Qatar Data Privacy Law ( Law No 13): A Detailed Guide (2024)

Qatar passed a national data privacy law in 2016 – Qatar Law No. 13, the Personal Data Privacy Protection Law, to protect personal data. The Qatar data privacy law recommends steps that organizations must take while processing personal data within Qatar and also gives rights to the data subjects. 14 new guidelines were announced in 2021 by the Ministry of Transport and Communications for data subjects along with the regulated organizations.

The PDPPL applies to all personal data processed or subject to processing electronically in Qatar, barring the Financial Center Free Zone in Qatar.

The NCSA or National Cyber Security Agency has put the NCGAA or National Cyber Governance and Assurance Affairs in charge of administering and implementing the PDPPL and developing security controls to fulfil its provisions.

Table of Contents

Who Has to Comply with Qatar Data Protection Law?

The Qatar data privacy and protection law defines the entities to whom the law applies, the type of personal law it’s appliable to, and its territorial boundaries:

Material Scope

The Qatar PDPPL applies to all the personal data that is collected or electronically extracted, including data collected through a combination of electronic and conventional data processing methods. The exception is for data collected for use as statistical data, like for the census and data collected in private settings.

Territorial Scope

The territorial scope has not been overtly defined; we assume that it applies to all personal data being processed within Qatar.

What Measures Must Organizations Take Under Qatar Data Privacy Law?

There are 31 Articles and corresponding provisions related to personal data. Let’s check out the most important requirements.

General Data Processing

Under the PDPPL, the data controller must ensure the following while handling personal data:

• The personal data must be handled honestly and legitimately
• The controller must consider the designs, controls, and other services during data handling
• The technical, administrative, and financial measures as prescribed by the Qatar Data Privacy Law 2024 should be fulfilled
• No personal data should be maintained by the controller beyond the period necessary for collection and processing
• The controller must inform the subjects about the following details prior to processing their data:
  • Details of the controller and related third parties
  • The legal reasons for handling their personal data
  • A detailed description of the disclosure level and processing activities.

  Consent

  Article 4 of the Qatar Data Protection Law 2020 explicitly mentions that the controller must get the individual’s consent before processing their personal data, unless the processing is such that is mandated by law, for the controller or any other recipient.

  Where the personal data is that of a child, explicit consent must be obtained from the guardian through an appropriate method. After the identity verification of the guardian, if they request, the controller must provide a description of the kind of data processed and the reason for such processing, along with a copy of that data.

  Individuals whose data is being processed have the right to withdraw the consent given previously; data controllers must maintain a record of obtaining the consent.

  Data Protection Impact Assessment

  Articles 11 and 13 of the Qatar PDPPL have vaguely mentioned the requirement to conduct a DPIA. The controller must review the measures for privacy protection before processing new data.

  Therefore, the new guidelines recommend that data controllers carry out an evaluation to identify risks related to personal data processing and whether such processing could harm the individual’s data or privacy. Failure to conduct the DPIA can subject the organizations to fines of up to USD 275,000 or QAR 1,00,000.

  Entities unable to conduct the DPIA for any reason must maintain detailed records of those reasons, as it is a critical component of the personal data management system under Qatar data privacy law.

  Records of Processing Activities

  The PDPPL mentions that the controller must maintain a thorough and detailed record of personal data disclosures and processing carried out for lawful purposes. The RoPA reports, cross-border data transfer, assessing privacy, and managing consent and sensitive data, are the compliance requirements that must be maintained. Additionally, they are mandated to maintain records of marketing activities.

  Cross-Border Data Transfer

  The PDPPL does not allow the data controller to take steps against cross-border data transfer that may hinder the flow of international data; however, they can step in if the transfer violates the provisions of the Qatar data privacy law, or the processing can cause harm to the individuals or their data.

  Direct Marketing Obligations

  Data controllers cannot directly send marketing communications to individuals without clear and express consent. Such electronic communication must mention details like the identity and contact information of the data controller, and that this material is sent for marketing purposes. A valid address must also be mentioned so that the individual can withdraw their consent.

  Data Controller & Processor Contract

  Data controllers must check their processors’ compliance level and must sign a data processing contract with their processors, stating the type of processing, duration, purpose, individual rights, security measures, etc.

  Data controllers and processors must take precautions to ensure that personal data is protected from alteration, loss, theft, damage, or illegal use. The controller must be informed of any breach in the precautions as mentioned in the law or where any risk surfaces to threaten personal data.

  Sensitive Personal Data Processing

  Personal Data with Special Nature, including data corresponding to health, children, religion, ethnicity, marital relations or criminal activities is in a separate category under the Qatar data privacy law. The data controller must get the necessary permission from the relevant department to process this data.

