Qatar is the first gulf country that has passed a national data privacy law and paved the way for all other gulf countries to follow suit. In 2016, Qatar enacted Law no. 13 Concerning Personal Data Protection (the “DPL”). The DPL establishes a certain degree of personal data protection, provides data subject rights, and prescribes the guidelines for organizations for the processing of personal data within Qatar.
Furthermore, on 31 January 2021, the Ministry of Transport and Communications (the “MOTC”) released a new set of guidelines (14 in number) on the DPL for regulated organizations as well as guidelines for data subjects.
The law was passed in 2016 as the Personal Data Protection Law (DPL), and it applies to all the personal data that is electronically processed or subject to process within the territory of Qatar, with the exception of the Financial Center Free Zone in Qatar.
The Personal Data Protection Law defines certain obligations for data controllers with regard to the processing of sensitive personal data, data subject privacy notification, breach notification, data subject rights, and cross-border transfer, to name a few. However, when the law was first enacted in 2016, it did not go into detail regarding how organizations must comply with it. To address that shortcoming, the Compliance and Data Protection (CDP) department at the Ministry of Transport and Communications (MoTC) issued regulatory guidelines, the DP Guidelines.
Let’s conduct a quick analysis of the key provisions that the Qatar DPL defines for data controllers and processors.
Competent Department: any competent administrative unit at the Ministry of Transport and Communications.
Competent Authority: any competent entity that regulates the acts or procedures as per the DPL.
Individual (data subject): any natural person whose data is subject to processing.
Controller: an organization that supervises the processing of personal data and determines the purpose of any such processing.
Processor: any natural person that processes personal data as per the suggestion or recommendation of a data controller.
Almost every data privacy and protection law defines certain obligations around organizations or entities that are subject to the law, the territorial limitations of the law, and the type of personal data that the law applies to.
The Qatar DPL applies to all personal data that is gathered, obtained, or extracted electronically, including data that is obtained through a combination of traditional and electronic data processing means.
However, there are certain exemptions to the type of personal data that is subject to the law. The DPL doesn’t apply to personal data that is used as statistical data, such as the personal data used for the census. Furthermore, the DPL may also not apply to the personal data that is processed in private or family settings.
The Qatar DPL doesn’t explicitly define the territorial scope of the law. However, it is reasonable to assume that the law at least applies to the processing of personal data within the territory of Qatar.
The Qatar DPL comprises 31 Articles and related provisions covering the processing of personal data, its protection, international data transfer obligations, and consent requirements. Let’s take a look at some important obligations.
Qatar’s DPL obligates the controller to consider the following requirements when processing personal data or sensitive personal data:
The legislation requires that the controller inform the individual of the following information before processing their personal data:
The Qatar DPL outlines clear consent requirements. Pursuant to Article 4 of DPL, the data controller is obligated to obtain consent from an individual before processing their personal data. However, the data controller may not be required to obtain consent if the processing is necessary to be carried out for lawful purposes for the data controller or any other recipient of the data.
Data controllers are further required to obtain, either electronically or through any other appropriate means, explicit consent from the guardian of the child whose Personal Data is processed. They should also provide a child's guardian, upon their request and after verifying their identity, with a description of the type of Personal Data processed, along with stating the purpose of the process together with a copy of the data processed or gathered about the child.
An individual whose personal data is subject to processing under the provisions of the DPL has the right to withdraw their prior consent. The DPL Guidelines cite that data controllers are required to keep a record of how the consent was obtained and when it was obtained.
The need to perform a data protection impact assessment (DPIA) is only hinted at in the official text of the Qatar DPL, under Article 11, paragraph 1 and Article 13. For instance, the text states that the controller shall review “privacy protection measures before proceeding with new processing operations.” In light of this text, the DPL Guidelines recommend that data controllers (but not all controllers) conduct an impact assessment to identify any risks associated with processing personal data, or whether the processing may result in any harm to the personal data or privacy of any individual. Moreover, organizations can be subject to a fine of QAR 1,000,000 (USD 275,000) for failing to carry out a DPIA.
In any case, a controller that does not carry out a DPIA is obliged to keep a record of the reason. It is also to be noted that the DPIA is one of the important components of a personal data management system pursuant to Article 11(5). Therefore, it is recommended that the controller carry out a DPIA before conducting any new processing activity or before making any considerable changes to an existing processing activity.
