Bahrain Data Privacy Laws: PDPL Law No. 30 of 2018 Complete Guide (2026)

Bahrain's Personal Data Protection Law (PDPL), Law No. 30 of 2018, came into force on 1 August 2019 and established the Kingdom as the first Gulf Cooperation Council (GCC) state with a comprehensive standalone data protection statute. The Personal Data Protection Authority (PDPA) supervises compliance, with its functions entrusted to the Ministry of Justice, Islamic Affairs and Waqf under Royal Decree No. 78 of 2019.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Jurisdictional scope: This article addresses data protection law in the Kingdom of Bahrain under Law No. 30 of 2018 (PDPL) and its implementing resolutions. It does not address recording consent law in Bahrain; for that, see Bahrain Recording Laws.
Quick Answer: Is Bahrain's Data Protection Law GDPR-Equivalent?
Bahrain's PDPL shares the GDPR's general architecture: lawful bases for processing, data subject rights, breach notification, supervisory authority oversight, and restrictions on cross-border transfers. The core differences are enforcement scale (Bahrain's maximum fines are far lower than the GDPR's EUR 20 million / 4% of global turnover), the absence of a formal adequacy mechanism flowing from the EU to Bahrain, and the PDPL's structure as a single statute supplemented by ten ministerial resolutions rather than a directly applicable regulation. Organizations subject to both the GDPR and the PDPL will generally find that GDPR compliance covers most PDPL obligations, with gaps around DPG registration fees, Bahrain-specific notification procedures, and the Resolution 42/2022 adequacy list.

The PDPL: History and Legislative Context
Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection on 12 July 2018. The law came into force on 1 August 2019 after a one-year implementation period. It supersedes any prior legislation with contradictory provisions and applies to all natural and legal persons who process personal data in or from Bahrain.
The law draws from the architecture of the EU's General Data Protection Regulation (GDPR) while reflecting Bahrain's legal context as a civil-law-influenced Gulf monarchy. The PDPL does not transplant the GDPR wholesale: it omits the concept of a lead supervisory authority for cross-border processing, sets lower financial penalties, and structures the supervisory authority as a board-based governmental body rather than an independent administrative authority.
On 17 March 2022, the PDPA issued 10 ministerial resolutions (Resolutions 41-50 of 2022) that took effect the following day upon publication in the Official Gazette. These resolutions fill in the operational detail that the PDPL left to secondary legislation.
The PDPL applies to processing carried out by controllers or processors established in Bahrain, and (in a provision consistent with GDPR Article 3(2)) to processing by entities outside Bahrain where the processing relates to personal data of individuals located in Bahrain.

The Supervisory Authority: PDPA Structure and Powers
Establishment Under Royal Decree No. 78 of 2019
The PDPL established the Personal Data Protection Authority (PDPA) as the supervisory body under Articles 27-39. Because the independent Authority Board had not yet been constituted when the law came into force, Royal Decree No. 78 of 2019 entrusted the functions and competencies of the PDPA to the Ministry of Justice, Islamic Affairs and Waqf. This arrangement means that in practice the Ministry acts as the supervisory authority, operating through an internal PDPA unit.
The PDPA Board, once fully constituted, includes representatives nominated by:
- The Telecommunications Regulatory Authority (TRA)
- The Central Bank of Bahrain (CBB)
- The Bahrain Chamber of Commerce and Industry (BCCI)
- The most representative body of stakeholders in the financial institutions sector
- The most representative body of IT specialists
Mandate and Enforcement Powers
The PDPA's mandate under the PDPL includes:
- Monitoring compliance with the law and its implementing resolutions
- Receiving and investigating complaints from data subjects (procedures set by Resolution No. 49 of 2022)
- Conducting audits and inspections of data controllers and processors
- Issuing guidance, recommendations, and binding administrative decisions
- Maintaining the official Notifications and Authorizations Register under Article 16
- Referring cases for criminal prosecution where the PDPL provides criminal penalties
- Issuing stop orders halting the collection, processing, or transfer of personal data
The PDPA website (pdp.gov.bh) publishes the full text of the PDPL, all 10 ministerial resolutions in Arabic and English, and guidance documents for organizations.

