1 INTRODUCTION
1.1 Data protection law
This policy describes how personal data must be collected, processed, transferred, handled, and stored at Bahrain Airport Services Company B.S.C (Closed) (BAS) in order to meet the requirements of data protection law, in particular the Personal Data Protection Law (Law No. 30 of 2018) issued by the Kingdom of Bahrain and the General Data Protection Regulation (GDPR) of the European Union.
1.2 Scope of the policy
The policy applies to all employees; fixed-term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the BAS files and/or computer systems. Collectively these individuals are hereafter referred to as ‘users’. All users are responsible for complying with the terms of this policy. The rules in this policy document apply to all data stored in any structured way, whether in paper files or electronically.
1.3 Objectives of this policy
This policy provides help and guidance to BAS staff and managers in:
- complying with data protection laws;
- protecting the rights of staff, passengers, clients, vendors, partners, and other business contacts;
- being open about how we use personal data, how we store it, how we secure it and how we delete it; and
- protecting BAS against the risks of both inadvertent and intentional data breaches.
1.4 Definitions
1.4.1 Personal data
Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers.
1.4.2 Sensitive personal data or ‘special category data’
This data concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation.
There are a number of strict rules about the processing of this kind of data and the kinds of situations in which it is legitimate to process it. Usually the data controller needs the data subject’s explicit consent or a clear legal basis to do so. We will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.
2 PRIVACY FRAMEWORK/GOVERNANCE
2.1 The data protection principles
BAS is responsible for ensuring data is processed in accordance with the data protection principles:

| Principle | Requirement |
| --- | --- |
| Lawfulness, fairness and transparency | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Purpose limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Data minimisation | Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. |
| Accuracy | Personal data shall be accurate and, where necessary, kept up to date. |
| Storage limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. |
| Integrity and confidentiality | Personal data shall be processed to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. |
| Accountability | The controller shall be responsible for and be able to demonstrate compliance with the data privacy laws. |
3 DATA PROCESSING
BAS is permitted to process data where one of the following legal bases applies:
- The data subject has given their consent.
- The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering a contract with them.
- The processing is necessary for compliance with a legal obligation to which the data controller is subject.
- The processing is necessary to protect the vital interests of the data subject or another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- The processing is necessary for the purposes of legitimate interests pursued by a third party or by the data controller, except where those interests are overridden by the fundamental rights and freedoms of the data subject and their right to privacy in relation to their personal data.
4 DATA SUBJECT RIGHTS AND REQUESTS
4.1 Data subject rights
Where BAS holds personal data about them, data subjects have the right to:
- obtain confirmation whether their data is processed;
- access their personal data;
- obtain information which is provided in the privacy notice;
- request amendment when the data is inaccurate or incomplete; and
- request removal of their data.
4.2 Objections to personal data processing
Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.
4.3 Data retention
BAS retains personal data until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. Personal data shall be destroyed and erased, and shall not be retained, once the specified retention period has been exceeded or the purpose of the processing is no longer valid, whichever is later. Personal data used for research, testing, statistical, historical or training purposes may be kept for longer periods, but shall be kept in an anonymised, unattributable form. If this is not possible, the identity of the data owner must be encrypted.
5 TRANSFER OF PERSONAL DATA OUTSIDE BAHRAIN
BAS may from time to time transfer personal data outside the Kingdom of Bahrain. DPA shall ensure that this will only be done if one or more of the following applies to the transfer:
- it is made only to a country on the list approved by the Personal Data Protection Authority as having an adequate level of personal data protection;
- it is made with the informed consent of the data subject;
- it is necessary for the performance of a contract between the data subject and BAS, or for pre-contractual steps taken at the request of the data subject;
- it is necessary for important public interest reasons, or for the conduct of legal claims, or to protect the vital interests of the data subject; or
- it is made from a register that under law is intended to provide information to the public and which is open to the public or to those able to show a legitimate interest in accessing it.
6 IMPLEMENTATION OF THE POLICY
This policy is effective as of 21 June 2022. For more details, please contact pdpl@bas.com.bh.