
PDPL & compliance | 17 Jun 2026

Bahrain PDPL: what your online forms must do (and why storage location matters)

Bahrain’s GDPR-like PDPL carries criminal penalties. A form-by-form guide: lawful basis, sensitive-data authorisation, the cross-border adequacy whitelist, data-subject rights, and the 72-hour breach window.

Sahl/form editorial | 8 min read

Bahrain’s Personal Data Protection Law — Law No. 30 of 2018, in force since 1 August 2019 — is one of the most GDPR-like regimes in the Gulf, and it has teeth most of its neighbours lack: it carries criminal penalties, not just fines. If your online form collects data from people in Bahrain, here is what it has to do.

1. Stand on a lawful basis

Processing needs the data subject’s consent unless it is necessary for a contract, a legal obligation, vital interests, or the controller’s legitimate interests (where those do not override the individual’s rights). For a public form, that usually means consent — a clear, affirmative act, given before you collect.

2. Treat sensitive data as a separate gate

Sensitive personal data — race, ethnicity, political or philosophical views, religious beliefs, union membership, criminal record, health and sexual life — is prohibited without consent except in narrow cases. And processing of certain data (biometric, genetic, and some automated processing) needs prior written authorisation from the Authority. A form using fingerprint or face data, or one that profiles people automatically, is not a build-and-launch job in Bahrain.

3. Where your submissions live actually matters here

This is Bahrain’s most form-relevant rule. Transfers outside the Kingdom are allowed to countries on the Authority’s adequacy whitelist — around 83 of them, governed by Ministerial Order No. 42 of 2022. Saudi Arabia, the UAE, the UK, and Singapore are on it. That last one matters: a platform that stores submissions in Singapore is transferring to a whitelisted destination, which is the clean, low-friction path. Off the list, you need the Authority’s permission or the data subject’s consent. So the question to ask any form vendor is simply: which country are submissions stored in, and is it on the list?

4. Name the controller and honour data-subject rights

The form must tell the individual who is collecting their data and why. And Bahraini residents can access, correct, delete, and object to processing — including direct marketing and automated decision-making. A form needs a real channel for those requests, not a dead support inbox.

5. Register and notify

Bahrain expects controllers to notify the Authority of their processing activities, and to have a registered Data Protection Officer where required. This is an organisational obligation rather than a per-form one, but it is the backdrop every form you publish sits against.

6. 72 hours on a breach

A breach that affects data subjects’ rights has to be reported to the Authority within 72 hours of discovery. For a form, that clock starts at the submission store and at every integration a submission flows into.

What this costs to get wrong

Bahrain is the Gulf regime that can put a person in prison: violations carry up to one year’s imprisonment and/or a fine of BHD 1,000 to BHD 20,000. The amounts are smaller than Saudi or UAE fines, but the criminal exposure changes how seriously a Bahraini buyer treats the question of where their respondents’ data ends up.

Where SahlForm fits

SahlForm stores submissions in Singapore (ap-southeast-1) — a destination on Bahrain’s adequacy whitelist, so the cross-border path is the clean one rather than a permission request. Add the controller notice on every public form, consent recorded as an affirmative act, separate marketing consent, and an Arabic-first interface, and the form-level obligations are the default rather than extra work.
