
Data Privacy Regulations in Qatar 

Qatar was the first Gulf country to pass a national data privacy law, paving the way for the other Gulf countries to follow suit. In 2016, Qatar enacted Law No. 13 of 2016 Concerning Personal Data Privacy Protection (the “PDPPL”). The PDPPL establishes a baseline of personal data protection, grants rights to data subjects, and prescribes rules for organizations that process personal data within Qatar.

Furthermore, on January 31, 2021, the Ministry of Transport and Communications (the “MOTC”) released a new set of 14 guidelines on the PDPPL for regulated organizations, together with guidelines for data subjects. The law applies to all personal data that is processed electronically, or that is collected or otherwise intended for such processing, within the country, with the exception of the Qatar Financial Centre (QFC) free zone, which has its own data protection regime.

The PDPPL defines obligations for data controllers covering, among other things, the processing of sensitive personal data, privacy notices to data subjects, breach notification, data subject rights, and cross-border transfers. However, when the law was first enacted in 2016, it gave little detail on how organizations were expected to comply with it. To address that shortcoming, the National Cyber Governance and Assurance Affairs (NCGAA) of the MOTC issued the guidelines to help organizations meet their obligations under the PDPPL.

Who Needs to Comply with Qatar’s PDPPL 

Almost every data privacy and protection law defines which organizations or entities are subject to it, its territorial scope, and the type of personal data it applies to.

The Qatar PDPPL applies to all personal data that is gathered, obtained, or extracted electronically, including data obtained through a combination of traditional (manual) and electronic processing means.

Exceptions 

However, certain categories of personal data are exempt from the law. The PDPPL does not apply to personal data that is processed for statistical purposes, such as personal data used for the census. Furthermore, the PDPPL does not apply to personal data processed in a private or family setting.

Obligations for Organizations Under Qatar’s PDPPL 

General Data Processing Requirements

Qatar’s PDPPL requires the controller to meet the following requirements when processing personal data or sensitive personal data:

  • The personal data must be processed in a legitimate and honest manner.
  • The controller should build privacy protection into the controls, system designs, and services used to process personal data.
  • The controller should apply the technical, financial, and administrative measures for protecting the data that are set forth by the regulatory authorities.
  • The controller shall not keep any personal data for longer than is necessary for the purpose for which it was collected.
  • The controller must inform the individual of the following information before processing their data:

Data Protection Impact Assessment (DPIA)  

The need to perform a data protection impact assessment (DPIA) is only hinted at in the official text of the Qatar PDPPL, under Article 11, paragraph 1, and Article 13. For instance, the text states that the controller shall review “privacy protection measures before proceeding with new processing operations.” Building on this text, the PDPPL Guidelines recommend that controllers conduct an impact assessment to identify any risks associated with the processing of personal data, and in particular whether the processing may harm the personal data or privacy of any individual. Failing to carry out a DPIA where one is required can expose an organization to a fine of QAR 1,000,000 (approximately USD 275,000).

Rights of Individuals 

The PDPPL grants a set of rights to individuals whose personal data is subject to processing, including:

  • Right to Withdraw Consent: An individual has the right to withdraw previously given consent to further processing.
  • Right to Object to Processing: An individual has the right to object to the processing of their personal data if the processing is not necessary or if the data was collected through illegal or unfair means.
  • Right to Erasure: An individual has the right to request the erasure or deletion of their data if the processing is not necessary, the data was collected through unfair means, or the purpose of the processing has ceased to exist.
  • Right to Correction: An individual has the right to request correction of their personal data by submitting a verified and accurate request.
  • Right to Access: An individual has the right to request access to the personal data that has been collected about them.

Important Exemptions  

The legislation allows the Competent Authority to process certain personal data without abiding by some provisions of the law where the processing serves the protection of international relations, national security, or economic and financial interests. In such cases, the Competent Authority must keep a separate record of that processing. Similarly, a data controller is exempt from certain provisions in the following cases:

  • Performing a task related to the public interest;
  • Implementing a legal obligation or an order rendered by a competent court;
  • Protecting the vital interests of the individual;
  • Processing personal data for scientific research purposes;
  • Processing information necessary for the investigation of a criminal offence, upon an official request from the investigative bodies.

Breach Notification Requirements  

The PDPPL requires a controller to notify the Competent Authority, and the affected individuals, of a breach that is likely to cause serious harm to their personal data or privacy. The PDPPL Guidelines add a 72-hour deadline within which that notification must be made once the breach is detected. Apart from the deadline, the Guidelines also describe processing activities that are more likely to lead to “serious harm” to an individual’s privacy, such as:

  • Processing of sensitive data.
  • Automated decision-making.
  • Collection of personal data via third parties.
  • Direct marketing.
  • Processing of employees’ data.
  • Cross-border transfers.

Penalties for Non-Compliance  

Financial and criminal penalties for violations and non-compliance are common components of data protection and privacy laws. The Qatar PDPPL, however, imposes only financial penalties for violations and non-compliance; it does not provide for criminal penalties such as imprisonment. The fines range from QAR 1,000,000 to QAR 5,000,000, depending on which Article has been violated.
