
Qatar Personal Data Privacy Protection Law (PDPPL)

Published August 2, 2023 / Updated October 21, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


I. Introduction

Qatar is the first Gulf country that has passed a national data privacy law and paved the way for all other Gulf countries to follow suit. In 2016, Qatar enacted Law No. 13 Concerning Personal Data Privacy Protection Law (the “PDPPL”). The PDPPL establishes a certain degree of personal data protection, provides data subject rights, and prescribes guidelines for organizations to process personal data within Qatar.

Furthermore, on 31 January 2021, the Ministry of Transport and Communications (the “MOTC”) released a new set of guidelines (14 in number) on the PDPPL for regulated organizations as well as guidelines for data subjects.

The law was passed in 2016 as the Personal Data Privacy Protection Law (PDPPL). It applies to all personal data that is processed electronically, or is subject to such processing, within the territory of Qatar, with the exception of the Qatar Financial Centre Free Zone.

The Personal Data Privacy Protection Law defines certain obligations for data controllers regarding the processing of sensitive personal data, data subject privacy notification, breach notification, data subject rights, and cross-border transfer, to name a few. However, when the law was first enacted in 2016, it gave little detail on how organizations must comply with it. To address that shortcoming, the National Cyber Governance and Assurance Affairs (NCGAA) issued a number of guidelines to help organizations comply with the PDPPL.

Let’s conduct a quick analysis of the key provisions that the Qatar PDPPL defines for data controllers and processors.

II. Definitions of Key Terms

a. Competent Department

Any competent administrative department at the Ministry of Transport and Communications.

b. Competent Authority

Any competent entity that regulates the acts or procedures as per the PDPPL.

c. Individual

Any natural person whose data is subject to processing.

d. Data Controller

An organization that supervises the processing of personal data and determines the purpose of any such processing.

e. Data Processor

Any natural person who processes personal data at the direction of a data controller.

III. Who Needs to Comply with Qatar’s PDPPL

Almost every data privacy and protection law defines certain obligations around organizations or entities that are subject to the law, the territorial limitations of the law, and the type of personal data that the law applies to.

a. Material Scope

Qatar PDPPL applies to all such personal data that is gathered, obtained, or extracted electronically, including the data that is obtained through a combination of both traditional data processing and electronic data processing means.

Exceptions

However, certain types of personal data are exempt from the law. The PDPPL does not apply to personal data used as statistical data, such as personal data used for a census. The PDPPL may also not apply to personal data that is processed in private or family settings.

b. Territorial Scope

The Qatar PDPPL doesn’t explicitly define the territorial scope of the law. However, it is reasonable to assume that the law at least applies to the processing of personal data within the territory of Qatar.

IV. Obligations for Organizations Under Qatar’s PDPPL

The Qatar PDPPL contains 31 Articles and related provisions covering the processing of personal data, its protection, international data transfer obligations, and consent requirements. Let’s take a look at some important obligations.

a. General Data Processing Requirements

Qatar’s PDPPL requires the controller to meet the following requirements when processing personal data or sensitive personal data:

  • The personal data must be processed in a legitimate and honest manner;
  • The controller should take into account the controls, designs, and other services while processing personal data;
  • The controller should ensure technical, financial, and administrative measures to protect the data are met as set forth by the regulatory authorities;
  • The controller shall not keep any personal data for longer than is necessary for the purpose for which it was collected.

The legislation requires the controller to inform the individual of the following before processing their personal data:

  • Details of the controller or any associated third parties;
  • The lawful purpose for processing the personal data;
  • A comprehensive description of the processing activities and the level of disclosure.

b. Consent Requirements

Qatar’s PDPPL outlines clear consent requirements. Pursuant to Article 4 of the PDPPL, the data controller is obligated to obtain consent from an individual before processing their personal data. However, the data controller may not be required to obtain consent if the processing is necessary for lawful purposes of the data controller or any other recipient of the data.