Scope and Key Definitions
Who and What Is Covered
The PDPL covers processing of personal data by any natural or legal person: government agencies, private companies, non-profit organizations, and individuals. There is no "small business" exemption.
Processing means any operation performed on personal data, including: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, and destruction.
A data controller is the natural or legal person who determines the purposes and means of processing. A data processor is a person who processes data on behalf of and under the instructions of a controller.
Personal Data and Sensitive Personal Data
Personal data means any data relating to a natural person who is identified or identifiable, directly or indirectly. This includes names, identification numbers, addresses, telephone numbers, email addresses, IP addresses, and any other information that can be used to identify an individual.
Sensitive personal data under Article 2 of the PDPL includes data relating to:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or philosophical views
- Trade union membership
- Physical or mental health or condition
- Sexual life
- Criminal records or offenses
- Family origins
Resolution No. 45 of 2022 sets out detailed rules and procedures for processing sensitive personal data, including the mechanism for obtaining prior authorization from the PDPA where required.
Data Quality Principles
Article 6 of the PDPL sets out the data quality principles that govern all processing. Personal data must be:
- Processed lawfully and in a transparent manner
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date
- Kept in a form that permits identification of data subjects for no longer than necessary
- Processed in a manner that ensures appropriate security
These principles apply regardless of the lawful basis relied upon.
Lawful Bases for Processing
Consent as Primary Basis
Consent is the default lawful basis under the PDPL. Under Article 3, the data subject's consent is required unless one of the Article 4 exemptions applies. Resolution No. 48 of 2022 clarifies that where consent is the basis and data is collected directly from the data subject, consent must be express and obtained in writing or by electronic means. Data subjects retain the right to withdraw consent at any time; the PDPL requires that withdrawal be as easy as giving consent.
For sensitive personal data under Article 5, the law requires explicit consent. Explicit consent requires a clear affirmative act; pre-ticked boxes or inferred agreement do not meet the standard.
Article 4 Exemptions from Consent
Processing without consent is lawful where it is necessary for:
- Performance of a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract
- Compliance with a legal obligation to which the controller is subject
- Protecting the vital interests of the data subject where the data subject is incapable of giving consent
- Exercising or defending legal claims
- Pursuing the legitimate interests of the controller or a third party to whom data is disclosed, provided those interests are not overridden by the fundamental rights and freedoms of the data subject (this basis does not apply to processing of children's data)
- Tasks carried out in the public interest
Article 5 Exemptions for Sensitive Data
Sensitive personal data may be processed without explicit consent where processing:
- Is required to comply with obligations in the field of employment law
- Is necessary to protect a person who is legally incapable of giving consent
- Relates to data that the data subject has manifestly made public
- Is necessary to exercise or defend legal claims
- Is necessary for medical diagnosis, healthcare provision, or health management, carried out by a health professional bound by an obligation of professional secrecy
Data Subject Rights
The Rights Granted
The PDPL grants data subjects the following enforceable rights:
- Right to be informed: controllers must provide information about the identity and contact details of the controller, the purposes and legal basis of processing, any recipients or categories of recipients, and planned transfers outside Bahrain.
- Right of access: data subjects may request confirmation of whether their data is processed, and if so, receive a copy of the data and information about the processing.
- Right to rectification: data subjects may request correction of inaccurate, incomplete, or outdated data.
- Right to erasure and blocking: data subjects may request deletion or blocking of data where processing is unlawful or the data is no longer needed.
- Right to object: data subjects may object to processing, including for direct marketing purposes.
- Right to withdraw consent: applicable at any time where consent is the basis of processing.
Response Deadlines
Article 14 of the PDPL requires that the controller respond to a data subject request, free of charge, within 10 working days of receipt of the request accompanied by proof of identity. Where the controller has not complied with the request, it must provide a legally acceptable justification for the refusal within the same period.
Where a controller rectifies, erases, or blocks personal data following a data subject request, it must notify any third party to whom the data was previously disclosed of that action within 15 days of responding to the data subject.
Data subjects who consider that their rights have been violated may lodge a complaint with the PDPA under the procedures established in Resolution No. 49 of 2022.
Data Breach Notification
72-Hour Notification to the PDPA
Ministerial Resolution No. 44 of 2022 establishes the breach notification framework. A data controller that becomes aware of a personal data breach must notify the PDPA within 72 hours of becoming aware of the breach. Where notification is not made within 72 hours, the controller must include in its notification to the PDPA a documented justification for the delay.
