Privacy Notice                                                          

Last updated November 20, 2025 

Your privacy and the security of your Personal Data is very important to us. At Arab Bank plc Bahrain, hereinafter referred to as the “Bank”, we ensure that Personal Data you provided to us as Data Managers is always treated as private and confidential, afforded the highest level of security, and is processed in accordance with Bahrain’s Personal Data Protection Law No. 30 of 2018 and Personal Data Protection Authority Executive Decisions/Orders, hereafter referred to as the “Personal Data Protection Requirements”. This Privacy Notice, hereinafter referred to as “Notice”, aims to provide you with information on how we will use your Personal Data, what steps we will take to ensure it stays private and secure and what Personal Data we collect and process about you as well as your data privacy rights and how you can exercise them.

How we collect your data

The Bank collects your data through one of the following methods:

- Directly: we obtain Personal Data directly from you in order to receive a service from the Bank or transacting with the Bank, including without limitation, log a complaint, enter a business relationship, or for other purposes depending on the services requested for or agreed upon.

- Indirectly: we may obtain Personal Data about you indirectly from a variety of sources, including: your broker, intermediaries, Cookies, device ID's, social media, public sources and recruitment services to better understand and serve you, satisfy a legal obligation, or in pursuance of another legitimate interest.   

How we use your Personal Data

We collect your Personal Data for various reasons in relation to our services, products or interacting with us, and for other business purposes, including, but not limited to:

- to provide and manage your account(s) and our relationship with you.

- to give you statements and other information about your account or our relationship.

- to handle enquiries and complaints.

- to provide our services to you.

- to conduct assessment, testing, and analysis for statistical purposes or other analysis for market research purposes.

- to evaluate, develop, and improve our services to you and other customers.

- to protect our business interests and to develop our business strategies.

- to contact you, by post, phone, text, email and other digital methods.

- to collect any debts owing to us.

- to meet our regulatory compliance and reporting obligations in relation to protecting against financial crime.

- to assess any application you make.

- to monitor, record, and analyze any communications between you and us.

- to share your information with the Central Bank of Bahrain and other governmental authorities, credit reference agencies, fraud prevention agencies, and overseas regulators and authorities.

- to share your information with our service providers and external auditors as clarified in the section below (Who has access to your Personal Data and to whom it is disclosed).

- recruitment and vetting agencies for prospective job applicants.  

- for purpose of litigation, consultation, legal advices or documentation of transactions.

- in certain instances, Arab Bank as Data Manager may be Processing your Personal Data jointly with another Data Manager. In such situations, the Bank will continue to be your point of contact in relation to any requests or inquiries concerning your Personal Data.

On what legal grounds do we process your data

We rely on the following lawful reasons when we collect and process your Personal Data to operate our business, transacting with you, provide our products and services:

- Contractual obligation: we process your Personal Data if necessary for the entry and/or implementation of a contract with you, or for the conclusion of a contract at your request.

- Legitimate interests: we rely on legitimate interests based on our evaluation that the Processing is fair, reasonable, and balanced.

- Legal obligations and public interests: we process Personal Data to comply with a legal obligation, to meet regulatory and public interest obligations or mandates.

- Consent: We will only process your Personal Data with your explicit written consent except for reasons permitted under the Personal Data Protection Requirements.

Which Personal Data do we collect and process

The Personal Data we collect includes data provided by you at the start of our relationship or at any time thereafter such as:

- Personal details such as name, date of birth, email, nationality, marital status, and gender and contact information.

- Current residential address and permanent residential address, and proof of address documents.

- Data about your identity including documents, details of ID cards, details of passports.

- Employer, employment status, job title, full name, email, address and telephone number(s) used for work purposes.

- Financial data: income and source of income, source of wealth, average account financial activity, and engagement data.

- Data about your tax status such overseas tax-identification number, FATCA forms, etc.

- Details of transactions done by you or by any of your connected persons including dates, amounts, currencies, and payer and payee details.

- Sound and visual images including CCTV footage.

- Digital identifiers (IP address, email).

- Cookies (please refer to our Cookie Notice).

- Risk rating information, e.g. credit risk rating and data about your ability to manage credit.

- Recruitment information and qualifications for prospective job applicants.

- Due diligence data, e.g. data required to comply with financial crime regulations (anti-money laundering, anti-terrorism financing, etc.) and data we need to fulfil regulatory obligations such as Suspicious Activity Reporting.

