Bahrain PDPL

Law No. 30 of 2018 with Respect to Personal Data Protection

Flag of BH
Kingdom of BahrainOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
August 1, 2019
Enacted
July 12, 2018
Enforcing Authority
Personal Data Protection Authority (PDPA Bahrain)
Consent Model
Opt-in
Applies To
All individuals and businesses processing personal data within Bahrain; doubled penalties for corporate entities

Overview

Bahrain's PDPL is a comprehensive data protection law enacted in 2018 and effective from August 2019. It stands out in the Middle East for its explicit prohibition on cookie walls — consent obtained through forced or obligated browsing is void under the law. The PDPA enforces both criminal and administrative penalties, with corporate entities facing doubled fines.

What This Means for Your Website

  • Explicit consent is required before processing personal data of Bahraini visitors
  • Cookie walls are prohibited — you cannot make website access conditional on cookie acceptance
  • Consent obtained through obligated browsing is explicitly void
  • Consent must be genuinely voluntary, not bundled with site access
  • Corporate entities face doubled penalties compared to individuals
  • Administrative daily penalties of BHD 1,000 apply for continuing violations

Key Requirements

The PDPA enforces the law with criminal penalties up to 1 year imprisonment plus BHD 1,000-20,000 in fines, doubled for corporate persons. Administrative penalties include BHD 20,000 one-off fines or BHD 1,000/day for continuing violations. The cookie wall prohibition means consent mechanisms must offer genuine choice without conditioning access on acceptance.

How ConsentStack Handles This

ConsentStack never uses cookie walls and ensures consent is genuinely voluntary for Bahraini visitors. The consent banner provides clear accept/reject options without conditioning site access on cookie acceptance.

Penalties

Criminal: up to 1 year imprisonment plus BHD 1,000-20,000 (doubled for corporate persons). Administrative: BHD 20,000 one-off or BHD 1,000/day continuing.

Maximum Fine
BHD 40,000 per violation

Key Requirements

  • Explicit consent required for personal data processing
  • Cookie walls prohibited — consent via obligated browsing is VOID
  • Data processed lawfully, transparently, for specific legitimate purposes
  • Data must be adequate, relevant, not excessive, accurate, and stored only as necessary
  • Data subjects have rights of access, correction, and deletion

Notable Provisions

  • Cookie walls PROHIBITED — consent through obligated browsing explicitly void
  • Criminal penalties including imprisonment
  • Doubled fines for corporate persons compared to individuals
  • Administrative daily penalties (BHD 1,000/day) for continuing violations

Other Middle East & North Africa Regulations

KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPLEgypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Qatar PDPPLState of Qatar (excluding QFC)
Qatar's national data protection law applying outside the QFC free zone. Notable for imposing only financial penalties without criminal sanctions, which is unusual for the region. Consent is required for data processing, with restrictions on direct electronic marketing and cross-border transfers. The QFC operates its own separate data protection regime.

Frequently Asked Questions

Are cookie walls legal in Bahrain?

No. Bahrain explicitly prohibits cookie walls. Consent obtained through obligated browsing is void under the law.

What are the penalties for corporate entities?

Corporate entities face doubled penalties: up to BHD 40,000 in criminal fines plus imprisonment, and BHD 20,000 administrative fines or BHD 1,000/day for continuing violations.

Does Bahrain have a dedicated data protection authority?

Yes. The Personal Data Protection Authority (PDPA) enforces the law with both criminal and administrative enforcement powers.

Stay compliant with Bahrain PDPL

ConsentStack helps you implement Opt-in consent for Kingdom of Bahrain automatically.

Get started free