Data protection policies started to emerge in the Middle East in 2015, with Qatar being among the first countries to adopt them. This significant step was achieved through the implementation of Qatari Law No. 13 of 2016, which officially came into effect in 2017. While the primary focus of this law was on addressing various aspects of electronic transactions and e-commerce within Qatar, it also addressed some crucial data protection concerns that naturally arise in such activities. As a result, it marked the inception of Qatar’s first known data protection law.
In December 2020, the Compliance and Data Protection Department (CDP) under the Ministry of Transport and Communications (MOTC) introduced new guidelines to enhance the protection of personal data. These rules have been designed to safeguard any personal information collected, received, extracted, or processed electronically during various transactions or activities. Organizations responsible for handling such data are required to adhere to fundamental principles, including fairness, transparency, and respect for human dignity. These measures aim to ensure the privacy and security of individuals’ data and promote responsible data management practices.
This article will focus on the provisions of this policy in detail to provide you with all relevant information that will help you stay compliant. We will also show you how InCountry helps you stay data sovereignty compliant across the countries your business operates, including Middle East data residency.
Who needs to comply with personal data protection laws in Qatar?
Is data protection applicable in Qatar? Of course. In this section, we will review the organizations and individuals (as the case may be) that need to comply with these provisions.
- Government agencies
As they say, charity begins at home. Government agencies whose processes involve data collection and processing are expected to comply with all the provisions stated in the policy.
- Private companies
This encompasses privately owned companies of all sizes, including small, medium, and large enterprises, that collect and process personal data from individuals in Qatar. These companies typically gather and process such data as part of their business transactions with clients.
- Service providers
Third-party service providers that process personal data on behalf of other organizations must comply with this policy or face the penalties it prescribes.
- Individuals
Surprisingly, this policy also extends to individuals who collect and process personal data from others for personal or domestic purposes. If you fall into this group, it’s essential to read the following sections of this article carefully as we explore this policy further.
What Qatar data protection laws do you need to know?
Qatar data protection laws have about 31 articles covering vital areas such as the processing of personal data, its protection, international data transfers, and consent requisites. In this section, we will review these articles in detail:
Data processing requirements
The Personal Data Privacy Protection Law in Qatar imposes specific requirements on the processing agency when managing personal data. They include the following:
- Ensure the processing of personal data is carried out legitimately and honestly.
- When dealing with personal information, consider the rules, structures, and additional services involved.
- Use various methods, including technical, financial, and administrative approaches, to protect the data following the guidelines provided by regulatory authorities.
- Keep personal data as long as needed, and avoid holding onto it longer than necessary.
Moreover, the law requires the person or organization managing the personal data (the controller) to inform individuals about specific details before they start using their personal information. These essential pieces of information include:
- Information about the person or organization in charge (the controller) and any other related parties involved.
- The lawful purpose for processing personal data.
- A comprehensive description of the processing activities and the extent of disclosure involved.
Seeking permission
According to Article 4 of the law, data controllers must obtain explicit consent from individuals before processing their personal data, except when the processing is necessary for legitimate and lawful purposes.
Additionally, when handling a minor’s personal data, the data controller must obtain explicit permission from the parent or guardian before proceeding. If the guardian wants more information, the data controller should provide details about the data being processed, the purpose, and a copy of the data upon confirming their identity.
Finally, individuals reserve the right to withdraw their consent anytime they are no longer comfortable.
Data protection impact assessment (DPIA)
In article 11, paragraph 1, and article 13, Qatar’s PDPPL requires organizations to conduct a data protection impact assessment. Simply put, data controllers should evaluate the privacy protection measures they have in place before proceeding with new processing operations. The goal of this evaluation is to identify the risks that may be associated with processing personal data. Organizations that fail to do this may be fined as much as $275,000. If, for any reason, a controller does not carry out a DPIA, it is required to record its reasons.
Records of processing activities (RoPA)
Under the PDPPL, data controllers must keep detailed records of all data processing, including lawful disclosures of personal data. This includes RoPA reports and records covering cross-border data transfers, consent management, privacy assessments, and sensitive data handling. The NCGAA also requires data controllers to record marketing activities in their RoPA reports.
Direct marketing obligations
The law prohibits data controllers from sending direct marketing communications to individuals without their explicit consent. Suppose electronic communications are used for direct marketing. In that case, the controller must provide additional information, including their identity and contact details, a clear indication that the communication is for marketing, and a valid address for opting out of future communications or revoking consent.