Data controllers are further required to obtain, either electronically or through any other appropriate means, explicit consent from the guardian of the child whose Personal Data is processed. They should also provide a child's guardian, upon their request and after verifying their identity, with a description of the type of Personal Data processed, along with stating the purpose of the process and a copy of the data processed or gathered about the child.

Individuals whose personal data is subject to processing under the provisions of the PDPPL have the right to withdraw their prior consent. The PDPPL Guidelines cite that data controllers must keep a record of how the consent was obtained and when it was obtained.

c. Data Protection Impact Assessment (DPIA)

The need for performing a data protection impact assessment (DPIA) is only hinted at in the official text of the Qatar PDPPL, under Article 11, paragraph 1 and Article 13. For instance, the text states that the controller shall review “privacy protection measures before proceeding with new processing operations.” In light of this text, the PDPPL Guidelines recommend that data controllers (though not all of them) conduct an impact assessment to identify any risks associated with processing personal data, or whether the processing may result in harm to the personal data or privacy of any individual. Moreover, organizations can be subject to a fine of QAR 1,000,000 (USD 275,000) for failing to carry out a DPIA.

In any case, a controller that does not carry out a DPIA is obliged to keep a record of the reason. It is also to be noted that the DPIA is one of the important components of a personal data management system pursuant to Article 11(5). Therefore, it is recommended that the controller carry out a DPIA before conducting any new processing activity or before making any considerable changes to an existing processing activity.

d. Records of Processing Activities (RoPA)

The official text of the PDPPL briefly states that the controller is obligated to maintain a “comprehensive and detailed” record of all processing activities and of the disclosure of personal data for any lawful purpose. Under the PDPPL, RoPA reports are maintained alongside other compliance requirements such as cross-border data transfer, consent management, privacy assessment, and sensitive data management. In the PDPPL Guidelines, the NCGAA further obligates data controllers to record their marketing activities in their RoPA reports as well.

e. Cross-Border Data Transfer Requirements

Unlike other privacy laws, Article 15 of the Qatar PDPPL prohibits the data controller from taking any measures against cross-border data transfers that could limit the international flow of data. However, the legislation does authorize the controller to take measures if the cross-border transfer violates the provisions of the PDPPL, or if the processing of such data may result in serious harm to the personal data or the individuals concerned.

f. Direct Marketing Obligations

The legislation prohibits data controllers from sending direct marketing communications to individuals unless the individual has provided explicit and unambiguous consent. The legislation further specifies what additional information the controller must include when sending electronic communications for direct marketing purposes. The communication must state the data controller’s identity and contact details, and must clearly state that it is sent for direct marketing purposes. In addition, it shall include a valid, easily accessible address through which an individual can ask the sender to stop such communications or revoke their consent to receiving them.

g. Data Controller & Processor Contract

Although the PDPPL contains provisions obliging data controllers to verify the compliance of their processors, the text does not explicitly mention a contract. However, the PDPPL Guidelines impose additional obligations on data controllers, mandating that they sign a data processing contract with their processors. The contract should specify the nature of the processing, its purpose, its duration, the security measures, and individuals’ rights.

Moreover, controllers and processors shall take the precautions necessary to protect personal data against loss, damage, change, disclosure, illegal access, or use. The processor should also notify the controller of the existence of any breach of the precautions referred to in the law or where any risk arises threatening personal data in any way.

h. Sensitive Personal Data Processing Requirements

The PDPPL introduces a separate category of personal data, Personal Data with Special Nature, which includes data related to children, criminal activities, health, ethnicity, religion, and marital relations. Processing of such sensitive data is only permitted if the data controller obtains permission from the Competent Department.

V. Personal Data Management System (PDMS)

The PDPPL obligates data controllers to create an internal system to effectively manage personal data, breach notification, and the fulfillment of individuals’ rights. The PDPPL Guidelines refer to such an internal system as a Personal Data Management System (PDMS), which includes RoPA and DPIAs as core components.

The PDPPL Guidelines provide further details regarding the additional elements a PDMS should include, such as:

  • Implementation of various measures for personal data protection;
  • Streamlined processes for breach notification, DSR fulfillment, and consent management;
  • Accountability for compliance.

