Qatar was the first Gulf country to pass a national data privacy law, paving the way for the other Gulf states to follow. In 2016, Qatar enacted Law No. 13 of 2016 Concerning Personal Data Privacy Protection (the “PDPPL”). The PDPPL establishes a baseline of personal data protection, grants data subject rights, and prescribes how organizations may process personal data within Qatar.
Furthermore, on 31 January 2021 the Ministry of Transport and Communications (the “MOTC”) released a set of fourteen guidelines on the PDPPL for regulated organizations, together with guidance for data subjects.
The PDPPL applies to all personal data that is processed electronically, or is intended to be processed electronically, within the territory of Qatar, with the exception of the Qatar Financial Centre free zone, which has its own data protection regime.
The PDPPL sets out obligations for data controllers around the processing of sensitive personal data, privacy notices to data subjects, breach notification, data subject rights, and cross-border transfers, among others. When the law was first enacted in 2016, however, it said little about how organizations were expected to comply. To close that gap, the National Cyber Governance and Assurance Affairs (NCGAA) issued a number of guidelines to help organizations meet their PDPPL obligations.
Let’s conduct a quick analysis of the key provisions that the Qatar PDPPL defines for data controllers and processors.
Competent Department: the competent administrative unit within the Ministry of Transport and Communications.
Competent Authority: any competent entity that regulates the acts or procedures covered by the PDPPL.
Individual (data subject): any natural person whose personal data is subject to processing.
Controller: an organization or person that determines the purpose of processing personal data and supervises how that processing is carried out.
Processor: any natural or legal person that processes personal data on behalf of, and on the instructions of, a controller.
Almost every data privacy and protection law defines which organizations or entities are subject to it, its territorial reach, and the types of personal data it covers.
The Qatar PDPPL applies to personal data that is gathered, obtained, or extracted electronically, including data obtained through a combination of traditional (manual) and electronic processing means.
There are, however, exemptions. The PDPPL does not apply to personal data processed for official statistical purposes, such as the census, nor to personal data processed in a purely private or family setting.
The PDPPL does not explicitly define its territorial scope. It is reasonable to assume that the law at least applies to the processing of personal data within the territory of Qatar.
The Qatar PDPPL contains 31 Articles covering the processing of personal data, its protection, international data transfer obligations, and consent requirements. Let’s look at some of the important obligations.
The PDPPL requires the controller to satisfy the following requirements when processing personal data or sensitive personal data:
The legislation requires the controller to inform the individual of the following before processing their personal data:
The PDPPL sets out clear consent requirements. Under Article 4, the controller must obtain the individual’s consent before processing their personal data. Consent is not required, however, where the processing is necessary to achieve a lawful purpose of the controller or of any third party to whom the data is sent.
Controllers must also obtain, electronically or by other appropriate means, the explicit consent of a child’s guardian before processing the child’s personal data. On request, and after verifying the guardian’s identity, the controller must provide a description of the types of personal data processed, the purpose of the processing, and a copy of the data gathered or processed about the child.
Individuals whose personal data is processed under the PDPPL have the right to withdraw their consent. The PDPPL Guidelines state that controllers must keep a record of how and when consent was obtained.
The need for a data protection impact assessment (DPIA) is only hinted at in the text of the PDPPL, in Article 11(1) and Article 13: the controller is required to review “privacy protection measures before proceeding with new processing operations.” Building on that text, the PDPPL Guidelines recommend (rather than require of every controller) an impact assessment to identify the risks of a processing activity and whether it may harm the personal data or privacy of any individual. An organization that fails to carry out a DPIA can be fined up to QAR 1,000,000 (approximately USD 275,000).
If a controller decides not to carry out a DPIA, it must record the reason. The DPIA is also one of the core components of a personal data management system under Article 11(5). Controllers are therefore advised to carry out a DPIA before starting any new processing activity and before making any significant change to an existing one.
The text of the PDPPL briefly requires the controller to maintain a “comprehensive and detailed” record of all processing activities and of any disclosure of personal data for a lawful purpose. Under the PDPPL, this record of processing activities (RoPA) sits alongside the other compliance requirements, such as cross-border transfer, consent management, privacy assessment, and sensitive data management. The PDPPL Guidelines issued by the NCGAA further require controllers to record their direct marketing activities in the RoPA as well.
Unusually among privacy laws, Article 15 of the PDPPL prohibits the controller from taking any measure that would limit cross-border data flows. The controller may, however, restrict a transfer where it would violate the provisions of the PDPPL, or where the processing of the data would cause serious harm to the personal data or to the individuals concerned.
