Legislation regime (DPL).
Sultani Decree No. 6/2022 on the Issuance of Personal Data Protection Law
Federal Decree Law No. 45 of 2021 on the Protection of Personal Data
Saudi Arabia Cabinet Decision No. 98/1443 on the approval of the Personal Data Protection Law
Kuwait Decision No. 42/2021 on the Data Privacy Protection Regulation
Law No. 13 of 2016 on Personal Data Privacy Protection
Bahrain Law No. 30/2018 issuing the Law on Personal Data Protection
Ministry of Transport, Communications and Information Technology
The UAE Data Office
The Saudi Authority for Data and Artificial Intelligence
Telecommunication and Information Technology General Authority
Ministry of Transport and Communication
The Personal Data Protection Authority
Applies to personal data which is being processed and protected under the DPL except in the following circumstances (i) protecting a public interest (ii) complying with a legal obligation (iii) performing a contract to which the data subject is a party.
Applies to processing of personal data by (i) any data subject residing or has a place of business in the UAE (ii) any Controller or Processor located inside the UAE processing personal data of a data subject inside the UAE (iii) any Controller or Processor located outside the UAE processing personal data of a data subject inside the UAE.
Applies to processing personal data related to individuals that takes place in KSA including processing personal data of individuals residing in KSA by any entity outside KSA.
Applies to all telecommunications and information technology service providers (“Service Providers”) who collect, process and store personal data, whether the processing takes place inside or outside Kuwait, when it is related to processing activities on sending advertising or marketing materials or monitoring the behaviour and trends of data subjects.
Applies to personal data being electronically processed, obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing.
Applies to data processing by (i) every natural person who normally resides in or has a place of business in Bahrain and (ii) every legal person that has a place of business in Bahrain and (iii) every natural or legal person who doesn’t normally reside in Bahrain and has no place of business in Bahrain processing data using means available in Bahrain, unless the purpose of using such means is merely to transfer data through Bahrain.
The data subject’s express written consent is required to process the data and send marketing materials to the data subject.
Permission from the regulator is required to process personal data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs and criminal convictions or security measures.
Unless it is in the child’s best interest, it is prohibited to process a child’s personal data without the approval of the child’s guardian.
Processing personal data is prohibited without the consent of the data subject except in certain circumstances set out in the DPL.
The data subject’s written consent (or the legal guardian in the case of children’s or incapacitated individuals’ data) is required to process the data and send marketing materials to the data subject.
The data subject’s consent (or the legal guardian in the case of children’s data) is required to process the data.
The Controller may not (i) process personal data unless it obtains consent of the individual except where processing is necessary to achieve a lawful purpose (ii) send any electronic communication to an individual for the purpose of direct marketing without a prior consent (iii) limit the cross border data flow unless the processing of such data is in breach of the DPL or may cause serious damage to the personal data or to the data subject’s privacy (iv) process personal data of a special nature without permission from the regulator.
The data subject’s express consent (in writing or electronically) is required to process personal data unless processing is necessary for any of the following (i) implementing a contract to which the data subject is a party (ii) taking steps at the request of the data subject with a view to concluding a contract (iii) implementation of a duty prescribed by law, contrary to a contractual obligation or a court order (iv) protecting the vital interests of the data subject (v) directly for the legitimate interests of the Controller and any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject (there are further exceptions for processing sensitive personal data).
Permission from the regulator is required to process (i) sensitive personal data (ii) biometrics data (iii) genetic data (except processing by medical practitioners and when necessary for medical treatment) (iv) linking of personal data files of two or more Controllers handled by them for different purposes (v) optical recording used for monitoring purposes.
The regulator may request that an external auditor be appointed by the Controller and Processor to ensure that the personal data processing procedures are in accordance with the DPL and produce a report.
Service Providers shall carry out comprehensive audits and reviews on the commitment to protect personal data.
The Controller shall conduct comprehensive audits and reviews on the compliance extent with personal data protection requirements.
The Controller may transfer personal data outside of Oman in accordance with the Executive Regulations except if it was processed in violation of the DPL or would cause harm to the data subject.
The personal data may be transferred outside the UAE if there is an adequate level of protection in the country to which the data is to be transferred. If there is not an adequate level of protection, data may be transferred outside the UAE (i) under a contract or agreement that obliges the entity in the country without adequate protection to implement the provisions, measures, controls and requirement set out in the DPL (ii) if express consent of the data subject is obtained (iii) if the transfer is necessary to comply with a legal obligation, enter into or execute a contract between the Controller and Data Subject, or between the Controller and a third party to achieve the Data Subject’s interest, perform a procedure relating to international judicial cooperation or protect the public interest.