VI. Rights of Individuals

The PDPPL outlines a set of rights that the legislation provides to individuals whose personal data is subject to processing, such as:

a. Right to Withdraw Consent

An individual has the right to withdraw their prior consent from further processing.

b. Right to Object to Processing of Personal Data

An individual has the right to object to processing their personal data if such processing isn’t necessary or if the data is collected through illegal or unfair means.

c. Right to Omission or Erasure of Personal Data

An individual has the right to request the erasure or deletion of their personal data if the processing is not necessary or the data is collected through unfair means, or the purpose of the processing ceases to exist.

d. Right to Correction

Individuals have the right to request corrections to their personal data through a verified and accurate request.

e. Right to Access

An individual has the right to request access to the personal data collected about them. The PDPPL obligates data controllers to notify the individual about the processing of their personal data and the purpose of that processing. Moreover, the individual has the right to be notified of any disclosure of inaccurate personal data and to obtain a copy of their personal data upon paying a service charge.

VII. Important Exemptions

The legislation allows the Competent Authority to process some personal data without abiding by certain provisions of the law if the processing is in the interest of protecting international relations, national security, or economic and financial interests. In such cases, the Competent Authority must create a separate record of the processing of such personal data. Similarly, a data controller is exempted from certain provisions in the following cases:

  • Performing a task related to the public interest;
  • Implementing a legal obligation or an order rendered by a competent court;
  • Protecting the vital interests of the individual;
  • Processing personal data for scientific research purposes;
  • Processing information necessary for the investigation of a criminal offense, pursuant to an official request from the investigative bodies.

VIII. Breach Notification Requirements

Articles 13 and 14 set out the breach notification requirements under the Qatar PDPPL. In the case of a data breach that may “cause serious damage” to personal data or an individual’s privacy, the data processor must notify the controller of the breach. The controller is then responsible for notifying the impacted individuals and the NCGAA.

It is to be noted that the main legal text of the PDPPL does not specify a time window for breach notification. However, the PDPPL Guidelines introduce a 72-hour deadline, running from the detection of the breach, within which the notification must be made. Apart from the deadline, the Guidelines also describe the circumstances that may lead to “serious harm” to an individual’s privacy, such as:

  • Processing of sensitive data.
  • Performing automated-decision making.
  • Collection of personal data via third parties.
  • Direct marketing.
  • Processing of employees’ data.
  • Cross-border transfer.

IX. Penalties for Non-Compliance

Financial and criminal penalties for violations and non-compliance are common components of many data protection and privacy laws. The Qatar data protection law, however, imposes only financial penalties, albeit severe ones, for violations and non-compliance, and no criminal penalties such as imprisonment. The penalties range from QAR 1,000,000 to QAR 5,000,000, depending on the Article that has been violated.

X. Regulatory Authority

National Cyber Governance and Assurance Affairs (NCGAA) is empowered by the National Cyber Security Agency (NCSA) to administer and enforce the PDPPL as well as to develop controls around its provisions.

XI. How Organizations Can Operationalize Qatar PDPPL

Compliance with data privacy and protection laws such as the Qatar PDPPL comes with a certain set of challenges. For instance, data sprawl and unstructured data cause organizations to lose sight of personal data and sensitive personal data. This lack of visibility makes it hard for organizations to operationalize individuals’ rights management, consent management, and breach notification management.

In our years of experience in enabling organizations to streamline their business processes around data privacy laws, we’ve found the following best practices highly effective and efficient:

  • Maintain a catalog of personal and sensitive personal data with granular classification. Automating the data discovery, classification, and cataloging process saves time and cost and avoids the errors that manual data discovery approaches can introduce.
  • Data subject rights management and fulfillment is a time-consuming process, especially when you hold a high volume of personal data. With AI-driven automation and the linking of personal data to its respective owner, organizations can speed up the process and deliver timely, accurate DSR fulfillment and breach notifications.
  • Organizations must conduct routine data protection impact assessments (DPIAs) to monitor and assess risk to the cataloged personal data, including data elements that are updated routinely or sporadically.
  • By automating privacy notices, notifications, and records of processing activities (RoPA) reports, organizations can let automation tools handle such micro-level tasks while personnel spend more of their time on business-critical operations.

