Qatar’s PDPPL: Pioneering Data Privacy in the Gulf Region 

Article by Tsaaro

Introduction  

As one of the first Gulf countries to pass a national data privacy law, Qatar became a pioneer in its pursuit of data privacy protection. Qatar enacted Law No. 13 concerning Personal Data Privacy Protection (the “PDPPL”) in 2016. This legislation lays the groundwork and sets standards for personal data protection. Its scope extends to all personal data that is electronically processed, or subject to processing, within the territory of Qatar. An exception to its application is the Financial Center Free Zone in Qatar. The Ministry of Transport and Communications (“MOTC”) released a new set of guidelines in January 2021. These guidelines, 14 in number, were addressed to regulated organizations and also included guidelines for data subjects. Further, in September 2022, the National Cyber Security Agency issued Guidelines for Regulated Entities in consonance with the Principles of Data Privacy.

Principles underlying the Law 

The PDPPL sets out a number of principles for the processing of personal data. These principles lie at the heart of controllers’ approach to processing personal data. These are: 

  1. Transparency, honesty and respect for human dignity;
  2. Data minimisation;
  3. Accuracy;
  4. Storage limitation;
  5. Integrity and confidentiality;
  6. Purpose limitation;
  7. Accountability.

Scope of the Law

The PDPPL governs all personal data gathered, obtained, or extracted electronically. This includes data obtained through a combination of electronic and traditional data processing. There are some exceptions to this rule. Personal data that is used for statistical data falls outside the scope. The law also does not apply to personal data that is processed in private or family settings.

While there is nothing in the law to indicate its territorial application, it is reasonable to assume that the law is applicable to the processing of personal data within the political boundaries of Qatar.  

Obligations under the Law

  1. General requirements

The obligations are contained in the 31 articles of the law, and allied provisions must be read in conjunction to understand the application.  

When the controller processes personal or sensitive personal data, she must fulfil certain requirements. First, the data must be processed in an honest and legitimate manner. Second, the controller must consider controls, designs, and other services. Third, the controller is obligated to ensure that the administrative, financial, and technical measures to protect the data are fulfilled. Lastly, data must only be kept with the processor for as long as necessary.  

Further, before the personal data is processed, the legislation requires the controller to convey certain information to the individual. This includes a comprehensive description of the processing activities and the level of disclosure, the lawful purpose for processing the personal data, and details of the controller or any associated third parties.

  2. Consent requirements

Article 4 of the PDPPL outlines clear consent requirements. While the data controller is obligated to obtain consent, this requirement can be done away with if the processing of the data is to be carried out for lawful purposes.  

When the individual is a minor, data controllers are required to obtain explicit consent from the guardian of the minor individual. Upon request, the controllers must also provide the guardian with a description of the type of personal data processed.  

  3. Data Protection Impact Assessment (DPIA)

The PDPPL guidelines recommend that data controllers (but not all controllers) conduct an impact assessment to identify risks and harms that may be caused to individuals. Organizations that fail to carry out a DPIA can be fined as high as QAR 1,000,000 (USD 2,000,000 approx). If a DPIA is not carried out, the controller is obliged to record the reasons for not doing so.

  4. Cross-Border Data Transfer Requirements

Article 15 of the legislation restricts the data controller from carrying out any cross-border data transfer activities, which can potentially limit international flow. This is unlike most other privacy laws. However, if the cross-border data transfer is in violation of the provisions of PDPPL, the controller is empowered to take measures. Further, the controller can also take measures if the processing of such data has the potential to cause serious harm to the individual whose data is being processed.  

  5. Personal Data Management Systems (PDMS)

The PDPPL guidelines provide comprehensive details regarding added information that the PDMS should include. First, various measures for personal data protection must be strictly implemented. Second, the processes for consent management, DSR fulfilment, and breach notification must be streamlined. Third, there must be accountability for compliance.

  6. Right of the individuals

A set of varied rights is guaranteed to an individual under the PDPPL. These are:

     1. Right to withdraw consent
     2. Right to object to the processing of personal data
     3. Right to omit or erase personal data
     4. Right to correction
     5. Right to access

  7. Important exemptions

Competent authorities have been given some leeway to process personal data without having to abide by certain provisions if the processing is in the larger interest of protecting financial or economic interests, national security, or international relations. In such cases, the competent authority must create a separate record. The data controller is also exempt in the following cases: 

     1. Performing a task related to the public interest
     2. Implementing a legal obligation or an order rendered by a competent court
     3. Protecting the vital interest of the individual
     4. Processing the personal data for scientific research purposes
     5. Processing information necessary for an investigation into criminal defence through an official request of investigative bodies

  8. Breach notification requirements

The data processor is obligated to notify the controller of any breach if the breach may “cause serious damage” to personal data or an individual’s privacy. The controller must also inform the impacted individual and the NCGAA. The PDPPL guidelines place a 72-hour window within which this notification is to be made. According to the guidelines, serious damage can be said to have occurred when circumstances include:

     1. Processing sensitive data
     2. Performing automated decision-making
     3. Collection of personal data via third parties
     4. Direct marketing
     5. Processing of employees’ data
     6. Cross-border transfer

  9. Penalties

Qatar data protection law imposes severe financial penalties for legislative violations and non-compliance, but it does not impose criminal liability. Depending on the nature of the violation, the penalties range from QAR 1,000,000 (USD 200,000 approx) to QAR 5,000,000 (USD 1,000,000 approx).  

  10. Special Nature Processing Permission

The request to receive special nature processing is submitted via a form. By submitting the form, the organization agrees to use the data only for the stated purposes and confirms the accuracy of the provided information. Failure to comply or misuse of data could lead to significant repercussions, including legal actions or reputational damage. The declaration requires the organization to seek additional permissions if data processing needs change. This highlights the critical need for adherence to data protection regulations under the PDPPL, ensuring transparent and responsible handling of special nature data. 

  11. Regulating Authority

National Cyber Governance and Assurance Affairs (NCGAA) is empowered by the National Cyber Security Agency (NCSA) to administer and enforce the PDPPL and to develop controls around its provisions.

Conclusion  

Qatar’s Personal Data Privacy Protection Law (PDPPL) marks a significant milestone as the Gulf region’s first national data privacy legislation. Enacted in 2016, it sets a high standard for personal data protection and establishes comprehensive guidelines for data processing, including specific provisions for consent, cross-border data transfers, and breach notifications. The PDPPL emphasizes transparency, requiring data controllers to provide detailed information about data processing activities and to conduct Data Protection Impact Assessments (DPIAs) where necessary. 

While the law does not impose criminal penalties, it enforces stringent financial penalties for non-compliance, ranging from QAR 1,000,000 (USD 200,000 approx) to QAR 5,000,000 (USD 1,000,000 approx). The law’s provisions, including its scope, obligations, and exemptions, reflect Qatar’s commitment to safeguarding personal data and ensuring responsible data management practices. Organizations must navigate these requirements carefully to avoid severe repercussions and maintain compliance. 

Overall, the PDPPL sets a robust framework for data privacy in Qatar, influencing other Gulf nations to enhance their data protection measures. Its implementation highlights Qatar’s role as a pioneer in data privacy, establishing a precedent for comprehensive data protection legislation in the region. 
