Qatar - Data Protection Overview
January 2024
1. Governing Texts
1.1. Key acts, regulations, directives, bills
Qatar
Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data ('PDPPL') governs personal data in Qatar. In addition, the National Cyber Governance and Assurance Affairs, a division of the National Cyber Security Agency ('NCSA') released guidelines on the PDPPL for the Qatari.
Qatar Financial Centre
Personal data in Qatar Financial Centre ('QFC') is regulated by QFC Law (Law No. (7) of 2005) ('the QFC Law') and QFC Data Protection Rules ('QFC Rules').
1.2. Guidelines
Qatar
The NCSA has issued guidelines to the PDPPL.
Qatar Financial Centre
The Data Protection Office within the Qatar Financial Centre (QFC) Authority ('the QFC Authority') has published various guidance on its website.
1.3. Case law
We are not aware of any case law. It should be noted that, as a civil law jurisdiction, Qatar has no concept of binding judicial precedent; at best, the decision in any case amounts to no more than obiter dicta.
2. Scope of Application
2.1. Personal scope
Qatar
The PDPPL applies to the personal data of individuals unless such personal data is being processed by individuals within a personal or family context or personal data is processed for obtaining official statistical data in accordance with applicable law in Qatar. The PDPPL does not apply to deceased individuals.
Qatar Financial Centre
The QFC Law applies to the personal data of living individuals and does not apply to deceased individuals.
2.2. Territorial scope
Qatar
The PDPPL does not apply outside Qatar. It applies only to data controllers that are located in Qatar.
Qatar Financial Centre
The QFC Law and QFC Rules apply to the processing of personal data by a data controller, or a data processor incorporated or registered in the QFC. In addition, the QFC Law and QFC Rules apply to data controllers and data processors that are not incorporated or registered in the QFC, if they are processing personal data as part of ongoing arrangements for data controllers and data processors that are incorporated or registered in the QFC. This will therefore bring third-party contractors and related companies within the scope of the QFC's Data Protection Office supervision.
2.3. Material scope
Qatar
The PDPPL applies to any processing of personal data, whether processed electronically or through a combination of electronic and other methods.
Qatar Financial Centre
The QFC Law relates to the processing of personal data of living individuals. Such processing may be by automated means or non-automated means.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Qatar
The National Cyber Governance and Assurance Affairs division of the NCSA regulates data privacy in Qatar. It oversees compliance with the PDPPL and offers advice and guidance, promotes good practices, carries out audits and advisory visits, considers complaints, monitors compliance, and supports enforcement action. It may impose penalties on the violating entity. We are not aware of any enforcement actions being taken so far. However, such actions would not be publicly announced in the same manner as in other countries.
Qatar Financial Centre
The Data Protection Office administers the QFC Law and all aspects of data protection within the QFC. It is managed by the Data Protection Commissioner, who determines its procedures and management.
The Data Protection Office has the following investigative powers:
- to order a data controller or a data processor to provide any information that the Data Protection Office requires for the performance of its duties;
- to carry out investigations, on its own initiative or based on information received from third parties;
- to notify a data controller or a data processor of an alleged infringement of the QFC Law; and
- to obtain access to any premises of a data controller or a data processor.
The Data Protection Office has the following corrective powers:
- to issue a warning to a data controller or a data processor that the intended processing is likely to infringe QFC Law;
- to issue orders to rectify any infringements to a data controller or a data processor;
- to order a data controller or a data processor to comply with the data subject's requests to exercise its rights;
- to order a data controller or a data processor to process personal data in a specified manner and within a specified period;
- to order a data controller to notify a data subject of a personal data breach;
- to impose a temporary or permanent limitation, including a ban, on the processing of personal data;
- to order a data controller to rectify or erase personal data and to notify these actions to recipients to whom personal data have been disclosed;
- to impose penalties in accordance with the QFC Law;
- to suspend cross-border data transfers; and
- to order a data controller to undertake the Data Protection Impact Assessment ('DPIA').
The Data Protection Office has the following authorization and advisory powers, subject to the approval of the QFC Authority:
- to issue, on its own initiative or on request, opinions, interpretations, guidance, and training on any issue related to the QFC Law;
- to publish a list of adequate jurisdictions for data transfers; and
- to grant permits to process sensitive personal data and for transfers of personal data.