Personal data may not be transferred outside KSA (except to implement an obligation under a convention or to serve the interests of KSA), unless the following conditions are met (i) the transfer does not prejudice national security (ii) sufficient guarantees are provided for preserving confidentiality of the data being transferred so the level of protection is the same as set out in the DPL (iii) transfer is limited to the minimum personal data needed (iv) the regulator approves the transfer pursuant to the Regulations.
Service Providers shall notify the data subject in the event where the Service Provider intends to transfer the personal data outside Kuwait in accordance with the data classification policy issued by the regulator.
The Controller shall
be prohibited from taking any decision or measure that may limit the Cross Border Data Flow, unless the processing of such data is in breach of the DPL, or where such processing may cause serious damage to the data or to the data subject’s privacy.
Data should not be transferred outside Bahrain except in the following cases (i) transfers to a country or territory included in a the adequate level of protection country list attached to Decision No. 42 of 2022 (ii) transfers with the regulator’s permission which must be requested in accordance with Article 3 of Decision No. 42 of 2022 and will be issued in a case by case basis if the regulator is satisfied that the data will have an adequate level of protection.
If the country to which the data is being transferred does not have an adequate level of protection, the data may still be transferred in the following cases (i) if the data subject consents (ii) if the data is already publicly available (iii) if the transfer is necessary to implement a contract between the Controller and the data subject, execute or conclude a contract between the Controller and a third party for the benefit of the data subject, protect the data subject’s vital interests, comply with a legal or judicial obligation or order, and investigation of, directly claiming or defending a legal claim.
The Controller must notify the regulator and the data subject in the event of a data breach that may lead to its unlawful destruction, alteration, disclosure, access or processing. Further details of the breach notification requirements will be contained in the Executive Regulation.
The Controller must notify the regulator immediately upon becoming aware of the breach.
The data subject must be notified in the event that the breach would prejudice the privacy, confidentiality and security of the data.
The period and method for the notifications will be set by the Executive Regulations of the DPL.
The Controller shall notify the regulator immediately after becoming aware of the breach and the data subject if the breach would cause serious harm to the data or data subject.
The Service Provider shall notify the regulator and data subject within 72 hours after knowledge of breach.
The Controller shall inform the data subject and the regulator of any breach and if such breach may cause serious damage to data or the data subject’s privacy.
Article 4 of Decision No. 43/2022 sets out data breach notification requirements as follows:
(i) The Controller must open communication channels to directly communicate with data subjects or their legal representatives to notify them of the breach unless the data is encrypted or the Controller has taken subsequent measures to ensure that high risks to the rights and freedoms of the data subject are not likely to arise;
(ii) The Controller must notify the regulator of the breach within 72 hours from the time the breach is discovered. If the regulator is not notified within the specified period the notification must contain justifications for the delay. The regulator may order that a data subject be notified if it deems that the incident may lead to high risks to the data subject’s rights.
A wide range of fines in the event of non-compliance, the most substantial being in the range between OMR 100,000 to OMAR 500,000 for violation of Article 23 which relates to data transfers.
No penalties are listed in the DPL. The regulator shall issue a decision with the acts which constitute violations and the administrative penalties to be imposed.
A wide range of fines in the event of non-compliance, the most substantial being SAR 10M for repeated breaches and sentences of imprisonment.
The regulator may impose the penalties and fines stipulated in Kuwait Law No.37/2014, as amended by Kuwait Law No.98/2015, for failure to comply with the DPL.
Fines shall be imposed for violating the provisions of the DPL, the most substantial being QAR 5M.
A fine not less than BHD 1,000 and not exceeding BHD 20,000 and/or imprisonment not exceeding 1 year shall be imposed for violating the provisions of the DPL.
In addition to the significant fines to be imposed for breaches of the DPL, in some circumstances non-compliance with the relevant provisions could result in enforcement notices being issued actually prohibiting businesses from processing data, effectively preventing them from continuing their operations.
There are several standardised operational and procedural steps that can be undertaken in order to comply with the DPL, such as:
GCC entities should consider these steps and ensure that their data collection, processing and storage practices are DPL-compliant.
To discuss the above in more detail, including seeking assistance with setting up cyber response protocols and/or undertaking a data use audit for your business, please contact our GCC & ME cyber & data team.
For emergency cyber response assistance, please call the Kennedys’ Crisis Hotline (Global 24/7 Cyber Incident Response) on +44 203 137 8749.
)
)
)
)
)
)
)
)
)