The notification must describe:
- The nature of the breach and the categories of data affected
- The approximate number of data subjects and records involved
- The name and contact details of the data protection guardian or other contact point
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
Notification to Data Subjects
Where a breach is likely to result in a high risk to the rights and interests of data subjects, the controller must also notify the affected individuals without undue delay. Notification to data subjects is not required where the controller has implemented appropriate technical and organizational protection measures (such as encryption) that render the data unintelligible to any person not authorized to access it, or where subsequent measures have been taken to ensure that the high risk is no longer likely to materialize.
Data Processor Obligations
Where a data processor becomes aware of a breach affecting data it processes on behalf of a controller, it must notify the controller without undue delay so the controller can meet its 72-hour obligation.
Data Protection Guardian (DPG)
The Role
Bahrain's PDPL uses the term "Data Protection Guardian" (DPG), which is functionally equivalent to the GDPR's "Data Protection Officer" (DPO). Under Article 15 of the PDPL and Resolution No. 46 of 2022, the DPG:
- Assists the controller in complying with the PDPL
- Acts as the primary liaison with the PDPA
- Monitors processing activities and keeps the required registers
- Reports violations to the controller and, where violations are not corrected within 10 days, reports directly to the PDPA
- Performs duties independently and impartially
The DPG may be an employee of the controller (internal DPG) or an external entity (external DPG). External DPGs must hold a degree or certification in IT, information security, audit, or a related field, or have at least two years of relevant experience.
When a DPG Is Mandatory
Under the PDPL, appointment of a DPG is optional for data controllers generally unless the PDPA Board determines that specific categories of controller must designate one. The PDPA has exercised this power through sector-specific directives:
Financial sector (CBB, 24 March 2025): The Central Bank of Bahrain issued a directive to all CBB licensees requiring financial sector entities that are Data Controllers to appoint a DPG. Financial institutions may appoint an internal or external guardian and must notify the PDPA of the appointment within three working days.
Telecommunications (TRA): The Telecommunications Regulatory Authority has directed all licensed operators to appoint a DPG, following classification of the sector as high-risk for personal data processing.
Private healthcare (NHRA): The National Health Regulatory Authority has mandated all private healthcare facilities (hospitals, medical centers, and laboratories) to appoint a DPG.
Registration and Fees
All appointed DPGs must be registered with the PDPA. Controllers must notify the PDPA of any DPG appointment within 3 working days. The PDPA maintains two public registers: one for internal DPGs and one for external DPGs.
Resolution No. 47 of 2022 sets registration fees:
- External DPG (legal entity): up to BD 500 (approximately USD 1,326)
- Internal DPG: up to BD 100 (approximately USD 265)
Renewal fees apply. Controllers must notify the PDPA of any changes to DPG information within 30 days. All DPGs must declare any circumstances that could cause a conflict of interest affecting their independence or impartiality.
The Ten Ministerial Resolutions (2022)
The PDPA issued 10 ministerial resolutions on 17 March 2022, effective from 18 March 2022. They are:
| Resolution | Subject |
|---|---|
| No. 41 of 2022 | General implementing rules for the PDPL |
| No. 42 of 2022 | List of countries and territories with adequate data protection (adequacy list) |
| No. 43 of 2022 | Technical and organizational security measures, privacy by design, and data protection impact assessments |
| No. 44 of 2022 | Rules and procedures for notifications to the PDPA, requests for prior authorization, and breach notification |
| No. 45 of 2022 | Rules and procedures for processing sensitive personal data and obtaining prior authorization |
| No. 46 of 2022 | Data Protection Guardians: appointment, qualifications, and duties |
| No. 47 of 2022 | Fees for DPG registration and renewal |
| No. 48 of 2022 | Consent: form requirements (express, written or electronic), and withdrawal procedures |
| No. 49 of 2022 | Rules and procedures for filing complaints with the PDPA |
| No. 50 of 2022 | Content requirements for the data processing register |
Cross-Border Data Transfers
The Restriction
The PDPL restricts transfers of personal data outside Bahrain. Article 28 provides that a data controller may not transfer personal data to another country unless the receiving country provides an adequate level of protection for personal data, or the controller has obtained prior authorization from the PDPA, or the data subject has given explicit consent to the transfer.