- Other people’s information, such as family and household members, emergency contacts, and guardians, which include their signatures, addresses and relationship with you.

- Legal dispute, complaints, and grievance information.

- Agreements, contracts, billing and commissions information.

- Security Information.

- Data about your geographic location, ATMs used, and branches you visit.

How long do we keep your Personal Data

We retain personal information to provide our services, stay in contact with you and to comply with applicable laws, regulations, and professional obligations, which we are subject to. This includes regulatory requirements for record retention applicable to banks, for example, customer identification Personal Data such as your ID, personal and work details, need to be retained for at least 5 years after the business relationship has ended in line with the local regulatory requirements. Sometimes we may need to keep your data for longer. The reasons for this include:

• where we need the data to meet regulatory or legal requirements

• to help detect or prevent fraud and financial crime

 • to answer requests from regulators

We will dispose of your personal information in a secure manner when we no longer need it for the above justifications. Please refer to Privacy Office at Privacy.Office@Arabbank.com.bh for further details on our records retention practices.

Processing Sensitive Personal Data

Personal Data Protection Regulatory Requirements define Sensitive Personal Data as any personal information that reveals, directly or indirectly, the individual's race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to his/her health or sexual life. The Bank ensures there is a lawful basis for Processing of Sensitive Personal Data. For example:

• Biometric Data: the Bank shall process your finger vein where you decide to use your finger vein as an authentication method for the Bank such as where you wish to make cash withdrawals from your account or conduct other transactions that require validation. Note that selfie photos are also considered biometric data when used to identify or validate the identify of an individual. As such, the Bank processes your selfie photo (biometric data) as part of authentication when you use the Bank’s digital apps.
• Health Data: we process your health data as part of procedures for granting loans and financial facilities. However, this is conducted following your consent including on the sharing of this data with the insurance company.

Marketing

The Bank may send you marketing messages about our products and services. You have the right to opt-in or out of receiving marketing messages by us at any time. You can also object to your Personal Data being used for marketing purposes at any time by contacting the Bank at Customer Care Center, or via the Bank’s digital channels such as sending a secure mail through Arabi mobile or by visiting the Bank.

How we protect and safeguard your Personal Data

We will take reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your Personal Data. We aim to ensure that access to your Personal Data is limited only to those who need to access it, and those individuals who have access to the information are required to maintain the confidentiality of such data (for more information please refer to our Security Statement).

If you are using online services from the Bank, you remain responsible for keeping your user ID and password confidential.

Who has access to your Personal Data and to whom it is disclosed

We keep your Personal Data confidential. However, in order to service your needs to the best of our ability, we may share your Personal Data with other parties bound via contractual agreements to safeguard your data and only process it under our strict instructions. We may also transfer your Personal Data to other Arab Bank Group members outside of the Kingdom of Bahrain, as well as third party organizations outside the Kingdom of Bahrain when we have a business reason to engage these organizations. Each organization is required to safeguard Personal Data in accordance with our contractual obligations.

In essence, we may share the Personal Data about you and your dealings with us, in alignment with Personal Data Protection Regulatory Requirements, with: 

- The Bank’s HO, Branches for legitimate business purposes such as data backup processes or for insurance purposes.

- Correspondent banks such as, as part of funds transfers, trade services, and other services and products you may request from the Bank

- Entities involved in cards and digital payments processing including entities outside Kingdom of Bahrain such as VISA and AFS.

- Other Third Party Service Providers including cloud service providers or instant payment providers for legitimate business purposes and in line with applicable laws and regulations

- External Auditors which need to conduct audits of the Bank per applicable laws and regulations and may request sample Bank data for validation and testing purposes.

- Regulatory authorities, governmental bodies, financial crime prevention agencies, and tax authorities.

- Courier and postal services necessary to make deliveries such as for requested Bank cards.

- Printing companies such as cheque printing companies. 

- Credit reference organizations. 

- Law firms, lawyers, or professional advisors where we need to revert to such legal advisors.

- Real Estate Assets Evaluation firms where needed such as were you mortgage a property for the benefit of the Bank.

- Debt collection firms when we revert to such service providers for the collection of outstanding debts.

- Other parties with which you have agreed to share your information with.

Please refer to Privacy Office at Privacy.Office@Arabbank.com.bh for further details and contact details of such third parties as well as their respective Privacy Notices (where applicable).