3.2. Main powers, duties and responsibilities
Please see the section on the main regulator for data protection above.
4. Key Definitions
Data controller: The natural or legal person who alone or jointly with others determines the means and purposes of the processing of personal data.
Data processor: The natural or legal person who processes personal data on behalf of the data controller.
Personal data: Any information relating to an individual who is identified or can potentially be identified either from such data or from such data in conjunction with any other data.
Sensitive data: Data relevant to racial origin, children, health or physical or psychological status, religious beliefs, marital relationship, and criminal offenses.
Health data: There is no definition in the PDPPL.
Biometric data: There is no definition in the PDPPL.
Pseudonymization: There is no definition in the PDPPL.
Data subject: The natural person whose personal data is being processed.
Qatar Financial Centre
Personal data: Any information relating to a data subject.
Sensitive personal data: Personal data revealing or relating to race or ethnicity, political affiliation, opinions, religious or philosophical beliefs, trade union or organizational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual.
Data subject: A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject.
Data controller: An individual or entity that determines the purposes and means of the processing of personal data.
Data processor: An individual or entity that undertakes the processing of personal data on behalf of a data controller.
Biometric data: There is no definition in the QFC Law.
Health data: There is no definition in the QFC Law.
Pseudonymization: The QFC Law does not define pseudonymization, but it defines de-identification as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical or organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
5. Legal Bases
5.1. Consent
In both jurisdictions, consent is one of the legal bases for lawful processing.
5.2. Contract with the data subject
Qatar
This is not expressly addressed as a legal basis.
Qatar Financial Centre
This is one of the legal bases for lawful processing.
5.3. Legal obligations
In both jurisdictions, this is one of the legal bases for lawful processing.
5.4. Interests of the data subject
In both jurisdictions, the vital interests of data subjects are one of the legal bases for lawful processing.
5.5. Public interest
Qatar
Carrying out a task related to the public interest in accordance with the law is one of the legal bases for lawful processing.
Qatar Financial Centre
In the QFC, the necessity to process personal data to perform a task carried out in the public interest or for the performance of its functions by the relevant QFC regulatory bodies is one of the legal bases for lawful processing.
5.6. Legitimate interests of the data controller
In both jurisdictions, the legitimate interests of the data controller are one of the legal bases for lawful processing.
5.7. Legal bases in other instances
Qatar
Data controllers may also rely on the following legal bases:
- processing is necessary for achieving the purposes of scientific research conducted for public benefit; or
- processing is necessary for collecting information concerning criminal offenses based on an official request from the investigating organization.
6. Principles
Qatar
The PDPPL provides the following principles that govern the processing of personal data:
- transparency, honesty, and respect for human dignity;
- data minimization;
- accuracy;
- storage limitation;
- integrity and confidentiality;
- limitation of purpose; and
- accountability.
Qatar Financial Centre
- lawfulness, fairness, and transparency;
- specific purpose;
- data minimization;
- accuracy;
- storage limitation; and
- integrity and confidentiality of processing.
7. Controller and Processor Obligations
7.1. Data processing notification
Qatar
Article 16 of the PDPPL provides that sensitive personal data may only be processed after obtaining permission from the regulator.
Qatar Financial Centre
There is no obligation to notify processing activities.
7.2. Data transfers
Qatar
The PDPPL states that data controllers should not take any decisions or measures that may limit the transborder data flow unless such processing is in breach of said law or may cause serious damage to personal data or an individual's privacy.
In general, there are no personal data localization requirements. However, according to Law No. 11 of 2004 issuing the Penal Code, any information that would be considered a strategic defense, security, or equivalent secret of Qatar may not be stored outside of Qatar. The following data is considered a defense secret under the Penal Code: 'Military, political, and economic information known, due to its nature, only by authorized persons since the defense of the country requires such information to remain secret. Correspondence, written documents, deeds, drawings, maps, plans, pictures, and other such items, the disclosure of which may lead to revealing the information mentioned above should also be considered since the defense of the country requires them to be kept secret except to those in charge of maintaining and using them.'
Having said that, the PDPPL gives a right to restrict the processing of personal data for the following purposes:
- protection of national and public security;
- protection of the international relations of Qatar;
- protection of the economic or financial interests of Qatar; and
- prevention of any criminal offense, collection of information about, or investigation of the same.