Resolution No. 42 of 2022: The Adequacy List
Resolution No. 42 of 2022, issued under Article 28 of the PDPL, establishes a list of approximately 83 countries and territories that the PDPA has determined provide adequate protection. Transfers to countries on the adequacy list may proceed without prior PDPA authorization.
The adequacy list includes all EU member states, the European Economic Area (EEA) states (Iceland, Liechtenstein, Norway), the United Kingdom, the United States, Switzerland, Canada, Australia, Japan, and all other GCC states (Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, and Oman), which is notable for regional commerce. The full list in English is published on the PDPA website at pdp.gov.bh.
Transfers to Non-Listed Countries
Transfers to countries not on the adequacy list require one of the following:
- Prior PDPA authorization: the controller submits a request demonstrating that the receiving organization has implemented adequate security measures and that appropriate contractual arrangements protect the transferred data.
- Explicit consent of the data subject: the data subject is informed of the possible risks of the transfer due to the absence of an adequacy determination.
- Performance of a contract between the data subject and the controller where the transfer is necessary.
- Vital interests: the transfer is necessary to protect the vital interests of the data subject.
- Publicly available sources: the transfer is from a register that is open to public inspection.
Where PDPA authorization is sought and the transfer is pursuant to a contract with the receiving organization, a copy of the agreement must be provided.
Penalties and Enforcement
Criminal Penalties
Article 54 of the PDPL establishes criminal penalties. Any natural person who violates the PDPL is subject to imprisonment of up to one year, a fine of BD 1,000 to BD 20,000 (approximately USD 2,650 to USD 53,000), or both.
Specific criminal offenses include:
- Processing personal data without the required consent or without notifying the PDPA
- Transferring personal data outside Bahrain without PDPA authorization or data subject consent
- Providing inaccurate or misleading information to the PDPA or to data subjects
- Blocking, concealing, or destroying information requested by the PDPA
- Creating hindrances in the course of a PDPA investigation
- Using information obtained through the PDPA's processes for personal gain
Corporate Liability
Where a legal person (company, institution, or other corporate body) commits an offense under the PDPL, the fine applicable to natural persons may be doubled. This means corporate entities face maximum fines of BD 40,000 (approximately USD 106,000). The corporate penalty does not replace individual liability: officers and employees within the organization who are personally responsible for the violation remain subject to imprisonment and individual fines.
Civil Compensation
Article 57 of the PDPL provides that any person who suffers harm as a result of a violation of the law may seek compensation before the civil courts. This creates a civil cause of action parallel to criminal enforcement, distinct from PDPA administrative action.
Administrative Enforcement
The PDPA exercises administrative enforcement powers independently of the criminal process. These include:
- Stop orders requiring the immediate cessation of collection, processing, or transfer
- Corrective orders requiring rectification, erasure, or blocking of data
- Compliance directions requiring the implementation of specific organizational or technical measures
- Referral for criminal prosecution
Security Requirements and Privacy by Design
Technical and Organizational Measures
The PDPL requires data controllers to implement technical and organizational measures appropriate to the risk posed by the processing. Resolution No. 43 of 2022 specifies that measures must address:
- Access controls limiting processing to authorized persons
- Encryption of personal data in storage and transit
- Backup and recovery procedures
- Procedures for regularly testing, assessing, and evaluating the effectiveness of security measures
- Procedures for restoring access to personal data in the event of an incident
Measures must be proportionate to the nature, scope, and purposes of processing and the likelihood and severity of risks to data subjects.
Privacy by Design and by Default
Resolution No. 43 of 2022 introduces privacy by design and privacy by default as compliance expectations. Data controllers are required to implement data protection principles from the earliest stage of system design, and to ensure that by default only personal data necessary for each specific purpose is processed.
Data Protection Impact Assessments (DPIAs)
Resolution No. 43 of 2022 requires controllers to carry out a Data Protection Impact Assessment before commencing processing that is likely to result in a high risk to the rights and interests of data subjects. A DPIA must describe the envisaged processing, assess its necessity and proportionality, assess the risks to data subjects, and set out the measures envisaged to address those risks.