Data controller & processor contract
The PDPPL mandates data controllers to ensure their processors’ compliance. Controllers must sign a contract with processors, specifying the processing details, security measures, and individual rights. Both parties must protect personal data from loss or unauthorized access. If any breach occurs, the processor must inform the controller promptly.
Processing sensitive data
The policy defines a special category of personal data called “Personal Data with a Special Nature,” covering information about children, criminal activities, health, ethnicity, religion, and marital relations. Processing such sensitive data is allowed only with permission from the Competent Department.
Individual rights
The individual rights covered by this policy include the following:
- Right to withdraw consent.
- Right to object to the processing of personal data.
- Right to request the permanent deletion of personal data.
- Right to correct personal data.
- Right to access personal data in the possession of a controller.
Personal data management system
The law requires data controllers to maintain an internal management system for handling clients’ personal data, breach notifications, and related obligations efficiently.
Breach notification
According to articles 13 and 14 of the PDPPL, a data processor must immediately notify the controller of any breach that occurs. The data controller, in turn, must notify the NCGAA within 72 hours of the breach.
Noncompliance penalties
Violation of or non-compliance with the PDPPL attracts financial penalties only; no jail term is included. The financial penalty for noncompliance ranges from $275,000 to $1,375,000, depending on the severity of the offense committed.
Note that the National Cyber Governance and Assurance Affairs (NCGAA) is empowered by the National Cyber Security Agency (NCSA) of Qatar to oversee and implement the PDPPL and also establish regulations to support its provisions.
Data residency requirements in Qatar
Data residency in Qatar is quite straightforward. According to the Cloud Regulatory Authority (CRA), data storage no longer needs to be limited to “on-premises” or local locations. Instead, organizations can use secure hubs (regions/availability zones) and implement encryption, anonymization, and aggregation for better efficiency. The Cloud Policy Framework in Qatar supports this approach, stating that data residency is no longer mandatory due to advanced data classification, security measures, and encryption technologies ensuring robust protection controls.
However, highly regulated industries such as financial services and healthcare are subject to de facto data residency requirements, because regulators mandate data residency when approving new systems. InCountry’s Data Residency-as-a-Service solution will help your organization stay compliant and avoid unnecessary penalties.
Cross-border data transfer requirements
Article 15 of the Qatar PDPPL addresses cross-border data transfers. Unlike some other privacy laws, the PDPPL does not generally restrict the data controller from engaging in international data flow. In other words, it does not impose blanket limitations on transferring personal data across borders.
However, there are certain circumstances under which the data controller is allowed to take measures to limit or prevent cross-border data transfers. These circumstances include situations where the cross-border transfer would violate the provisions outlined in the PDPPL or when processing such data could cause serious harm to the personal data or the individuals to whom the data pertains.
Essentially, the PDPPL permits cross-border data transfers but with the condition that the data controller can intervene if it is necessary to protect the privacy and security of personal data or to ensure compliance with the law. This approach aims to strike a balance between enabling international data flow and safeguarding the rights and interests of individuals and their data.
It is important to note that data residency requirements vary by country and can become confusing if your operations span several countries. That is why the right tool is needed to help you stay compliant.
How to comply with data protection laws in Qatar — InCountry’s approach
Data compliance can be smooth with the right help. At InCountry, we understand that no company wants to spend time and resources struggling to navigate the waters of data compliance; that’s why we are here to help. With our Data Residency-as-a-Service solution, staying compliant across all your locations becomes super easy. It allows your organization to focus on the important aspects of your business while we take care of your data compliance. Here are a few reasons why you should work with us:
- InCountry’s robust global infrastructure ensures the secure management of your regulated data.
- Collaborating with InCountry provides the quickest path to adhere to data residency regulations, expanding into new territories seamlessly.
- By leveraging InCountry’s services, you can reduce the time spent on infrastructure and software management, allowing you to prioritize core customer and product experiences.
- Enable your custom applications to meet data residency requirements effortlessly, with minimal to no development work, whether they are in IaaS clouds or on-premises.
- InCountry empowers real-time data residency compliance in over 90 countries, facilitating local regulatory adherence effectively.
Contact us today and let’s discuss your data compliance needs and show you how much value we can contribute to your business.