XII. How Securiti Can Help

Securiti is the leader in data privacy management. Securiti enables organizations with its AI/ML automation to simplify and streamline privacy management, data governance, data protection, and compliance processes. By leveraging Securiti, you can bolster and speed up your DPIA assessments, sensitive data discovery, personal information linking to the data owner, breach notification, privacy notification, consent management, and RoPA requirements.

Request a demo to learn how Securiti can help you operationalize Qatar PDPPL for data protection and compliance.


Key Takeaways:

  1. Introduction of PDPPL: Qatar enacted the Personal Data Privacy Protection Law (PDPPL) in 2016, marking it as the first Gulf country to pass a national data privacy law. The PDPPL establishes protections for personal data, outlines data subject rights, and sets guidelines for organizations on personal data processing within Qatar.
  2. Guidelines Issued: In January 2021, the Ministry of Transport and Communications released 14 guidelines on the PDPPL to aid regulated organizations and data subjects in understanding and complying with the law.
  3. Scope and Exceptions: The PDPPL applies to all personal data processed electronically within Qatar, excluding data used for census or processed in private/family settings. It doesn't explicitly define territorial scope but is assumed to apply within Qatar's territory.
  4. Obligations for Organizations: Organizations must process data in a legitimate manner, ensure data protection measures, inform individuals about data processing details, and obtain explicit consent for processing personal data.
  5. Consent Requirements: Explicit consent is required from individuals before processing their personal data. This includes specific provisions for obtaining consent from guardians for children's data.
  6. Data Protection Impact Assessment (DPIA): Organizations are recommended to conduct DPIAs to identify and mitigate risks associated with personal data processing.
  7. Records of Processing Activities (RoPA): Organizations must maintain detailed records of processing activities, including marketing activities.
  8. Cross-Border Data Transfer: The law prohibits measures against cross-border data transfer that could limit international data flow, with certain exceptions.
  9. Sensitive Personal Data: Processing sensitive personal data requires permission from the Competent Department.
  10. Personal Data Management System (PDMS): Organizations are required to create an internal system for managing personal data, breach notifications, and individual rights fulfillment.
  11. Individual Rights: Individuals have rights to withdraw consent, object to processing, request data erasure or correction, and access their data.
  12. Breach Notification: Data processors must notify controllers of breaches that may cause serious damage, with a 72-hour deadline for notifications.
  13. Penalties for Non-Compliance: The law imposes financial penalties ranging from QAR 1,000,000 to QAR 5,000,000 for violations.
  14. Regulatory Authority: The National Cyber Governance and Assurance Affairs (NCGAA), under the National Cyber Security Agency (NCSA), administers and enforces the PDPPL.
  15. Operationalizing Compliance: Best practices for compliance include maintaining a personal and sensitive personal data catalog, managing data subject rights efficiently, conducting routine DPIAs, and automating privacy notices and RoPA reports.
  16. Securiti's Role: Securiti provides AI/ML automation tools to help organizations streamline their privacy management, compliance processes, and operationalize Qatar PDPPL effectively.

Frequently Asked Questions (FAQs)

PDPPL (Personal Data Privacy Protection Law) is Qatar’s data protection law regulating the collection, storage, and processing of personal data. It ensures privacy, security, and compliance for businesses handling user information.

Qatar enacted Law No. 13 Concerning Personal Data Privacy Protection Law (PDPPL). It applies to all personal data obtained or extracted electronically, including the data obtained through a combination of traditional and electronic data processing.

GDPR applies to organizations outside the European Union (EU) if they process the personal data of EU residents. However, Qatar's primary data protection law is the Qatar Personal Data Privacy Protection Law.

The PDPPL obligates the data controllers to create an internal system to effectively manage personal data, breach notification, and individual rights fulfillment.