Where a DPIA indicates a high residual risk that cannot be mitigated, the controller must consult the PDPA before proceeding.
Registration and Notification Obligations
Notification Register
Article 16 of the PDPL requires data controllers to maintain a notifications and authorizations register. Controllers must notify the PDPA before commencing processing activities. The notification must contain:
- The controller's and processor's names and addresses
- The purposes for which data is being processed
- A description of the categories of data subjects and data
- Any proposed transfers outside Bahrain
- A description of security measures sufficient to permit an initial adequacy assessment by the PDPA
Resolution No. 50 of 2022 specifies the required content of the processing register that controllers must maintain internally.
Processing Register
Controllers must keep an internal register of processing activities. Resolution No. 50 sets out mandatory fields including: data type, purpose of collection, legal basis, categories of recipients, retention periods, and the date of the most recent update to the register.
GCC Context: Bahrain's Regional Position
Bahrain's PDPL came into force in August 2019 as the first comprehensive standalone data protection law in the GCC. The regional picture has since changed significantly:
| Country | Law | Status (2026) |
|---|---|---|
| Bahrain | PDPL, Law No. 30 of 2018 | In force since August 2019 |
| Qatar | Law No. 13 of 2016 | In force since 2016 (sectoral scope) |
| Saudi Arabia | PDPL (amended 2023) | Full enforcement from September 2024 |
| UAE | Federal Decree-Law No. 45 of 2021 | In force; executive regulations pending |
| Kuwait | Data Protection Law 2021 | Full enforcement from February 2025 |
| Oman | PDPL 2022 | Full enforcement from February 2026 |
Bahrain's adequacy list (Resolution 42/2022) includes all other GCC states, meaning intra-GCC transfers of personal data to Saudi Arabia, UAE, Qatar, Kuwait, and Oman proceed without prior PDPA authorization, providing a practical advantage for regional business operations.
Sector-Specific Considerations
Financial Services
Bahrain's role as a GCC financial hub means the PDPL has its deepest practical impact in financial services. Banks, insurance companies, investment firms, and other CBB licensees must comply with both the PDPL and the CBB's sector-specific data requirements.
The CBB's March 2025 directive requires all CBB-licensed Data Controllers to appoint a DPG and notify the PDPA within three working days of appointment. This directive makes DPG appointment mandatory for all licensed financial institutions, even where they might otherwise have been exempt under the general PDPL framework.
Healthcare
Private healthcare facilities regulated by the National Health Regulatory Authority are required to appoint a DPG under the NHRA directive. Processing of health data requires explicit consent under Article 5 of the PDPL, and Resolution No. 45 of 2022 sets specific authorization procedures for health data processing.
Telecommunications
TRA-licensed operators must appoint a DPG. The telecoms sector processes large volumes of personal data (subscriber data, call records, and location data), making DPG oversight particularly important for compliance with the PDPL's data quality and security requirements.
Technology and Fintech
Bahrain's growing fintech and technology sector operates under the PDPL's general framework. The Bahrain FinTech Bay and other innovation sandbox initiatives exist alongside PDPL compliance obligations; entities operating in innovation sandboxes are not exempt from PDPL requirements.
Recent Developments (2024-2026)
AI Regulation
In April 2024, Bahrain's Shura Council unanimously approved a draft standalone AI regulation law comprising 38 articles. The draft would create an AI oversight unit, establish licensing requirements for AI system developers and deployers, and impose civil liability and administrative penalties for AI-related harms.
The draft law intersects directly with the PDPL: Article 57 of the PDPL already permits civil compensation for data mishandling, including harm caused by automated decision-making. Officials have signalled preference for refining existing legislation rather than creating overlapping rules.
In July 2025, the Information and eGovernment Authority (iGA) published the Kingdom's General Policy for the Use of Artificial Intelligence (Version 1.0). The policy names PDPL compliance as one of four foundational pillars for public-sector AI deployment and mandates alignment with the GCC "Guiding Manual on the Ethics of Artificial Intelligence Use."
Sector Mandate Expansion
The March 2025 CBB directive on DPG appointment follows earlier mandates by the TRA and NHRA. The pattern of sectoral regulators using PDPL-aligned powers to expand DPG obligations suggests that further sector-specific mandates in energy, education, or retail are possible.