Qatar Financial Centre
According to the QFC Rules, transfers of personal data outside of the QFC may take place only when:
- the country or jurisdiction is on the QFC list of adequate jurisdictions;
- the transfer is made using appropriate safeguards, such as the QFC's Standard Contractual Clauses ('SCCs'); or
- one of the following derogations applies:
  - the data subject concerned has been informed of the risks and has given their explicit consent to the transfer;
  - the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject's request;
  - the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party;
  - the transfer is necessary to comply with a legal obligation of the data controller or the data processor;
  - the transfer is necessary to protect the vital interests of the data subject or another individual;
  - the transfer is necessary to perform a task carried out in the public interest or by any of the following in the performance of its functions:
    - the QFC Authority;
    - the Qatar Financial Centre Regulatory Authority ('QFC Regulatory Authority');
    - the Civil and Commercial Court;
    - the Regulatory Tribunal; or
    - a QFC Institution;
  - the transfer is necessary for the establishment, exercise, or defense of a legal claim; or
  - if none of the above applies, the transfer may only take place if:
    - the transfer:
      - is not repetitive or is not part of a repetitive course of transfers;
      - concerns only a limited number of data subjects;
      - does not contain any sensitive personal data; and
      - is for the purposes of the legitimate interests of the data controller or another entity to which the data is disclosed, and the data controller has completed the DPIA; or
    - a permit for the transfer has been obtained from the Data Protection Office.
There are no specific data localization requirements.
7.3. Data processing records
Qatar
The PDPPL does not expressly require data controllers to maintain a register of processing activities. However, records of processing activities ('ROPA') are a key component of the Personal Data Management System ('PDMS') and an appropriate administrative precaution that ensures compliance with the PDPPL.
Qatar Financial Centre
Data controllers must make and maintain written records (including in electronic form) of all processing activities. In addition, the same obligation applies to the data processors concerning processing activities carried out on behalf of the data controller. Such records must be available to the Data Protection Office on request.
7.4. Data protection impact assessment
Qatar
Data controllers should carry out a DPIA before beginning any new activity that involves processing personal data or before making significant changes to an existing activity. Data controllers should determine whether the DPIA is required in line with the principle of accountability.
Qatar Financial Centre
A data controller must carry out the DPIA if processing is likely to result in a high risk to the rights and legitimate interests of data subjects. There is no explanation of what would be considered 'high risk.' In particular, the DPIA must be carried out where:
- automated processing, including profiling, leads to decisions that have a legal effect on, or otherwise significantly affect, data subjects;
- sensitive personal data is processed on a large scale; or
- a publicly accessible area is systematically monitored on a large scale.
Moreover, the Data Protection Office may provide a non-exhaustive list of processing operations where the DPIA is required. Currently, no such list has been issued.
7.5. Data protection officer appointment
There is no requirement to appoint a Data Protection Officer ('DPO').
7.6. Data breach notification
Qatar
A data controller is obliged to inform the regulator and the individual if a data breach is likely to cause serious damage to the individual's personal data.
Qatar Financial Centre
The data controller must notify the Data Protection Office of a personal data breach within 72 hours after having become aware of the same if such a personal data breach is likely to result in a risk to the rights or legitimate interests of data subjects. In addition, the data controller must consider notifying any personal data breach to data subjects, taking into account the risk to their rights and legitimate interests.
7.7. Data retention
Personal data should not be kept longer than necessary to achieve the purpose for which such personal data was collected.
7.8. Children's data
Qatar
Individuals who are younger than 18 years old are considered to be minors under Qatar law. To process the personal data of a minor, consent of a parent or guardian is required.
Qatar Financial Centre
This is not specifically mentioned. However, the same obligation as above would apply.
7.9. Special categories of personal data
Qatar
To lawfully process sensitive personal data, data controllers should:
- complete a DPIA;
- request permission from the regulator; and
- identify both a permitted reason for processing and any additional condition for processing.
