Purpose and Scope
The Bahrain Institute for Pearls and Gemstones (DANAT) (the “Company” or “DANAT”) is committed to maintaining the confidentiality, integrity, and security of Personal Data of internal and external parties (“Data Subjects”) whose Data is collected and processed by automated or non-automated means.
Accordingly, this Privacy Notice (the “Notice”) explains how DANAT collects Personal Data, how it uses and shares it as well as the rights of the Data Subjects to which the Data pertains in accordance with the Bahrain Personal Data Protection Law No. 30 of 2018 (the “PDPL”) and associated Executive Orders issued from time to time by the Personal Data Protection Authority (the “Authority”).
This Notice is separate from, and in addition to, any confidentiality obligations stipulated under individual or service specific contractual terms. Consequently, the terms and conditions applicable to such an engagement with DANAT should also be consulted. The details as to how Personal Data will be processed and which method is used will depend on the services applied for or agreed upon.
Any changes made to this Notice will be posted on DANAT’s website. DANAT reserves the right to modify this Notice at any time.
Authority: the Personal Data Protection Authority of the Kingdom of Bahrain, designated as the Ministry of Justice, Islamic Affairs and Waqf.
Consent: permission granted by the Data Subject for the processing of their Personal Data according to the following criteria: 1) given by a person with full legal capacity, 2) consent is written (including in electronic format), explicit, clear, considered, and specific to the processing of certain Data, and 3) freely given after being advised of the intended purpose or purposes of the processing and consequences of refusing consent.
Personal Data or Data: any information in any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through his/her personal ID number, or one or more of his/her physical, physiological, intellectual, cultural, or economic characteristics or social identity. Examples include but are not limited to an individual’s name, date of birth, business or personal contact details (telephone/mobile numbers, fax numbers, email IDs, physical and/or mailing address), bank account details, passport and smart card details including copies, photographs, BIOs/Curriculum Vitae, and personal/educational/employment history.
Sensitive Personal Data: a subset of Personal Data that reveals directly or indirectly an individual’s race, ethnicity, political or philosophical views, religious beliefs, sexual orientation, union affiliation, criminal record, or health record such as medical reports or certificates of good conduct.
Personal Data Breach: a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed and which compromises the confidentiality, integrity, availability and/or security of the Personal Data.
Processing or Process: any operation or set of operations carried out on Personal Data by automated or non-automated means, such as collecting, recording, organising, classifying in groups, storing, modifying, amending, retrieving, using, or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting, or destroying them.
Automatic Processing: when all, or part of, data processing is completed without human intervention/labour.
Non-Automatic Processing: when all the data processing is completed using human labour.
Cookies: simple text files that websites use to carry out technical functions, which are stored on a visitor’s browser or the hard drive of their device including but not limited to phones, tablets, desktops, and laptops, where permitted by applicable law or with the visitor’s permission.
Data Subject: the person or legal entity to whom the Personal Data relates.
Individual: any natural person.
Direct Marketing: communication, by whatever means, of any marketing material or advertisement which is directed to a particular individual.
Transfer: of Personal Data includes transmitting, sending, viewing, or accessing Personal Data in or to a different country (outside the jurisdiction of the Kingdom of Bahrain).
GDPR: the General Data Protection Regulation which applies to all member countries of the European Union (EU) as well as countries in the European Economic Area (EEA).
Personal Data Consent for Use
Personal Data is only processed by, or on behalf of, DANAT upon the Consent of the Data Subject, with the exception of the following circumstances when processing is necessary for:
Entering into, or the performance of, a contract to which the Data Subject is a party;
Compliance with any legal obligations (excluding contractual terms), as well as compliance with orders issued by a competent court or the Public Prosecution;
Protecting the vital interests of the Data Subject; or
Pursuing the legitimate interests of DANAT or any third party to whom the Personal Data has been disclosed, provided that it is not in conflict with the fundamental rights and freedoms of the Data Subject.
DANAT’s intention is not to collect or process Sensitive Personal Data, unless required by applicable laws. In certain circumstances, it may be necessary for DANAT to collect, or request a special category of Personal Data (i.e., Sensitive Personal Data) for employment related purposes to manage security, conflicts of interest, equal opportunities monitoring and to comply with any applicable employment laws and regulations.
