Privacy Policy
Following the introduction of the Bahrain Personal Data Protection Law No. 30 on the 1st August 2019, GEMS is committed to ensure that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with the Bahrain Personal Data Protection. we outline the roles and responsibilities in complying with the law in terms of the use, transmittal, sharing and storage of Personal Data and Sensitive Data of an individual.
1. Definitions:
- PDPL shall mean the Bahrain Law No. 30 (2018), Personal Data Protection Law.
- Personal & Sensitive Data shall include any information of any form related an individual who can be identified through his/her personal ID number, or one or more of his/her physical, physiological, intellectual, cultural or economic characteristics or social identity, race, ethnicity, or any data related to his/her health or sexual life.
- Processing shall mean any operation or set of operations carried out on personal data by automated or non- automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
- Data Owner shall mean the individual, physical or legal person, subject of the data. E.g. the insured member or patient.
2. In the context of the Law, GEMS is classified as the Data Processor, i.e. the person or entity that processes the data for and on behalf of the Data Manager. The Data Manager is the Insurance Company or Reinsurer whose scheme members are entitled to the benefits of the Medical Insurance Scheme. Under PDPL it is the Data Manager’s responsibility to have obtained the consent from the Data Owner (member) to use their data for the processing of any medical claim.
3. The provisions of this Law shall apply to every physical person residing normally in the Kingdom of Bahrain or having a workplace therein, and all physical persons not normally residing in the Kingdom of Bahrain and not having a workplace therein, however their data is processed using means available in the Kingdom.
4. The processing or use of data shall be fair and for a legitimate purpose such as for medical claims processing, subsequent processing can be carried out thereto in a way that is not inconsistent with the purpose of collected data. The subsequent processing of the data carried out for historical, statistical or scientific research purposes shall not be considered inconsistent with the purpose of collection, provided that it is not carried out to support taking any decision or action concerning a specific individual.
5. Data stored for long periods for historical, statistical or scientific research purposes shall be kept in an anonymized form, not being able to be attributed to the owner thereof. However, if this was not possible, the identity of the Data Owner shall be encrypted.
6. The processing of personal data shall be prohibited without the consent of the owner thereof, it is therefore the responsibility of the Insurer (Data Manager) to obtain the consent of the Insured Member (Data Owner), unless such processing is the implementation of a contract to which the Data Owner is a party.
7. Processing sensitive personal data shall be prohibited without the consent of the owner thereof, it is therefore the responsibility of the Insurer (Data Manager) to obtain the consent of the Insured Member (Data Owner), unless such processing is necessary processing for the purposes of preventive medicine, medical diagnosis, provision of healthcare, treatment or management of healthcare services by a person licensed to exercise any of the medical practices or any person legally bound to maintain confidentiality. GEMS ensures that they protect the confidentiality of the personal and sensitive data of the member and only to use the data as defined by PDPL.
