
Qatar: An overview of the developments on the QFC Data Protection Regulations and Rules

The Qatar Financial Centre (QFC), an independent regulatory jurisdiction, has progressively strengthened its personal data protection regime as its finance and technology sectors have developed. The initial regulations, enacted in 2005, were relatively broad in scope; they were refined by the 2021 amendments, which came into force on June 19, 2022 (New DPR).

The amendments in the New DPR aim to align the QFC Data Protection Regulations (the 2021 Regulations) with the standards of the EU General Data Protection Regulation (GDPR), which obliges businesses operating from the QFC to be more diligent in their data compliance practices. The New DPR also provides for proper monitoring and regulation of QFC firms in the context of data protection. Dorina Drowniak, from Dentons, reviews the most recent amendments to the 2021 Regulations and how firms can ensure they stay compliant.


Under the New DPR, the key terms are defined as follows: 

  • personal data: any information relating to a data subject; 
  • processing: any operation or set of operations that is performed (whether or not by automatic means) on personal data or on sets of personal data, and includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, and destroying the personal data;
  • data subject: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject;
  • data controller: an individual or entity that determines the purposes and means of the processing of personal data; 
  • data processor: an individual or entity that undertakes the processing of personal data on behalf of a data controller;
  • personal data breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed;
  • sensitive personal data: personal data revealing or relating to race or ethnicity, political affiliation or opinions, religious or philosophical beliefs, trade union or organizational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual; and
  • recipient: any natural or legal person, public authority, agency, or other body, whether a third party or not, to whom personal data, including sensitive personal data, is disclosed. 

The New DPR principles 

The New DPR introduced six principles for the processing of personal data, which closely mirror those of the GDPR. These principles are as follows: 

  • Principle 1: Lawfulness, fairness, and transparency - Personal data of a data subject must be processed lawfully, fairly, and transparently. 
  • Principle 2: Specific purpose - Personal data must be processed only for specific, explicit, and legitimate purposes and only in accordance with the relevant data subject's rights set out in the New DPR. A data processor must not further process personal data in a way that is incompatible with those purposes or those rights.  
  • Principle 3: Data minimization - Personal data that is processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.  
  • Principle 4: Accuracy - Personal data may be processed only if the data is accurate and up to date. Reasonable efforts must be made to ensure that personal data that is inaccurate is erased or corrected without undue delay, taking into account the purposes for which the data was processed.  
  • Principle 5: Storage limitation - Personal data must be kept in a form that permits data subjects to be identified, but only for as long as is necessary for the purposes for which the data was processed. 
  • Principle 6: Integrity and confidentiality of processing - Personal data must be processed in a way that ensures that the data is appropriately secure, using appropriate technical and organizational measures. In particular, the data must be protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage. 

The QFC emphasizes the principle of obtaining clear and informed consent for data processing activities. Entities within the QFC are required to be transparent about the purposes for which data is collected and processed, so that individuals have a clear understanding of how their information will be used. In addition, to mitigate risk and enhance privacy, the QFC encourages entities to collect only the personal data necessary to achieve the intended purpose.

Further, the QFC mandates robust security measures to protect personal data from unauthorized access, disclosure, and alteration. Entities within the QFC are required to implement technical and organizational measures to ensure the confidentiality and integrity of the information they handle. The QFC also empowers individuals by granting them rights over their personal data: the rights of access, rectification, erasure, restriction of processing, objection, and data portability, and the right not to be subject to a decision based on automated processing or profiling. Together, these rights give data subjects transparency and control over the handling of their personal data. 

The role of data controllers 

Data controllers must implement appropriate and effective technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the New DPR. Such measures must be reviewed and updated where necessary. Data controllers must implement the data protection principles introduced by the New DPR and protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing.

Data controllers must implement appropriate measures to ensure that, by default, only personal data that is necessary for each specific purpose is processed. Such measures should, by default, ensure that the personal data is not made accessible to an indefinite number of recipients, but only to individuals who, by virtue of their role, function, or task, need to process the personal data in question. If personal data is to be processed on behalf of a data controller, the data controller must engage only a data processor that can provide sufficient guarantees that it will implement the technical and organizational measures needed to comply with the New DPR and to protect data subjects' rights. 

Cross-border data transfers 

In line with international data protection standards, the QFC has implemented specific provisions governing cross-border data transfers. QFC entities must ensure that transfers of personal data outside the QFC jurisdiction comply with the established safeguards, so that a high level of protection is maintained for the personal data being processed. The appropriate safeguards may be provided by:  

  • a legally binding and enforceable arrangement between public authorities or bodies;  
  • a legally binding and enforceable agreement between the parties that includes standard data protection clauses adopted by the Data Protection Office; 
  • a documented assessment by the data controller of the circumstances surrounding the transfer, on the basis of which the data controller has provided suitable safeguards for the protection of the personal data; or  
  • a permit for the transfer obtained from the Data Protection Office, with the data controller applying adequate safeguards for the protection of the personal data. 

QFC SCCs 

The issuance of the QFC Standard Contractual Clauses (SCCs) is a significant step in enhancing data protection within the jurisdiction. The clauses are a standardized instrument for transferring personal data from QFC entities to recipients outside the QFC jurisdiction while keeping those transfers within strict privacy and security requirements. The SCCs set out appropriate safeguards, including enforceable data subject rights and effective remedies, pursuant to Articles 24(1) and 24(2) of the New DPR, for several transfer scenarios. They consist of four modules:  

  • controller-to-controller transfers;  
  • controller-to-processor transfers;  
  • processor-to-processor transfers; and  
  • processor-to-controller transfers.  

The module to be used is selected once the basis on which the personal data is being transferred has been established.

Using the SCCs in accordance with Article 28(3) of the New DPR and Section 7 of the QFC Data Protection Rules (the 2021 Rules), without modification other than inserting the module that applies to the transfer, satisfies the adequate-safeguards requirement of the New DPR and the 2021 Rules. Any other change to the clauses takes the transfer outside that presumption of compliance. 

Compliance 

The New DPR also established a Data Protection Office and the position of Data Protection Commissioner, dedicated to monitoring QFC firms' compliance with the New DPR. The Commissioner, who determines the procedures and overall management of this independent QFC institution, has wide investigative powers where QFC firms fail to comply with the New DPR.

The Data Protection Office regularly issues guidance notes and provides training and practical tools on the New DPR, which QFC firms can obtain from the Data Protection Office. The Data Protection Office is also responsible for maintaining and updating the list of jurisdictions designated as providing an adequate level of protection. It may base an adequacy decision on adequacy decisions made by other competent data protection authorities, provided those decisions took the same factors into account, and it must publish details of such decisions. 

In conclusion, the QFC's 2021 Regulations and 2021 Rules reflect a commitment to a secure and transparent business environment. By aligning with international best practice, the QFC both strengthens its position as a global financial hub and protects individuals' privacy in an increasingly data-driven world. 

Dorina Drowniak Paralegal 
[email protected]  
Dentons, Doha