Proposed Cybercrime Amendment
In late 2025, members of the Shura Council proposed an amendment to Bahrain's Cybercrime Law to add a new article addressing data privacy in digital communications. As of May 2026, the proposal had been approved by the Shura Council's Legislative and Legal Affairs Committee and referred for further review; it had not yet been enacted.
GCC Harmonization
With all six GCC states now having data protection frameworks in force or imminent (Oman from February 2026), regional discussion has shifted to interoperability. The GCC adequacy list in Resolution 42/2022 is one step; formal mutual recognition of adequacy determinations or a GCC-level data transfer framework has been discussed but not yet formalized.
Compliance Checklist for Organizations
Organizations processing personal data in Bahrain should work through the following steps, referenced to the specific PDPL provisions and resolutions:
| Step | Requirement | Source |
|---|---|---|
| 1. Map processing | Identify all data flows, purposes, legal bases, and categories | Art. 6 PDPL; Res. 50/2022 |
| 2. Register with PDPA | Notify PDPA before commencing processing; maintain register | Art. 16 PDPL; Res. 44/2022 |
| 3. Lawful basis | Identify consent or Article 4 exemption for each processing activity | Arts. 3-5 PDPL |
| 4. Consent mechanisms | Ensure consent is express, specific, informed, in writing or electronic | Res. 48/2022 |
| 5. Sensitive data | Obtain explicit consent or identify Art. 5 exemption; obtain prior PDPA authorization where required | Art. 5 PDPL; Res. 45/2022 |
| 6. Privacy notice | Provide required information to data subjects at or before collection | Art. 7 PDPL |
| 7. Data subject requests | Establish a procedure; respond within 10 working days; notify third parties within 15 days | Art. 14 PDPL |
| 8. Security measures | Implement technical/organizational measures; conduct DPIAs for high-risk processing | Art. 9 PDPL; Res. 43/2022 |
| 9. Breach notification | Notify PDPA within 72 hours of becoming aware; notify subjects where high risk | Res. 44/2022 |
| 10. Cross-border transfers | Check Resolution 42 adequacy list; obtain PDPA authorization for non-listed countries | Art. 28 PDPL; Res. 42/2022 |
| 11. DPG | Appoint if in financial services, telecoms, or private healthcare; register with PDPA within 3 days | Art. 15 PDPL; Res. 46/2022 |
| 12. DPIA | Carry out before high-risk processing; consult PDPA if high residual risk remains | Res. 43/2022 |
Disclaimer
This article provides general legal information about data protection law in the Kingdom of Bahrain as of 19 May 2026. It does not constitute legal advice and should not be relied upon as such. Data protection laws are subject to amendment, and the implementing resolutions issued by the Personal Data Protection Authority may be updated. Organizations and individuals should consult a lawyer licensed in Bahrain for advice specific to their circumstances.
Authorities Cited
- Law No. 30 of 2018 with Respect to Personal Data Protection (PDPL). Official text: https://www.pdp.gov.bh/en/assets/pdf/regulations.pdf
- Royal Decree No. 78 of 2019 (entrusting Ministry of Justice with PDPA functions). See: https://www.akingump.com/en/insights/blogs/ag-data-dive/bahrain-ministry-of-justice-to-act-as-data-protection-authority
- Ministry of Justice Order No. 42 of 2022 (Adequacy List). Official English text: https://www.pdp.gov.bh/assets/pdf/executive-decisions/eng/trans-order-countries-and-territories-with-adequate-protection-en.pdf
- Ministry of Justice Order No. 43 of 2022 (Technical Measures, DPIA, Privacy by Design). See: https://www.clydeco.com/en/insights/2022/04/bahrain-issues-new-privacy-guidelines
- Ministry of Justice Order No. 44 of 2022 (Breach Notification). See: https://www.clydeco.com/en/insights/2022/04/bahrain-issues-new-privacy-guidelines
- Ministry of Justice Order No. 45 of 2022 (Sensitive Personal Data). See: https://www.trowers.com/insights/2022/may/bahrain-enhances-its-data-protection-regime