  Personal Data Management System

  Under the PDPPL, data controllers must formulate a system for effective management of personal data, notifying breaches, and fulfilling individual rights. This internal system is called the Personal Data Management System and includes DPIA and RoPA, as discussed above.

  • Under the law, the PDMS must include:
  • Taking requisite steps to protect personal data
  • Streamlining processes to manage consent, notify breaches, and fulfill DSR
  • Accountability for adhering to the PDPPL

  Rights of Individuals

  Under the Qatar data privacy law, individuals whose personal data is being processed have the following rights:

  • To withdraw the consent given previously and stop additional processing
  • To object to their personal data being processed if it’s unnecessary or obtained unfairly or illegally
  • To request to delete or omit their personal data if the processing is unnecessary, the purpose is completed, or the data was obtained unfairly or illegally.
  • To request alterations to personal data through a proper request
  • To access their personal data collected, be notified of inaccurate disclosure, and obtain a copy of such data on payment of the prescribed fee.

  Breach Notification

  Breach notifications are covered by Articles 13 and 14 of the Qatar PDPPL. The data processor is mandated to notify the data controller whenever a data breach that could cause “serious damage” to an individual’s privacy or their data. The controller has to notify the NCGAA and the affected individual.

  The PDPPL guidelines state that the notification must be made within 72 hours of the breach happening or being detected. Additionally, the guidelines mention these circumstances as being reasons of causing serious harm to the privacy of an individual.

  • Sensitive data processing
  • Automated decision-making
  • Using third parties to collect personal data
  • Cross-border transfer
  • Direct marketing
  • Employee data processing

  Penalties for Non-Compliance with Qatar Date Privacy Law?

  The PDPPL imposes stringent penal fines for non-compliance and legislative violations. However, it doesn’t impose criminal penalties like prison time. Based on the severity of the violation, the penalty can be anything between QAR 1,000,000 to 5,000, 000.

  How Can You Ensure Adherence to the PDPPL?

  When you have disorganized and unstructured data, you make yourself vulnerable to damage or unauthorized access to data; lack of security controls leave you open to breaches. Follow these best practices to avoid violations and protect sensitive data:

  • Carry out regular DPIAs to evaluate the risk to personal data and data elements updated routinely
  • Automate notifications, privacy notifications, and RoPA so that your staff can focus on core business tasks
  • Automate DSR fulfillment to quicken the process and link personal data to the owner accurately when you deal with huge data volumes
  • Ensure granular classification for records of personal and sensitive data
  • Automate and speed up processes like discovering, classifying, and cataloging data, saving time and expenses and minimizing errors.

  Or, you could simply engage the services of a reputed and experienced compliance consultant in the GCC like Wattlecorp and do focus on your core business while we ensure that your organization achieves compliance with Qatar PDPPL.

  How can Wattlecorp Help you Achieve Compliance with Qatar PDPPL?

  • Data Mapping – our team will inventory all the personal data you hold, and get an understanding of why you hold it. This includes structured and unstructured data, conventional data, Hadoop clusters, in motion, or at rest. We will identify exactly where all your data is stored and where it’s not. We will analyse this data to check what kind of personal data is stored in each – contact information, sensitive financial information etc., categorize it, standardize it, and ensure data quality through the proper tools.
  • Gap Assessment – We will identify the gaps in your security measures by comparing them against the standards prescribed by the PDPPL.
  • Risk Assessment and Treatment – Our team will identify the risks to data security and privacy and formulate a plan to bridge the gaps in security as specified by the PDPPL and bring down the risks to a manageable level. This includes guiding you to formulate and disseminate privacy rules across the organization, setting access control, setting roles and governance, etc.
  • Implementation – Our team will implement the security policies defined at the outset, define the KPIs, implement technical controls, and the procedures required to achieve data protection and be in compliance with Qatar PDPPL. We use methods like encryption, firewalls, etc. to protect your sensitive data, without impacting your ability to analyse, forecast, query, or report on your data.
  • Testing – this is the process of checking that your data is properly protected and that the measures implemented are working. Brute force vulnerability testing is one of the methods used
  • Audit – the audit report should be able to show that you know where your data is, what it is, how it is used and for what, that you get consent for the use, and that you have processes to manage security incidents.

  With governments and individuals becoming increasingly concerned about the privacy of personal information and the need to protect sensitive information, it is imperative that organizations take cognizance of this. Adhering to compliance requirements is not optional, it is mandatory. Not complying can result in hefty fees, loss of reputation, and loss of customers.

  Don’t delay – a breach can happen any second. Ensure compliance with Wattlecorp.