The Qatari government has passed a law requiring a minimum level
of protection for personal data within the State of Qatar. It is
the first GCC member state to issue a generally applicable data
protection law. The law will be of particular interest to
Qatar-based employers given it introduces new requirements in relation to
how employers maintain and manage their employees' information.
It will require prompt action to ensure compliance, both for
governance reasons and given the law introduces material fines for
breach.
Law No. 13 of 2016 Concerning Personal Data Protection (the
Data Protection Law) was issued on 3 November 2016. It will come
into full effect in six months' time (3 May 2016), unless this
period is extended.
The Data Protection Law will help build
consumer trust in Qatar in the online environment and may encourage
consumers to engage with innovative technologies in confidence that
their data will be protected. It comes at a time when the rapid
pace of technological change means that more personal data than
ever before is being processed electronically, including due to the
advance of big data and internet of things technologies.
Some of the highlights from the new law that employers should be
aware of are:
The vast majority of personal data processing
activities are likely to be caught - The new law will
apply in most instances where personal data is handled. Article 2
provides that the requirements shall apply where personal data
(being data which identifies an individual or which can be used in
combination with other data to identify an individual) is
electronically processed, or obtained, gathered or extracted in
preparation for electronic processing, or where a combination of
electronic and traditional processing is used.
You must have lawful grounds for processing -
Personal data should not be processed without first obtaining the
approval of the data subject, unless the processing is necessary to
achieve a legitimate purpose. The legitimate purpose referred to
may be satisfied by reference to the purpose of the data controller
or a third party to whom the personal data is sent. It is unclear
at this time how narrowly the term 'necessary' will be
interpreted by the Qatari Courts.
Individuals have the right to access their personal
data - The rights given to individuals include the right
to consent to any processing of their personal data, and to
withdraw consent at any time. An individual will also have a right
to review any personal data being stored in relation to him or her,
and to ask for it to be corrected where it is inaccurate.
Responsible information handling practices are now
mandatory - The law introduces minimum standards and
overarching principles with which organisations must comply when
handling personal data, including that staff must be provided with
appropriate training on the subject of privacy and that measures
must be taken to protect personal data from loss, damage,
unauthorised modification or unauthorised disclosure.
Additional safeguards will apply to special personal
data - The law creates a class of personal data known as
'special personal data', which warrants a greater degree of
protection. This category of data includes data relating to
children, race, health, religious beliefs and criminal records and
may only be processed with the prior permission of the relevant
unit of the Ministry of Transport and Communications (MoTC).
Data breaches may trigger statutory reporting
obligations - Any company that suffers a data security
breach which would cause 'gross harm' to the individuals
concerned must notify both the MoTC, as regulator,
and the affected individuals. Based on the language used, it is
likely that any breach in which children's data was compromised
would trigger the data breach notification requirements in the
High financial penalties will be imposed for breach of certain
provisions of the Data Protection Law. For example, a fine of up to
QR1 million may be levied for a failure to notify the MoTC or an
individual affected in the event of a data breach referred to
above. A fine of up to QR5 million may be levied for a failure to
secure approval from the MoTC before processing special personal
The level of fines is undoubtedly designed to drive compliance
and to deter irresponsible personal data handling practices. It
also highlights how seriously the Qatari government is taking the
protection of an individual's right to privacy.
The concepts and requirements of the Data Protection Law will be
clarified in further ministerial decisions. However, early
indications are that the Data Protection Law is likely to transform
the regulatory landscape for privacy in Qatar.
If collection and processing of personal data pertains to private or family life, the individual's consent is required.