By applying for, and accepting a position at DANAT, these Data Subjects typically consent to DANAT collecting, storing, and processing Personal and Sensitive Personal Data in accordance with the Company’s recruitment process and human resource protocols as well as Bahrain Labour Law.
As part of DANAT’s legitimate business use, and for the purpose of providing its products and services, DANAT collects and processes the following categories of Personal Data about past, existing and prospective Data Subjects. This information includes (and is not limited to):
Indicative Data Elements
Name, phone number, address, national ID, passport, email address, politically exposed person (PEP), nationality, employment history, salary information, education, and professional qualifications.
Entity name, commercial registration number, registered address, incorporation information, VAT registration number, shareholder information, management information.
Bank details, debit and credit card information, invoices.
Technical and usage
IP address, browsing actions and patterns, location, browser plug-in types and version, operating system, and platform.
Application forms, service terms and conditions, contracts, curriculum vitaes (CV).
Membership, historic use of products and services, authorised representatives.
Engagement and communications
Emails, SMS and chat application messages, newsletter subscriptions, survey responses, complaints and feedback, social media interactions, communication, and marketing preferences.
CCTV (in DANAT’s permanent and temporary premises)
CCTV visual and audio recordings.
Cookies on DANAT’s Website
DANAT uses strictly necessary cookies that are required for the operation of its website and cookies which are not strictly necessary but are useful for monitoring Data Subject experience and improving the functionality of DANAT’s website. In addition, DANAT may use external party technologies for its website such as Google Analytics. DANAT requests Data Subject consent before using cookies that are not strictly necessary.
Cookies do not give DANAT any directly identifiable information about Data Subjects visiting its website, such as name or address; however, cookies do provide a unique identifier for tracking activities by that Data Subject on DANAT’s website. Cookies do not give DANAT access to a Data Subject’s device.
Data Subjects can change their DANAT cookie preferences at any time. However, deleting or disabling DANAT cookies may limit access to content, and restrict the functionality of DANAT’s website.
Photographs and Videos
From time to time, DANAT may use photographs and videos taken at events to publicise the event or promote future events. Such photographs and videos may include a Data Subject’s image when attending an event and DANAT may publish such photographs and videos through any of its marketing channels.
Data Subjects entering DANAT’s premises should be aware that CCTV cameras are installed in DANAT’s premises. CCTV footage is processed for security purposes only and is shared with the relevant local authorities in the event of any security related concerns or incidents.
DANAT may process Personal Data for the following activities, which are necessary for the Company’s legitimate interests:
- Providing DANAT’s products or services to clients (as an individual and/or legal entity).
- Administering and maintaining contractual relationships.
- Billing, accounting, and tax purposes.
- Processing and responding to requests, enquiries, and complaints.
- Enhancing DANAT’s products and services.
- Research, analysis, and statistical purposes.
- Marketing and business development.
- Complying with legal and regulatory obligations.
- Reporting to governmental institutions, regulatory bodies, or law enforcement agencies.
- Establishing, exercising, or defending DANAT’s legal rights or for the purposes of legal proceedings.
- Auditing and quality control.
Security, Integrity, and Confidentiality of Personal Data
DANAT uses appropriate technical, physical, and organisational security measures to protect Personal Data against accidental or unlawful manipulation, loss, and destruction as well as access by unauthorised persons. These security measures are aligned with the nature of the Personal Data being collected and processed, the security technologies available, and the risks that may arise from this processing.
The confidentiality of Personal Data is controlled by only granting access privileges to internal and external parties who require access to perform their jobs or a contractual agreement.
DANAT only appoints external parties that can provide sufficient assurance that the rights of Data Subjects will be upheld and protected under the PDPL or similar equivalent law (such as GDPR).
However, despite DANAT’s best efforts, security of Personal Data cannot be absolutely guaranteed against all threats, particularly in relation to data transmission over the internet and World Wide Web. Accordingly, Data Subjects using DANAT’s website and other applications as well as electronic forms of communications do so at their own risk.
