QFC: Proposed changes to QFC's 2005 Data Protection Regulations and Rules
The Qatar Financial Centre ('QFC') is a global business and financial centre with an independent legal and regulatory infrastructure. It was established by the Qatar Financial Centre Law (Law No. (7) of 2005) ('the QFC Law'), which also gave the QFC Authority ('QFCA') the power to make the Data Protection Regulations and the Rules that govern data protection law in the QFC today. About 16 years after the introduction of the QFC's 2005 Data Protection Regulations ('the Regulations') and 2005 Data Protection Rules ('the Rules'), the QFCA has reviewed both in light of global developments in data protection law and has proposed changes to each. On 18 August 2021, the QFCA launched a public consultation on the proposed changes, which closed on 16 September 2021. The QFCA noted that it may adopt the changes outlined in the consultation paper in whole or in part, or may amend them in light of the comments received. Notably, the results of the consultation and the final draft of the changes have not yet been released. This Insight summarises the proposed changes introduced by the QFCA review and outlines the new provisions that organisations may have to consider if the proposed changes are adopted.
Proposed changes to the Regulations – what's new?
The proposed changes to the Regulations aim to clarify some of the existing provisions of the 2005 Regulations and introduce new provisions in line with global developments in data protection law.
The changes fall into several categories: the general application of the Regulations, their scope, the principles of processing, data subject rights, and security and accountability measures.
General application
A new article, Article 5 of the Regulations, expressly states that the purposes of the Regulations are as follows:
- to protect the rights and legitimate interests of individuals in relation to their personal data; and
- to set out principles and rules about protecting and processing personal data.
Moreover, another new article, Article 32 of the Regulations, notes the establishment of an independent body, the Data Protection Office ('the Office') and the Data Protection Commissioner ('the Commissioner'). More specifically, the Office will be managed by the Commissioner, and will have the responsibility of administering the Regulations and all aspects of data protection within the QFC (Article 32(2) and (3) of the Regulations).
Notably, the newly introduced Article 37 of the Regulations empowers the Data Protection Office to impose financial penalties for breaches of the Regulations.
Scope
The newly introduced Article 6 of the Regulations limits the applicability of the Regulations to living natural persons, and excludes personal data processed for purely personal or household activities from the scope of the Regulations.
Furthermore, changes to Article 7 of the Regulations limit its scope to controllers and/or processors operating in the jurisdiction of the QFC, regardless of whether processing of personal data takes place in the QFC.
Principles of processing personal data
The QFCA has added Article 8 of the Regulations, which sets out the principles governing the processing of personal data. Notably, the following principles have been included:
- lawfulness, fairness, and transparency;
- specific purpose;
- data minimisation;
- accuracy;
- storage limitation; and
- integrity and confidentiality of processing.
Furthermore, Article 9 of the Regulations has been newly introduced and notes data controllers' obligation to demonstrate compliance with the principles outlined in Article 8.
Notably, Article 11 of the Regulations has also been added to clarify how consent can be used as a legal basis for processing personal data pursuant to the lawful bases provided in Article 10 of the same. In particular, Article 11(1) highlights the following conditions in relation to obtaining effective consent from a data subject:
- it must be freely given;
- it must be a specific, informed, and unambiguous indication by the data subject that they agree to the processing of their personal data; and
- if it was given in a document that also concerns other matters:
- the consent must be clearly distinguishable from the other matters;
- the consent form must be intelligible and easily accessible; and
- the consent form must use clear, unambiguous, and plain language.
Additionally, Article 11 further notes the following in relation to relying on consent as a legal basis for processing:
- data subjects must be able to withdraw their consent as easily as it is given, at any time and in any form, and must be informed of this right before giving their consent;
- withdrawal of consent does not render unlawful any processing based on consent before it was withdrawn; and
- when considering whether consent had been freely given, consideration must be given to whether the performance of a contract was conditional on consent being given to processing personal data that is not necessary for the performance of the contract.
The proposed changes to the Regulations also introduce new transparency obligations in Article 13. Particularly, Article 13(1) notes that in relation to the duty to inform data subjects under Articles 14 and 15 of the Regulations and any communication under Articles 16 to 22 regarding data subject rights, data controllers must give information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
Furthermore, Article 13(2) notes that any communication made must be given in writing, or by other means, including where appropriate, by electronic means.
Further details in relation to controllers' responses to data subject requests, timeframes, and identity verification of data subjects are provided in Articles 13(3) to (6) of the Regulations.
Lastly, Article 25 of the Regulations is another new article that requires controllers to implement appropriate technical and organisational measures, which must be reviewed and kept up to date, to ensure, and to enable controllers to demonstrate, that their processing activities are carried out in accordance with the Regulations.
Data subject rights
The proposed changes have expanded on some of the existing data subject rights and have added articles to cater to new data subject rights in the Regulations.
Article 17 of the Regulations expands on data subjects' right to rectify inaccurate data and provides that a data subject has the right to have a data controller complete personal data that is incomplete (Article 17(2) of the Regulations).