What are your rights and how you can exercise them

- Right to request notification of Processing: you can ask us to verify whether we are Processing Personal Data about you, and if so, provide you with specific details regarding your information and the Processing activities.

- Right to obtain a copy of the Personal Data: you can ask us to provide you with a copy of your Personal Data which you have provided to us for Processing. And it shall be provided to you in a structured, commonly used, and machine-readable format.

- Right to Personal Data portability: in some circumstances, where you have provided Personal Data to us, you can ask us to transmit that Personal Data (in a structured, commonly used, and machine-readable format) directly to another Data Manager if technically feasible.

- Right to object to automated decision-making: you can ask us to review any decisions made about you, which we made solely based, on automated Processing, including profiling, that produced legal effects concerning you or significantly affected you. Furthermore, you have the right to request another method be adopted that does not rely on automated Processing.

- Right to withdraw consent: you can withdraw your consent that you have previously given to one or more specified purposes to process your Personal Data. This will not affect the lawfulness of any Processing carried out before you withdrew your consent. It could mean we are not able to provide certain products or services to you and we will advise you if this is the case.

- Right to lodge a complaint: you have the right to lodge a complaint to the Bahrain Personal Data Protection Authority if you believe the Processing of your Personal Data was against the provisions of the Personal Data Protection Requirements.

- Right to be informed: you have the right to be informed of certain information at the time of information collection, such as details of the Bank, the purpose of Processing, and any other necessary information.

- Right to object to Processing that causes harm or distress: you have the right to object to any Processing, which may cause material or immaterial harm or distress to you, or others, the Bank shall investigate and provide you with a response.

- Right to object to direct marketing including profiling: you can object to our use of your Personal Data for direct marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.

- Right to demand rectification, blocking, or erasure: you have the right to submit an application to rectify, block, or erase your Personal Data, if the Processing is done in contravention of the Law, and in particular if the data is incorrect, incomplete, or not updated, or if the Processing is illegal.

Please note that our fulfillment to your requests may be subject to limitations, in certain circumstances, in accordance with the Personal Data Protection Requirements. For example, a request to erase your Personal Data in the custody of the Bank may not apply where we are required to retain this data under regulatory requirements on data retention.

To submit a request to exercise any of these rights, please send an email to Privacy.Office@Arabbank.com.bh

Contact information

- Arab Bank plc Bahrain (Wholesale and Retail Branches)

Diplomatic Area, Manama, Kingdom of Bahrain, Street :1706, Block: 317 

(Retail Branch - P.O. Box 395 / Wholesale Branch - P.O. Box 813)

For More Information

Should you have any questions regarding this Notice or want to learn more about our security practices, please read our Security Statement section posted on the website (Click to view the security-statement), or contact us at: Privacy.Office@Arabbank.com.bh

Arab Bank Supplier Privacy Notice

Arab Bank also maintains a dedicated Supplier Privacy Notice which aims to clarify how we collect, use, store, share, and protect Personal Data of individuals who are officers, directors, contractors, agents, or representatives of our current, prospective, and former Suppliers. Click to view Notice.

Changes to this Notice

We reserve the right to update this Notice to reflect changes to our information practices in alignment with the Personal Data Protection Requirements.  Any updates will become effective immediately after posting the updated Notice on our website.

Key Definitions:

• Automated Decision Making: is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.
• Cookies: cookies are data generated by a website and saved by your web browser. Its purpose is to remember information about you.
• Data Manager: a person who, either alone or jointly with other persons, determines the purposes and means of processing any particular personal data.
• Personal Data: any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified by reference, in particular, to his or her personal identification number, or by reference to one or more factors specific to his or her physical, physiological, intellectual, cultural, economic, or social identity.
• Processing: any operation or set of operations which is performed upon personal data, whether or not by automatic means, including collecting, recording, organizing, classifying into groups, storing, adapting, altering, retrieving, using, disclosing by transmission, dissemination, transference or otherwise making available for others, or combining, blocking, erasing or destructing such data.
• Sensitive Personal Data: any personal data revealing – directly or indirectly- an individual’s race, ethnic origin, political or philosophical opinions, religious beliefs, union affiliations, personal criminal record, or any information in relation to his health or sexual status. For example, the reasons recognized by the PDPL as allowing businesses to collect and use the sensitive personal data of individuals are stricter than non-sensitive personal data.