The official text of the DPL briefly states that the controller is obligated to maintain a “comprehensive and detailed” record of all processing activities and of the disclosure of personal data for any lawful purposes. Under the DPL, records of processing activities (RoPA) are maintained alongside other compliance requirements such as cross-border data transfer, consent management, privacy assessment, and sensitive data management. In the DPL Guidelines, the CDP further obligates data controllers to include records of marketing activities in their RoPA reports.
Unlike other privacy laws, the Qatar DPL Article 15 prohibits the data controller from taking any measures against the cross-border data transfer that could limit the international data flow. However, the legislation does authorize the controller to take measures if the cross-border transfer is in violation of the provisions provided in the DPL or the processing of such data may result in serious harm to the personal data or the respective individuals.
The legislation prohibits data controllers from sending direct marketing communications to individuals unless the individual has provided explicit and unambiguous consent. The legislation further specifies what information the controller must include when sending electronic communications for direct marketing purposes. The communication should state the data controller’s identity and contact details, and clearly indicate that it is sent for direct marketing purposes. In addition, it shall include a valid, easily accessible address through which an individual can request that the originator stop such communications or revoke the consent on which they are based.
Although the DPL contains provisions obliging data controllers to verify the compliance level of their processors, the text does not explicitly mention any contract. However, the DPL Guidelines impose added obligations on data controllers, mandating them to sign a contract with their processors regarding the processing of data. The contract should cover the nature of the processing, its purpose, the duration, security measures, and individuals’ rights.
Moreover, controllers and the processors shall take the precautions necessary to protect personal data against loss, damage, change, disclosure, illegal access, or use. The processor should also notify the controller of the existence of any breach of the precautions referred to in the law or where any risk arises threatening personal data in any way.
The DPL introduces a separate category of personal data, Personal Data with Special Nature, which includes data related to children, criminal activities, health, ethnicity, religion, and marital relations. Processing of such sensitive data is only permitted if the data controller obtains permission from the Competent Department.
The DPL obligates data controllers to create an internal system to effectively manage personal data, breach notification, and the fulfillment of individuals’ rights. The DPL Guidelines term such an internal system a Personal Data Management System (PDMS), which includes the following core components: RoPA and DPIAs.
The DPL Guidelines provide further details regarding the additional information that a PDMS should include, such as:
The DPL outlines a set of rights that the legislation provides to individuals whose personal data is subject to processing, such as:
The legislation allows the Competent Authority to process some personal data without abiding by certain provisions of the law if the processing is in the interest of protecting international relations, national security, or economic and financial interests. In such cases, the Competent Authority must create a separate record of the processing of such personal data. Similarly, a data controller is exempted from certain provisions in the following cases:
Articles 13 and 14 set out the breach notification requirements under the Qatar DPL. In the case of a data breach that may “cause serious damage” to personal data or an individual’s privacy, the data processor must notify the controller of the breach. The controller is then responsible for notifying the impacted individual and the Competent Department, which is the Compliance and Data Protection (CDP) department.
It is to be noted that the main legal text of the DPL does not specify a time window for breach notification. However, the DPL Guidelines introduce a 72-hour deadline within which the notification must be made once a breach is detected. Apart from the deadline, the Guidelines also elaborate on the circumstances that may lead to “serious harm” to an individual’s privacy, such as:
Financial and criminal penalties for violations and non-compliance are common components of many data protection and privacy laws. The Qatar data protection law, however, imposes only financial penalties (albeit severe ones) for legislative violations and non-compliance, and no criminal penalties such as imprisonment. The penalties range from QAR 1,000,000 to QAR 5,000,000, depending on the Article that has been violated.
The DPL Guidelines state that the Compliance and Data Protection (CDP) department at the Ministry of Transport and Communications (MoTC) is designated to implement and enforce the Data Protection Law (DPL), as well as to develop controls around its provisions.
Compliance with data privacy and protection laws such as the Qatar DPL comes with a certain set of challenges. For instance, data sprawl and unstructured data cause organizations to lose sight of personal data and sensitive personal data. This lack of visibility makes it difficult for organizations to operationalize individuals’ rights management, consent management, or breach notification management.
In our years of experience in enabling organizations to streamline their business processes around data privacy laws, we’ve found the following best practices highly effective and efficient:
Securiti is the leader in data privacy management. Securiti enables organizations with its AI/ML automation to simplify and streamline privacy management, data governance, data protection, and compliance processes. By leveraging Securiti, you can bolster and speed up your DPIA assessments, sensitive data discovery, personal information linking to the data owner, breach notification, privacy notification, consent management, and RoPA requirements.
Request a demo to learn how Securiti can help you operationalize Qatar DPL for data protection and compliance.