- Ministry of Justice Order No. 46 of 2022 (Data Protection Guardians). See: https://resourcehub.bakermckenzie.com/bg-bg/resources/global-data-and-cyber-handbook/emea/bahrain/topics/dpos-and-notification-requirements
- Ministry of Justice Order No. 47 of 2022 (DPG Registration Fees). See: https://resourcehub.bakermckenzie.com/bg-bg/resources/global-data-and-cyber-handbook/emea/bahrain/topics/dpos-and-notification-requirements
- Ministry of Justice Order No. 48 of 2022 (Consent). See: https://www.clydeco.com/en/insights/2022/04/bahrain-issues-new-privacy-guidelines
- Ministry of Justice Order No. 49 of 2022 (Complaint Procedures). See: https://www.trowers.com/insights/2022/may/bahrain-enhances-its-data-protection-regime
- Ministry of Justice Order No. 50 of 2022 (Processing Register). See: https://raeesandco.com/thoughts/legal-update-10-ministerial-resolutions-for-elements-of-the-pdpl/
- Personal Data Protection Authority, Kingdom of Bahrain: https://www.pdp.gov.bh/en/index.html
- CBB Directive on DPG Appointment (March 24, 2025). See: https://www.asarlegal.com/data-protection-officers-now-required-across-finance-telecom-and-health-sectors-in-bahrain/
- Al Tamimi: Ministry of Justice entrusted with PDPA tasks: https://www.tamimi.com/news/ministry-of-justice-islamic-affairs-and-awqaf-entrusted-with-the-tasks-and-competences-of-personal-data-protection-authority/
- Al Tamimi: 10 Ministerial Decisions for the PDPL: https://www.tamimi.com/news/the-bahrain-personal-data-protection-authority-issues-10-ministerial-decisions-with-respect-to-the-personal-data-protection-law/
- DLA Piper: Data Protection Laws of the World, Bahrain: https://www.dlapiperdataprotection.com/index.html?t=law&c=BH
- Clyde and Co: Bahrain issues new privacy guidelines (2022): https://www.clydeco.com/en/insights/2022/04/bahrain-issues-new-privacy-guidelines
- Trowers and Hamlins: Bahrain enhances its data protection regime (2022): https://www.trowers.com/insights/2022/may/bahrain-enhances-its-data-protection-regime
- Baker McKenzie: DPOs and Notification Requirements, Bahrain: https://resourcehub.bakermckenzie.com/bg-bg/resources/global-data-and-cyber-handbook/emea/bahrain/topics/dpos-and-notification-requirements
- ASAR Legal: DPOs now required across Finance, Telecom and Health: https://www.asarlegal.com/data-protection-officers-now-required-across-finance-telecom-and-health-sectors-in-bahrain/
- iGA: General Policy for the Use of AI (July 2025): https://www.bahrain.bh/wps/wcm/connect/57fd391d-3cb9-42d4-bfbf-a42325bf41ce/General+Policy+for+the+Use+of+AI+-++Final+30+Jul+2025.pdf
Frequently Asked Questions
What is Bahrain's main data protection law?
Law No. 30 of 2018 on Personal Data Protection (PDPL) is Bahrain's comprehensive data protection statute. It came into force on 1 August 2019 and is supplemented by 10 ministerial resolutions (Nos. 41-50 of 2022) issued by the Personal Data Protection Authority on 17 March 2022. The PDPA's functions are currently exercised by the Ministry of Justice, Islamic Affairs and Waqf under Royal Decree No. 78 of 2019.
What are the penalties for data protection violations in Bahrain?
Natural persons face imprisonment of up to one year and/or fines of BD 1,000 to BD 20,000 (approximately USD 2,650 to USD 53,000) under Article 54 of the PDPL. Corporate entities face doubled fines of up to BD 40,000 (approximately USD 106,000). The PDPA may also issue stop orders halting processing, and Article 57 gives affected individuals a right to seek civil compensation in the courts.
How quickly must a data breach be reported in Bahrain?
Resolution No. 44 of 2022 requires data controllers to notify the PDPA within 72 hours of becoming aware of a data breach. Where notification is delayed beyond 72 hours, a documented justification must accompany the notification. Where the breach poses a high risk to data subjects, the affected individuals must also be notified without undue delay.
Can personal data be transferred outside Bahrain?