Controllers may not send direct marketing communications to individuals unless the individual has given explicit and unambiguous consent. The law also specifies what an electronic direct marketing communication must contain: the controller’s identity and contact details, a clear statement that the message is sent for direct marketing purposes, and a valid, easily reachable address through which the individual can ask the sender to stop such communications or withdraw consent to receiving them.
Although the PDPPL requires controllers to verify that their processors comply with the law, the text does not explicitly require a contract. The PDPPL Guidelines add that obligation: controllers must sign a data processing contract with their processors that sets out the nature and purpose of the processing, its duration, the security measures to be applied, and the rights of individuals.
Controllers and processors must also take the precautions necessary to protect personal data against loss, damage, alteration, disclosure, and unlawful access or use. The processor must notify the controller of any breach of those precautions, or of any risk that threatens personal data in any way.
The PDPPL defines a separate category, personal data of a special nature, covering data relating to children, criminal offences, health, ethnic origin, religious beliefs, and marital relations. Such data may be processed only with the permission of the Competent Department.
The PDPPL requires controllers to set up an internal system to manage personal data, breach notification, and the fulfilment of individuals’ rights. The PDPPL Guidelines term this system a Personal Data Management System (PDMS); its core components include the RoPA and DPIAs.
The PDPPL Guidelines provide further detail on the additional information a PDMS should include, such as:
The PDPPL outlines a set of rights that the legislation provides to individuals whose personal data is subject to processing, such as:
Right to withdraw consent: an individual may withdraw prior consent to further processing.
Right to object: an individual may object to the processing of their personal data if the processing is not necessary, or if the data was collected through illegal or unfair means.
Right to erasure: an individual may request the erasure or deletion of their personal data if the processing is not necessary, the data was collected through unfair means, or the purpose of the processing no longer exists.
Right to rectification: an individual may request correction of their personal data through a verified and accurate request.
Right of access: an individual may request access to the personal data held about them. Controllers must inform the individual that their personal data is being processed and for what purpose. The individual also has the right to be notified of any disclosure of inaccurate personal data and to obtain a copy of their personal data on payment of a service fee.
The law allows the Competent Authority to process some personal data without complying with certain provisions of the law where the processing serves international relations, national security, or economic and financial interests. In such cases, the Competent Authority must keep a separate record of that processing. Similarly, a controller is exempted from certain provisions in the following cases:
Articles 13 and 14 set out the breach notification requirements under the PDPPL. Where a breach may “cause serious damage” to personal data or to an individual’s privacy, the processor must notify the controller, and the controller is then responsible for notifying the affected individuals and the NCGAA.
The main text of the PDPPL does not set a time window for breach notification. The PDPPL Guidelines, however, introduce a 72-hour deadline, running from the moment the breach is detected, within which the notification must be made. Beyond the deadline, the Guidelines also describe the circumstances that may lead to “serious harm” to an individual’s privacy, such as:
Financial and criminal penalties for violations and non-compliance are common in data protection and privacy laws. The Qatar law imposes financial penalties only; there are no criminal penalties such as imprisonment. Fines are capped at QAR 1,000,000 or QAR 5,000,000, depending on the Article that has been violated.
The National Cyber Governance and Assurance Affairs (NCGAA), operating under the National Cyber Security Agency (NCSA), administers and enforces the PDPPL and develops controls around its provisions.
Complying with data privacy and protection laws such as the Qatar PDPPL brings its own challenges. Data sprawl and unstructured data, for instance, cause organizations to lose sight of where personal data and sensitive personal data reside. Without that visibility, operationalizing individuals’ rights requests, consent management, or breach notification becomes difficult.
In our years of experience helping organizations streamline their business processes around data privacy laws, we have found the following best practices highly effective and efficient:
Securiti is the leader in data privacy management. Securiti enables organizations with its AI/ML automation to simplify and streamline privacy management, data governance, data protection, and compliance processes. By leveraging Securiti, you can bolster and speed up your DPIA assessments, sensitive data discovery, personal information linking to the data owner, breach notification, privacy notification, consent management, and RoPA requirements.
Request a demo to learn how Securiti can help you operationalize Qatar PDPPL for data protection and compliance.
Qatar enacted Law No. 13 of 2016 Concerning Personal Data Privacy Protection (PDPPL). It applies to all personal data obtained or extracted electronically, including data obtained through a combination of traditional and electronic processing.
The GDPR applies to organizations outside the European Union (EU) only if they process the personal data of individuals in the EU. Qatar’s own primary data protection law is the Personal Data Privacy Protection Law (PDPPL).
The PDPPL requires controllers to set up an internal system to manage personal data, breach notification, and the fulfilment of individuals’ rights.