Breaches of Personal Data
- DANAT maintains suitable processes to identify, monitor, and report Personal Data breaches in line with the requirements of the PDPL and associated Executive Orders.
- DANAT will communicate without undue delay and take necessary action to mitigate risks should a Personal Data breach occur that is likely to result in a high risk to the rights and freedoms of the Data Subjects affected.
Links to External Party Websites and External Files
The information and content of a linked website are not controlled, reviewed, or approved by DANAT. Accordingly, DANAT is not responsible for the content, privacy, protection, or practices of any external party websites.
Transfer of Personal Data Outside the Kingdom of Bahrain
Personal Data may be transferred to, and stored at, locations outside the Kingdom of Bahrain when relevant service providers engaged by DANAT reside in overseas jurisdictions.
DANAT ensures an adequate level of protection for the Personal Data transferred overseas through appropriate due diligence with the external party and only completes such transfers in accordance with the PDPL.
Retention and Disposal of Personal Data
Personal Data is stored in physical and digital formats, as applicable. DANAT only retains Data for as long as necessary to fulfil the purpose for which it was collected and to satisfy any legal and regulatory requirements.
Personal Data is disposed of in a way that protects the rights and privacy of Data Subjects and in accordance with any prevailing contractual, legal, and regulatory requirements at the time of disposal.
Rights of Data Subjects
Data Subjects whose Personal Data is being processed by, or on behalf of DANAT, have the legal rights listed below.
Data Subjects that wish to use their rights must provide proof of identity before DANAT can evaluate and respond to a request.
All responses to Data Subject requests are made within ten (10) working days of the request’s receipt. On occasion, it may take longer than this if the request is particularly complex or several requests have been made. DANAT provides updates in such scenarios.
- Right to be informed: Data Subjects have the right to be informed about the processing of their Personal Data, the scope and purpose of DANAT’s processing of Data and their rights as a Data Subject. This is achieved through DANAT’s Privacy Notice and relevant service terms and conditions.
- Right to request: Data Subjects have the right to request confirmation regarding the processing of their Personal Data including but not limited to the Data being processed, source of the Data, purpose of the processing and how it’s being processed. DANAT will respond to a right to request within fifteen (15) working days.
- Right to object / opt-out: Data Subjects have the right to object to the use of their Personal Data for Direct Marketing or making the Data publicly available and to object to Data processing that causes material or psychological damage to the Data Subject or others, including processing that is conducted on a solely automated basis. Relevant marketing databases are updated to reflect the Data Subject’s opt-out request. Withdrawal of Consent through objections or opt-out requests is only applicable to the future use of Personal Data and does not impact legitimate use of the Data prior to the withdrawal of the Consent. As per the PDPL, DANAT may have legitimate reasons to continue the processing of Personal Data even when the Data Subject has an objection. Legitimate reasons include when Personal Data processing is completed under the Data Subject’s explicit Consent, when it is required to perform contractual obligations to which the Data Subject is party, implementation of an obligation prescribed by Law, protection of the Data Subject’s vital interests, or exercising the legitimate interests of DANAT or any external party involved. DANAT will respond to a right to opt out of Direct Marketing within ten (10) working days.
- Right to rectification, blocking or erasure: such requests are undertaken if the processing of Data is done in contravention of the provisions of the PDPL, or if the Data is incorrect, incomplete, or out of date. DANAT will respond to such requests within ten (10) working days. DANAT will notify any external parties to whom the Personal Data has been disclosed of the rectification, erasure or blocking within fifteen (15) calendar days of DANAT’s response date to the Data Subject.
- Right to object to decisions based on automated decisions: DANAT will hear all such requests and consider the same and any consent obtained by way of a “cookie wall”.
- Right to complain: complaints regarding a breach of privacy may be directed to email@example.com. Data Subjects may also submit a complaint to the Authority if there is reason to believe that DANAT has violated or is processing Personal Data in contravention of the requirements of the PDPL.
Questions about this Notice, or requests to exercise any rights regarding Personal Data should be directed to DANAT via email: firstname.lastname@example.org.