Similarly, Article 20 of the Regulations expands on data subjects' right to restriction of processing. In this regard, Article 20(1) states that this right is available to data subjects when:
- the data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of that data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests its restriction instead;
- the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires the data for the establishment, exercise, or defence of legal claims; or
- the data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject.
Furthermore, Article 20(2) of the Regulations notes that, with the exception of storage, where processing has been restricted, data can only be processed:
- with the data subject's consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person; or
- for reasons of public interest.
Additionally, the proposed changes to the Regulations introduce new data subject rights, including:
- the right to data portability in Article 21;
- the right not to be subject to automated decision-making in Article 22; and
- the right to effective judicial remedy enforceable against controllers and processors in Article 35.
Data Protection by Design and by Default
Article 26(1) of the Regulations introduces an obligation on data controllers, both at the time of determining the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures to:
- integrate the necessary safeguards into the processing to meet the requirements of the Regulations;
- implement the data protection principles in Article 8; and
- protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; and all other unlawful forms of processing.
Moreover, Article 26(2) of the Regulations highlights that the data controller must implement technical and security measures to ensure that, by default, only personal data that is necessary for each specific purpose is processed, noting that these must ensure that personal data:
- is not made accessible to an indefinite number of recipients; or
- is made accessible only to individuals who need to process the personal data for their role, functions, or tasks.
Data Protection Impact Assessment
Another newly introduced article is Article 27 of the Regulations, which requires data controllers to undertake a Data Protection Impact Assessment ('DPIA'). In particular, Article 27(1) provides that a data controller must undertake a DPIA where processing is likely to result in a high risk to the rights and legitimate interests of data subjects. The DPIA requires the data controller to assess the impact that the envisaged processing has on the protection of personal data. Notably, the assessment must contain, as a minimum, the information set out in the amended Rules.
Article 27(2) notes that DPIAs are required where:
- there is automated processing, including profiling, which leads to decisions that significantly affect the data subject;
- processing of sensitive personal data is on a large scale; or
- there is systematic monitoring of a publicly accessible area on a large scale.
In this regard, Article 27(5) provides that, where necessary, data controllers must review their processing activities to assess whether they are performed in accordance with the DPIA, and in particular must do so when there is a change in the risk represented by the processing operations.
Data processors
Article 28(1) of the Regulations provides that in engaging data processors to process personal data on their behalf, data controllers must only engage data processors that provide sufficient guarantees:
- to implement technical and organisational measures to comply with the Regulations; and
- to ensure that data subjects' rights are protected.
Notably, as per Article 28(3), a written contract between the data controller and the data processor must be in place and it should set out, at a minimum, the information contained in the Rules.
Moreover, the data processor must immediately inform the data controller if, in their opinion, an instruction contravenes the Regulations or any other applicable legal requirement, and/or if it is obliged by law to process personal data otherwise than on the written instructions of the data controller (Articles 28(5) and (6) of the Regulations). Additionally, Article 31(7) provides that data processors must notify the data controller without undue delay after becoming aware of a personal data breach.
Further details relating to data processors' obligations are provided in Articles 28(4) and (7) to (9) of the Regulations, including obligations attached to engaging subprocessors.
Breach notification
Data controllers are required to notify a personal data breach to the Data Protection Office ('the Office') without undue delay and, where feasible, not later than 72 hours after having become aware of it, where the controller has determined that the personal data breach is likely to result in a risk to the rights and legitimate interests of data subjects (Article 31(1) and (2) of the Regulations). In this regard, Article 31(3) of the Regulations notes that such a notification should include, at a minimum, the information set out in the Rules.
Moreover, Article 31(5) notes that the data controller must document any personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, to enable the Office to verify compliance with Article 31.
Article 31(6) further highlights the data controller's obligation to consider notifying personal data breaches to affected data subjects, taking into account the risk to their rights and legitimate interests. Where such a notification is made it should contain at least:
- the nature of the breach;
- the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the data controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Proposed changes to the 2005 Data Protection Rules – what's new?
The changes to the Rules are substantive in nature and correspond to, and supplement, some of the changes introduced in the Regulations.
