Privacy Policy

1. This Policy
This Policy is issued by the National Bank of Bahrain B.S.C. (“NBB”) on behalf of itself, and its branches, 
and is addressed to individuals outside our organisation with whom we interact, including customers, business partners, vendors, visitors to our websites, and other recipients of our services (together, "you"). 
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the
Processing of Personal Data, or changes in respect of the Personal Data Protection Law (the “PDPL”). 

2. Processing your Personal Data
This section lists places where we get data that counts as part of your Personal Data.
Collection of Personal Data: We collect Personal Data about you:

  • When you provide it to us (e.g., where you contact us via telephone or by any other means)
  • In the ordinary course of our relationship with you (e.g., in the course of managing your transactions)
  • That you choose to make public, including via social media (e.g., we may collect information from your social media profile(s), to the extent that you choose to make your profile publicly visible)
  • From third parties who provide it to us (e.g., your employer; our customers; credit reference agencies; law enforcement authorities and so forth)
  • When you visit our websites or use any features or resources available on or through our website. When you visit our website, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to our website and other technical communications information), some of which may constitute Personal Data
  • When you download, register or use our mobile applications we will automatically collect Personal Data, including Device Data, Location Data and Usage Data. We collect this data using cookies and other similar technology

Creation of Personal Data: We create Personal Data about you, such as records of your interactions with us, and details of your accounts, subject to the PDPL.

Unique application number: When you wish to install or uninstall the App containing a unique application number or when such application searches for automatic updates, that number and information about your installation, for example, the type of operating system, may be sent to us.

Relevant Personal and Sensitive Personal Data: 

This section explains what different types of Personal Data mean. 
Pursuant to the PDPL, the categories of Personal Data about you that we Process are as follows:

Type of Personal Data: Description

  • Contact details: Address; telephone number; and email address
  • Personal details: given name(s); preferred name(s); gender; date of birth / age; marital status; Social Security number; passport number(s); driving license number(s); nationality; lifestyle and social circumstances; images of passports, driving licenses, and signatures; authentication data (passwords, mother's maiden name, challenge/response questions and answers, PINs); photographs; visual images; and personal appearance and behavior
  • Family details: Names and contact details of family members and dependents
  • Financial: Your financial position; financial status; financial history; billing address; bank account numbers; credit card numbers; cardholder or accountholder name and details; instruction records; transaction details; and counterparty details
  • Transactional: Details about payments to and from your accounts with us, and insurance claims you make
  • Behavioral: Details about how you use products and services from us and other organisations
  • Employment details: Industry; role; business activities; names of current and former employers; work address; work telephone number; and work email address
  • Electronic Identifying Data: IP addresses; cookies; activity logs; online identifiers; unique device identifiers; and geolocation data.

Sensitive Personal Data: Any personal information that directly or indirectly discloses any of the following: the ethnic origin of the individual, their ethnic group, political or philosophical views, religious beliefs, trade union affiliation, criminal record, or any data relating to their health or sexual status.

Processing your Sensitive Personal Data: We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:

  1. the Processing is necessary for compliance with a legal obligation;
  2. the Processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by the PDPL;
  3. you have made those Sensitive Personal Data public;
  4. the Processing is necessary for the establishment, exercise or defence of legal rights;
  5. we have, in accordance with the PDPL, obtained your explicit consent prior to Processing your Sensitive Personal Data; or
  6. Processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.

Purposes for which we may Process your Personal Data: 

We will only use your Personal Data when the law allows us to do so. Most commonly, we will use your Personal Data in the following circumstances:

  • where you have consented before the processing;
  • where we need to perform a contract we are about to enter or have entered with you;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
  • where we need to comply with a legal or regulatory obligation(s).

