| Version | Description of Revision | Prepared / Reviewed by | Approved by | Date Approved | Next Review Date |
|---|---|---|---|---|---|
| 1.2 | Policy based on Indian IT Act | Niraj Desai | Mukund Malani | 01/04/2021 | 31/03/2025 |
| 2.0 | Major revision to comply with Bahrain PDPL (Law 30 of 2018). Added DPO, Data Subject Rights, Cross-Border Transfer rules, Lawful Bases, and Breach Notification. | [Name] | [Name] | [Date] | [Date + 1 Year] |

The aim of this policy is to ensure that Tasheel Healthcare handles all personal data in full compliance with Bahrain's Personal Data Protection Law (PDPL), Law No. (30) of 2018, and that everyone processing such data is aware of and adheres to the required data protection procedures.
This policy applies to all staff, business partners, implementers, consultants, and any third parties processing personal data on behalf of Tasheel Healthcare.
Bahrain's Personal Data Protection Law (PDPL), Law No. (30) of 2018, mandates the secure, fair, and lawful processing of personal information. Tasheel Healthcare processes personal data of clients, business partners, and employees to carry out its operations and comply with legal obligations.
The organization is committed to ensuring that all personal data is processed in line with the PDPL. Information will be collected and used fairly, stored safely, and not disclosed unlawfully.
Personal Data: Any data relating to an identified or identifiable natural person.
Sensitive Personal Data: Includes data related to children, health, genetics, biometrics, beliefs, and offences.
Processing: Any operation performed on Personal Data (e.g. collection, storage, disclosure, deletion).
Data Subject: The natural person to whom the Personal Data relates.
Data Protection Officer (DPO): Responsible for overseeing compliance with data protection laws.
Tasheel Healthcare processes information such as name, contact details, designation, company, financial data, and sensitive personal data with explicit consent.
Tasheel Healthcare, as the Data Controller, is responsible for the distribution of and access to personal data, delegating day-to-day matters to the DPO.
We ensure that personal data is collected lawfully, used fairly, and stored securely, and that the rights of data subjects are respected.
All employees receive training on data protection during induction and through regular awareness programs.
We collect only the information necessary for legitimate business purposes.
Only authorized individuals have access to personal data, based on necessity.
Data may be disclosed to group companies, auditors, banks, third-party processors, or regulators as required.
Transfers outside Bahrain are made only under PDPL-compliant conditions such as adequate protection or explicit consent.
Data is retained only as long as necessary and securely deleted thereafter.
Appropriate security measures including encryption, access control, and secure storage are applied.
Data subjects are responsible for notifying any changes to their data to ensure accuracy.
Breaches are reported to the PDPA within 72 hours and to data subjects when high risk exists.
Top management is responsible; the DPO oversees compliance and training and acts as the contact for the authority.
This policy is shared with employees and partners and published on the website.
This policy is reviewed annually by the DPO and related teams to ensure effectiveness.
Non-compliance may result in disciplinary action, up to termination, as per the HR Security Policy.