Transparency
The newly introduced Article 3 of the Rules highlights the information to be provided to data subjects pursuant to Articles 14 and 15 of the Regulations. In particular, the data controller must provide:
- the name and contact details of the data controller;
- the purposes of the intended processing and the legal basis for that processing, as set out in Article 10 of the Regulations;
- whether the data subject is obliged to provide the personal data and the possible consequences of failing to do so;
- the categories of personal data concerned;
- if the data are to be, or may be, disclosed to one or more other individuals or entities, their names or a description of their categories;
- if the data controller intends to transfer the data to another jurisdiction, a statement of that fact, setting out a description of the applicable safeguards put into place and, if applicable, how and where to obtain a copy;
- if the processing is based on the legitimate interests of the data controller or another person to whom the data are disclosed, or on compliance with an obligation imposed on the data controller by law, a clear statement of what those legitimate interests or compliance obligations are;
- the period for which the data will be retained, or how to determine that period;
- that the data subject has the right to:
- ask the data controller to give access to the data;
- rectify the data;
- erase the data;
- restrict the processing of the data;
- object to the processing of the data; and
- data portability;
- whether automated decision-making will be used, and if so:
- meaningful information about the logic applied; and
- the significance, and the likely consequences, of the automated decision-making for the data subject;
- if the processing is based on consent, that the data subject has the right to withdraw that consent at any time, but that withdrawing the consent does not affect the lawfulness of processing based on consent before the withdrawal; and
- that under Article 34 of the Regulations, the data subject has the right to lodge a complaint with the Office if the data subject considers that the processing of personal data relating to them infringes the Regulations.
Data subject rights
In relation to data subject requests, Article 4 of the Rules has been introduced and provides that for the purposes of Article 16 of the Regulations, a data subject has the right to obtain from the data controller a statement including the following information (Article 4(1) of the Rules):
- the legal basis and purposes of the processing;
- the categories of personal data concerned;
- the recipients, or categories of recipient, to which the personal data have been or will be disclosed;
- the period for which the data controller intends to retain the personal data, or the criteria used to determine that period;
- a statement of the data subject's rights to:
- rectify the data;
- erase the data;
- restrict the processing of the data;
- object to the processing of the data; and
- data portability;
- a statement of the data subject's right under Article 34 of the Regulations to lodge a complaint with the Office if they consider that the processing of personal data relating to them infringes the Regulations;
- if the personal data were collected otherwise than from the data subject, any available information about their source; and
- whether automated decision-making will be used, and if so:
- meaningful information about the logic applied; and
- the significance, and the likely consequences of the automated decision-making for the data subject.
Moreover, Article 4(2) notes that a data controller must communicate any action carried out in accordance with Articles 17 and 18 of the Regulations to each recipient to whom the personal data has been disclosed, unless it is impossible or would involve disproportionate effort.
DPIAs
Corresponding to the newly introduced requirement for data controllers to undertake DPIAs in Article 27 of the Regulations, Article 6 of the Rules details what should be included in a DPIA and notes that it must contain at least the following:
- a systematic description of the envisaged processing operations and the purposes of the processing, including:
- identification and consideration of the lawful basis for the processing;
- if the processing is necessary for the purposes of the legitimate interests of the data controller or another person in accordance with Article 10(6) of the Regulations, the reasoning according to which the data controller believes that the rights or legitimate interests of the data subject do not override its interests or those of the other person; and
- if processing is based on consent:
- validation that consents will be or have been validly obtained;
- the impact of the withdrawal of consent to that processing; and
- how the data controller will ensure that it can comply with any exercise by the data subject of their right to withdraw consent;
- an assessment as to how the processing operations are adequate, relevant, and limited to what is necessary in relation to the purposes for which the personal data are processed;
- an assessment of the risks to the rights and legitimate interests of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with the Regulations.
Contracts between controllers and processors
Corresponding to Article 28 of the Regulations, Article 7 of the Rules outlines that a contract between a data controller and a data processor must set out that the latter:
- may process the personal data, or transfer it outside the QFC, only as instructed in writing by the data controller, or if required by law to do so;
- must ensure that persons authorised to process the data have undertaken to maintain its confidentiality or are under an appropriate statutory obligation of confidentiality;
- must take all the measures required by Article 29 of the Regulations;
- must comply with the conditions referred to in Article 28(2) and (6) of the Regulations for engaging another data processor;
- taking into account the nature of the processing, must assist the data controller to fulfil its obligation to respond to requests by data subjects to exercise their rights, by implementing appropriate technical and organisational measures;
- must assist the data controller to comply with its obligations under Articles 27, 29, and 31 of the Regulations, taking into account the nature of the processing and the information available to it;
- after completing the services relating to processing, must delete all the personal data or return it to the data controller (at the data controller's choice), and must delete any copy unless an applicable law requires it to be retained;
- must make available to the data controller all information necessary to show that it has complied with the obligations laid down in the Regulations; and
- must allow for, and assist with, audits and inspections by the data controller or an auditor appointed by it.
Lodging complaints
Article 10 of the Rules outlines a new provision on lodging complaints with the Office established by Article 32 of the Regulations. In particular, Article 10 provides that a data subject (the complainant) who makes a complaint to the Office must give the following information in the complaint:
- the complainant's full name and address;
- the full name and address of the data controller whom the complainant believes has contravened the Regulations;
- a detailed statement of facts that the complainant believes gives rise to the relevant contravention of the Regulations;
- a statement of the relief that the complainant seeks; and
- a declaration that they have provided the Office with accurate information and that they understand that any information provided will be processed by the Office in accordance with Article 34 of the Regulations.
Alice Muasher, Privacy Analyst