 

Here is a list of all the ways that we may Process your Personal Data:
 

Anti-Money Laundering / KYC

  • fulfilling our regulatory compliance obligations, including 'Know Your Client' checks
  • confirming and verifying your identity (including by using credit reference agencies)
  • screening against government, supranational bodies (including but not limited to the United Nations Security Council, the European Union, the UK HM Treasury, the U.S. Department of the Treasury’s Office of Foreign Asset Control) and/or law enforcement agency sanctions lists as well as internal sanctions lists and other legal restrictions

Client on-boarding

  • on-boarding new clients
  • compliance with our internal compliance requirements, policies and procedures

Credit worthiness

  • conducting credit reference checks
  • conducting other financial due diligence

Providing products and services to you

  • managing relationships and related services
  • performance of tasks necessary for the provision of the requested services
  • communicating with you in relation to our services

Marketing

  • communicating with you via any means (including via email, telephone, text message, social media, post
    or in person) subject to ensuring that such communications are provided to you in compliance with the PDPL
  • maintaining and updating your contact information where appropriate

Operation of our website and App

  • operation and management of our website and App
  • providing content to you
  • displaying advertising and other information to you
  • communicating and interacting with you via our website and App

Install the App and register you as a new App user

  • process purchases via the App and deliver any services including managing payments and collecting money owed to us
  • manage our relationship with you including notifying you of changes to the App or any services in respect of the App
  • to enable you to participate in a prize draw, competition or complete a survey
  • to administer and protect our business and this App including troubleshooting data analysis and system testing
  • to deliver content and advertising to you
  • to make recommendations about products and services which may interest you
  • to measure and analyze the effectiveness of the advertising we serve you
  • to monitor trends so that we can improve the App

IT operations

  • management of our communications systems
  • operation of IT security
  • IT security audits

Financial management

  • Sales
  • Finance 
  • corporate audit
  • vendor management

Research

  • conducting market or customer satisfaction research
  • engaging with you for the purposes of obtaining your views on our products and services

Investigations 

Detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

Legal compliance 

Compliance with our legal and regulatory obligations under applicable law

Legal proceedings

Establishing, exercising and defending legal rights.

Improving our products and services

  • Identifying issues with existing products and services
  • planning improvements to existing products and services
  • creating new products and services

Risk Management

  • Audit
  • Compliance
  • Controls
  • Other risk management

Fraud prevention

Detecting, preventing and investigating fraud.

3. Disclosure of Personal Data to third parties

We may disclose your Personal Data for legitimate business purposes (including providing services to you), in accordance with the PDPL. In addition, we may disclose your Personal Data to:

  1. you and, where appropriate, your family, your associates and your representatives;
  2. credit reference agencies;
  3. anti-fraud services;
  4. Governmental, legal, regulatory, or similar authorities, regulators, and central and/or local government agencies, upon request or where required, including for the purposes of reporting any actual or suspected breach of applicable law or regulation;
  5. accountants, auditors, financial advisors, lawyers and other outside professional advisors to NBB, subject to binding contractual obligations of confidentiality;
  6. debt-collection agencies;
  7. data aggregation services;
  8. accreditation bodies;
  9. third party Processors (such as payment services providers; shipping companies; etc.), located anywhere in the world, subject to the requirements noted below in this Section 3;
  10. any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights in accordance with applicable law;
  11. any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law;
  12. the press and the media; and
  13. voluntary and charitable organisations.

If we engage a third-party Data Processor to Process your Personal Data, the Data Processor will be subject to binding
contractual obligations to: 

  1. only Process the Personal Data in accordance with our prior written instructions; and 
  2. use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

4. International transfer of Personal Data

We may need to transfer your Personal Data to third parties as noted in Section 3 above, in connection with the purposes set out in this Policy. For this reason, we may transfer your Personal Data to other countries that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those that apply in the country in which you are located. In such circumstances, we shall ensure that your Personal Data shall be held in a manner consistent with the rules and standards expected in the Kingdom of Bahrain.

If you want to receive more information about the safeguards applied to international transfers of personal data,
please use the contact details provided in Section 10 below.