Transfers are permitted without prior PDPA authorization to the approximately 83 countries on the Resolution No. 42 of 2022 adequacy list, which includes all EU member states, the UK, the US, and all other GCC states. Transfers to countries not on the list require prior PDPA authorization, explicit consent from the data subject, or another Article 28 exemption (contract performance, vital interests, or publicly available data).
Does Bahrain require organizations to appoint a Data Protection Guardian?
A Data Protection Guardian (Bahrain's term for a DPO) is mandatory for organizations in the financial sector (under the CBB's March 2025 directive), telecommunications (TRA directive), and private healthcare (NHRA directive). For other organizations, DPG appointment is optional under the PDPL itself unless the PDPA Board orders it for additional categories. All appointed DPGs must be registered with the PDPA within 3 working days.
What countries are on Bahrain's data protection adequacy list?
Resolution No. 42 of 2022 lists approximately 83 jurisdictions, including all EU member states, Iceland, Liechtenstein, Norway, the UK, Switzerland, the US, Canada, Australia, Japan, and all five other GCC states (Saudi Arabia, UAE, Qatar, Kuwait, Oman). The full list in English is published at pdp.gov.bh. Transfers to listed countries do not require prior PDPA authorization.
How does Bahrain's PDPL compare to the GDPR?
The PDPL and GDPR share the same architectural principles: lawful bases, data quality, data subject rights, security obligations, breach notification, supervisory authority oversight, and cross-border transfer restrictions. Key differences include: Bahrain's financial penalties are far lower (maximum BD 40,000 corporate vs. GDPR's EUR 20 million or 4% of global turnover); the PDPL uses a ten-working-day response deadline for data subject requests rather than one month; Bahrain uses the term 'Data Protection Guardian' rather than 'Data Protection Officer'; and the PDPL is a statute supplemented by resolutions rather than a directly applicable regulation.
What are Bahrain's lawful bases for processing personal data?
Under Article 3 of the PDPL, consent is the default basis. Article 4 provides six lawful bases for processing without consent: contract performance; legal obligation; protection of vital interests; exercise or defense of legal claims; legitimate interests of the controller or a third party (not applicable to children's data); and public interest tasks. For sensitive personal data, Article 5 applies stricter rules including a requirement for explicit consent or a specific Article 5 exemption.
How long does a data controller have to respond to a data subject request?
Under Article 14 of the PDPL, data controllers must respond to data subject requests free of charge within 10 working days of receiving the request with proof of identity. Where the controller has rectified, erased, or blocked data, it must notify any third party to whom the data was disclosed within 15 days of responding to the data subject. Data subjects may complain to the PDPA under Resolution No. 49 of 2022 if their requests are not handled correctly.
What is the relationship between Bahrain's PDPL and the proposed AI regulation law?
The Shura Council approved a draft AI regulation law in April 2024 consisting of 38 articles. The draft would create an AI oversight unit and address civil liability for AI-caused harms. The PDPL already provides a civil compensation right under Article 57 for data mishandling, including automated decision-making. Officials have expressed a preference for refining existing legislation rather than creating overlapping rules. In July 2025, the iGA published Bahrain's General Policy for the Use of AI, which names PDPL compliance as a foundational requirement for public-sector AI.
Sources and References
- Personal Data Protection Authority, Kingdom of Bahrain, official site (pdp.gov.bh)
- PDPL Full Text, PDF (pdp.gov.bh)
- Resolution No. 42/2022: Adequacy List, English PDF (pdp.gov.bh)
- Al Tamimi: Ministry of Justice Entrusted with PDPA Functions (tamimi.com)
- Al Tamimi: 10 Ministerial Decisions for the PDPL (tamimi.com)
- Clyde & Co: Bahrain issues new privacy guidelines, 2022 (clydeco.com)
- Trowers & Hamlins: Bahrain enhances its data protection regime, 2022 (trowers.com)
- DLA Piper: Data Protection Laws of the World, Bahrain (dlapiperdataprotection.com)
- Baker McKenzie: DPOs and Notification Requirements, Bahrain (resourcehub.bakermckenzie.com)
- ASAR Legal: DPOs now required across Finance, Telecom and Health (asarlegal.com)
- Akin Gump: Bahrain Ministry of Justice to Act as Data Protection Authority (akingump.com)
- Bahrain Recording Laws (RecordingLaw.com)