Qatar Financial Centre
Data controllers may not process sensitive personal data unless one of the following grounds applies:
- explicit consent of the data subject is obtained to process that personal data;
- processing is necessary for carrying out the obligations and specific rights of the data controller in the field of employment law;
- processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
- processing is carried out by an insurance firm to provide a policy for life or health insurance;
- processing is carried out by a non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed to a third party without the consent of the data subjects;
- processing relates to personal data which is manifestly made public by the data subject;
- processing is necessary to establish, pursue, or defend a legal claim or when a court is acting in its judicial capacity;
- processing is necessary for compliance with any legal obligation to which the data controller is subject;
- processing is necessary to perform a task carried out by any of the following in the performance of its functions:
- the QFC Authority;
- the QFC Regulatory Authority;
- the Civil and Commercial Court;
- the Regulatory Tribunal; or
- a QFC institution;
- processing is necessary for substantial public interest reasons; or
- processing is required for preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health-care services, and where that personal data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
The above grounds need not be relied on if data controllers obtain a permit from the Data Protection Office and apply adequate safeguards in the processing.
7.10. Controller and processor contracts
Qatar
When data controllers appoint data processors to process personal data on their behalf, the data processor and the data controller should enter into a written agreement that sets out their respective obligations. In general, a written contract must cover:
- the subject and duration of processing;
- the nature and purpose of the processing;
- types of personal data and duties and rights of data controllers;
- duty of confidentiality;
- use of appropriate security measures;
- use of sub-processors;
- individuals' rights;
- the assistance that data processors should provide to data controllers;
- rights regarding audits and inspections; and
- what will happen at the end of the agreement.
Qatar Financial Centre
If the data controller engages the data processor to process personal data on its behalf, it must enter into a written contract. According to the QFC Rules, a written contract must at the minimum set out the following:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects; and
- the obligations and rights of the data controller.
In addition, the contract must also set out that the data processor:
- may not process personal data or transfer it outside of the QFC without being instructed in writing by the data controller to do so, or required by law to do so;
- must ensure that persons authorized to process personal data have undertaken to maintain its confidentiality or are under an appropriate statutory obligation of confidentiality;
- must take all the applicable measures;
- must comply with the conditions referred to in the QFC Law in relation to the use of sub-processors;
- must assist the data controller in fulfilling its obligation to respond to requests by data subjects to exercise their rights, by implementing appropriate technical and organizational measures;
- must assist the data controller in complying with the data controller's obligations under the QFC Law (the DPIA, security of processing, and data breach notifications);
- must delete or return personal data at the end of the contract, unless an applicable law requires it to be retained;
- must make available to the data controller all information necessary to show compliance with the QFC Law; and
- must allow for, and assist with, audits and inspections by the data controller or an auditor appointed by the data controller.
8. Data Subject Rights
Qatar
The PDPPL provides the following rights to data subjects:
- right to protection and lawful processing;
- right to withdraw consent;
- right to object to processing in certain circumstances;
- right to erasure;
- right to request correction;
- right to be notified of the processing;
- right to be notified of inaccurate disclosure; and
- right to access their personal data.
In addition, Article 26 of the PDPPL gives a right to data subjects to file a complaint with the regulator in case of violation of any of the provisions of the PDPPL.
Qatar Financial Centre
Data subjects have the following rights:
- a right to access;
- a right to rectification;
- a right to erasure;
- a right to object;
- a right to restriction of processing;
- a right to data portability; and
- a right to not be subject to automated individual decision-making, including profiling.
8.1. Right to be informed
Please see the section on data subject rights above.
8.2. Right to access
Please see the section on data subject rights above.
8.3. Right to rectification
Please see the section on data subject rights above.
8.4. Right to erasure
Please see the section on data subject rights above.
8.5. Right to object/opt-out
Please see the section on data subject rights above.
8.6. Right to data portability
Please see the section on data subject rights above.
8.7. Right not to be subject to automated decision-making
Please see the section on data subject rights above.
8.8. Other rights
Please see the section on data subject rights above.
9. Penalties
Qatar
Penalties up to QAR 5,000 (approx. $1,370) may be imposed for certain violations (not implementing security measures, not obtaining permission for processing sensitive personal data, non-compliance with regulations on processing personal data of children). Furthermore, the PDPPL imposes a fine of up to QAR 1 million (approx. $274,730) for non-compliance with other provisions of the said law.
Qatar Financial Centre
Non-compliance with the QFC Law or any orders imposed by the regulator may lead to a fine of up to $1.5 million.
9.1. Enforcement decisions
We are not aware of any enforcement actions being taken so far. However, such actions would not be publicly announced in the same manner as in other countries.