5. Data Security

We have implemented appropriate technical and organizational security measures designed to protect your
Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised
access, and other unlawful or unauthorised forms of Processing, in accordance with the PDPL.

6. How long we keep your Personal Data

This section explains how long we may keep your Personal Data for and why.

  1. We will keep copies of your Personal Data for as long as you are a customer of NBB.
  2. We may keep your data for up to 10 years after you stop being a customer. The reasons we may do this are:
    • To respond to a question or complaint, or to show whether we gave you fair treatment
    • To study customer data as part of our own internal research
    • To comply with any data retention rules that apply to us about keeping records. For example, the Central Bank of Bahrain requires us to retain certain data for a minimum of 5 years.
  3. We may also keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons.
  4. We will only use your Personal Data for those purposes and will make sure that your privacy is protected.

7. Your legal rights

Subject to the PDPL, you may have a number of rights regarding the Processing of your Personal Data, including:

  1. the right to request access to your Personal Data, together with information regarding the nature, Processing and disclosure of your Personal Data;
  2. the right to request rectification of any errors in your Personal Data;
  3. the right to request, on legitimate grounds:
    • erasure of your Personal Data; or
    • restriction of Processing of your Personal Data; and
  4. where we Process your Personal Data on the basis of your consent, the right to withdraw that consent.

This does not affect your statutory rights.

Subject to the PDPL, you may also have the following additional rights regarding the Processing of your Personal Data:

  1. the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf; and
  2. the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Policy, or about our Processing of your Personal Data, please use the contact details provided in Section 10 below.

8. Cookies

A cookie is a small file that is placed on your device when you visit a website. It records
information about your device, your browser and, in some cases, your preferences and browsing habits. We may
Process your Personal Data through cookie technology. We use cookies and / or other tracking technology to distinguish you from other users of the App, App Site, the distribution platform or Services Site and to remember your preferences. This helps us to provide you with a good experience when you use the App or browse any of our Sites and also allows us to improve the App and our Sites.

9. Direct Marketing 

We may Process your Personal Data to contact you so that we can provide you with information on our products and services that may be of interest.

If you do not wish to receive marketing communications from us you can opt out at any time by contacting your
regular NBB contact. After you unsubscribe, we will not send you further promotional text messages, but we may continue to contact you to the extent necessary for the purposes of any services you have requested.

We may ask you to confirm or update your choices, if you take out any new products or services with us in future. We will also ask you to do this if there are changes in the law, regulation, or the structure of our business.

As NBB continues to update and improve its internal processes, systems and controls, we may notify you in the future about the best way for you to update your Personal Data and your preferences.  

10. Contacting us 

If you have any comments, questions or concerns about any of the information in this Policy, or any other issues
relating to the Processing of Personal Data by NBB, please contact your regular NBB client service contact, or:

National Bank of Bahrain
12th Floor Old Tower, P.O Box 106, Manama, Kingdom of Bahrain
Email: [email protected]

11. Defined terms

Defined Term: Meaning

Authority: An independent public authority established under the provisions of the PDPL that is legally tasked with overseeing compliance with the PDPL.

Data Processor: Any person or entity that Processes Personal Data on behalf of the Data Protection Controller (other than employees of the Data Manager or Data Protection Controller).

Device Data: includes the type of mobile device you use, a unique device identifier (e.g. your device's IMEI number, MAC address of your Device's wireless network interface, or the mobile number used by your Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting, from the following parties: analytics providers, advertising networks, search information providers.

Location Data: includes your current location disclosed by GPS technology

Personal Data: Information that is about any individual, or from which any individual is identifiable.

Process or Processed or Processing: Anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, classification, storage, modification, alteration, retrieval, use or disclosure by transmission, publishing, transferring, dissemination or otherwise making available to third parties, merging, blocking, wiping, restriction, erasure or destruction.

Sensitive Personal Data: Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or any other information that may be deemed to be sensitive under applicable law.

Usage Data: includes details of your use of any of our Apps or your visits to any of Our Sites including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.