There is currently no modern data protection law in Kuwait, and there is accordingly no Data Protection Authority. There are Kuwait law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These have not been prepared with GDPR in mind. Of specific relevance is the Electronic Transactions Law (Law No. 20 of 2014), which includes the following:
‘Other than in cases set forth by law, state bodies, authorities, public institutions, companies or non-state bodies or those working therein shall not have the right to peruse, disclose, or publish any data or personal information registered in the electronic processing records or systems pertaining to the professional affairs or social status, medical status, or financial dues of persons or other personal information registered at one of the bodies stated therein unless by the consent of the person whom such information or data are related. Further, the bodies stated above shall set forth the necessary procedure for protecting the personal information and data from loss, damage, disclosure or invalid information or providing invalid information. In addition, the aforementioned bodies, shall be bound to state the purpose for collecting the data and the collection of the data should be within the limits of such purpose.’
Additionally, there are general provisions in Kuwaiti law protecting privacy and providing for remedies where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.