Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Qatar Financial Centre: Data Processing Notification
1. Governing Texts
1.1. Legislation
- Data Protection Regulations 2005 ('the Regulations')
- Data Protection Rules 2005 ('the Rules')
The above will be collectively referred to as 'the 2005 Legislation'.
Notably, the 2005 Legislation has been amended following a public consultation in 2021, and will be replaced by the 2021 Data Protection Regulations ('the 2021 Regulations') and 2021 Data Protection Rules ('the 2021 Rules') (collectively 'the 2021 Legislation') (available to access here).
The 2021 Regulations and 2021 Rules will repeal the 2005 Rules and the 2005 Regulations 180 days after its date of issuance, i.e. 21 May 2022.
1.2. Regulatory authority guidance
The Qatar Financial Centre Regulatory Authority ('QFCRA') and the Data Protection Office (newly established by the 2021 Legislation) have not issued any guidance.
2. Definitions
Data controller: Any person in the QFC who alone, or jointly with others, determines the purposes and means of the processing of personal data (Article 26 of the 2005 Regulations).
Data processor: Any person who processes personal data on behalf of a data controller (Article 26 of the 2005 Regulations).
3. Notification
The data controller must notify the QFCRA of any processing operations undertaken, with the exception of the cases where a permit is issued by the QFCRA in relation to (Rule 4.2.1 of the 2005 Rules):
- the processing of sensitive personal data (see section 4 below); or
- data transfers to a recipient outside the QFC who is not subject to laws that ensure an adequate level of protection (see also Rule 3 of the Rules).
The notification must be provided to the QFCRA (Rule 4.2.3 of the 2005 Rules):
- immediately upon commencing of the personal data processing;
- on an annual basis where the personal data processing is to continue in the subsequent year (within four months of the controller's financial year-end); and
- immediately upon any personal data being processed in a manner that is different from the one described in the initial notification.
The notification must contain the following information (Rule 4.2.2 of the 2005 Rules):
- the name of the data controller;
- the address of the data controller;
- the name, address, telephone number, fax number, and email address of the person within the data controller responsible for making the application for the permit;
- the reason for which the notification is being provided;
- a general description of the personal data processing being carried out;
- an explanation of the purpose of the personal data processing;
- the data subjects or class of data subjects whose personal data is being processed;
- a description of the class of personal data being processed; and
- a statement of the jurisdictions to which personal data will be transferred by the data controller, along with an indication as to whether the particular jurisdiction has been assessed as having an adequate level of protection for the purposes of Articles 9 and 10 of the 2005 Regulations.
Notably, the 2021 Rules repealing the 2005 Rules by 21 May 2022, do not specify a notification requirement for controllers.
4. Other Requirements
Processing of sensitive personal data
Article 8(1) of the 2005 Regulations provides for the only cases where the processing of sensitive personal data may be carried out by the controller. However, the prohibition under Article 8(1) of the 2005 Regulations does not apply if a permit has been obtained to process sensitive personal data from the QFCRA (Article 8(2)(A) of the 2005 Regulations).
A controller which seeks a permit from the QFCRA to process sensitive personal data pursuant to Article 8(2) of the Regulations must apply in writing to the QFCRA setting out the following (Rule 2.1.1 of the 2005 Rules):
- the name of the data controller;
- the address of the data controller;
- the name, address telephone number and email address of the person within the data controller responsible for making the application for the permit;
- a description of the processing of sensitive personal data for which the permit is being sought, including a description of the nature of the sensitive personal data involved;
- the purpose of the processing of personal data;
- the identity of the data subjects to whom the relevant sensitive personal data relates, or in the event of classes of data subjects being affected, a description of the class of data subjects;
- the identity of any person to whom the data controller intends disclosing the sensitive personal data;
- to which jurisdictions, if known, such sensitive personal data must be transferred outside of the QFC; and
- a description of the safeguards put into place by the data controller, to ensure the security of the sensitive personal data.
Furthermore, the data controller must provide the QFCRA with such further information as may be required by the QFCRA in order to determine whether to grant a permit in accordance with Article 8(2) of the 2005 Regulations (Rule 2.1.2 of the 2005 Rules).
In this regard, an appeal against a decision of the QFCRA to refuse to issue a permit to process sensitive personal data may be made to the Tribunal (as defined by Article 26 of the Regulations) (Article 8(3) of the 2005 Regulations).
Notably, the 2021 Rules maintain the requirement to seek a permit from the newly established Data Protection Office in Rule 2.
5. Exemptions
The data controller does not need to notify the QFCRA of the processing operations where it has obtained a permit for the relevant processing operation from the QFCRA (Rule 4.2.1 of the 2005 Rules) (see sections 3 and 4 above).
6. Penalties
If the QFCRA believes that a data controller has contravened or is contravening the Regulations or the Rules, it may issue a direction to the data controller requiring him/her to do either or both of the following (Article 22(1) of the 2005 Regulations):
- to do or refrain from doing any act or thing within such time as may be specified in the direction; or
- to refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction.
7. How To
The QFCRA has provided the following forms:
- Form Q10: notification of personal data operations; and
- Form Q08: application for a permit to process sensitive personal data.
Forms may be submitted to the QFCRA via email to [email protected] or as a hard copy to Reception on Floor 20, QFCA Tower 1, Diplomatic Area, PO Box 23245, Doha, Qatar.
Authored by OneTrust DataGuidance
DataGuidance's Privacy Analysts carry out research regarding global privacy
developments, and liaise with a network of lawyers, authorities and professionals to gain
insight into current trends. The Analyst Team work closely with clients to direct their
research for the production of topic-specific Charts.