LEGAL VIEWPOINT: GDPR (General Data Protection Regulation)

By Dr AbdelGadir Warsama, Legal Counsel


11 October 2023

In this “data” era, it is important to protect the personal data of everyone, everywhere. On the face of it, protecting personal data shows a high degree of respect for the person and all his personal belongings, and it is a good initiative to protect personal rights. To fulfil this aim, the European Union (EU) took major steps and issued an important regulation, the General Data Protection Regulation (GDPR). The GDPR applies to different types of data processing carried out by organizations operating within or outside the EU. It also applies to entities outside the EU that offer goods or services to individuals in the EU.

The GDPR mainly applies to the protection of personal data. However, there are exemptions: it does not apply to certain activities, including certain instances of data processing where they are covered by the law enforcement directives, processing for national security purposes, and processing carried out by individuals purely for personal activities.

For more clarity, the regulation specifies the types of exemptions to be applied whenever required. To streamline the process, the GDPR applies to ‘controllers’ and ‘processors’. The controller is the authorized body that says how and why personal data is processed, whereas the processor is the body that acts on the controller’s behalf and under its control.

If you happen to be a processor, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and of the processing activities undertaken. As a processor, you have more legal liability if you are responsible for any breach. Obligations for processors are new requirements under the GDPR, and they confirm the EU’s firm strategy of stringent rules to regulate personal data and curb the huge destructive misuse we are facing. However, controllers are not relieved of their obligations where a processor is involved. The GDPR places further obligations on controllers to ensure that their contracts with processors comply with its provisions.

As a general rule, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed. The definition provides for a wide range of personal identifiers as personal data, reflecting changes in technology and in the way organizations collect information about persons. I believe the justification behind covering automated and manual filing systems is to cover all data processing; otherwise there could be room to escape through manual data processing.

It is necessary to say that the EU’s GDPR gives a great boost to data protection, and it is good that it has been taken as a benchmark by countries in the region, including Bahrain, when issuing relevant laws. We take the opportunity to say that Bahrain has issued a well-advanced law regarding personal data protection in Bahrain.