Data protection: Qatar's New Protection of Personal Data Privacy Law

Edited by Bachir El Nakib

Have you ever filed taxes or made a phone call? Do you own a smartphone? Have you ever used the internet? Do you have a social media account or wear a fitness tracker?

If you answered yes to any of these questions, you have been sharing your personal information, either online or off, with private or public entities — including some that you may never have heard of.

Sharing data may bring benefits, and it has often also become necessary for us to do everyday tasks and engage with other people in today’s society. But it is not without risks. Your personal data reveals a lot about you, your thoughts, and your life. These data can easily be exploited to harm you, and that’s especially dangerous for vulnerable individuals and communities, such as journalists, activists, human rights defenders, and members of oppressed and marginalized groups. That is why these data must be strictly protected.

In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) is the new framework for protecting that right. It is not without flaws, but it represents a very positive framework for users, enabling Europeans to take back control of their personal information. Even as the law is still being implemented — it will come into force in May 2018 — other countries are looking to the GDPR as they develop or implement their own laws to protect data.

Following is information on the meaning and purpose of data protection, and why we need laws to protect it.

What is data protection?

Personal data is any information relating to you, whether it relates to your private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection comes in.

Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not you want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.

Governments also have a security interest in ensuring the protection of personal data. In 2015, criminals stole 21.5 million records from the US Office of Personnel Management that contained the highly sensitive personal data of federal employees and their family members. This type of attack is happening more frequently across the globe, and countries must take action to better protect individuals’ information.

Why do we need data protection laws?

There are two main reasons that governments should pursue comprehensive data protection frameworks:

  • Laws need to be updated to address today’s reality. Ever since the internet was created, people have been sharing more and more of their personal information online. In many countries, privacy rules exist and remain important to help protect people’s information and human rights, but they are not adapted to suit the challenges of today’s connected world.


  • Corporate co- and self-regulation is not working to protect our data. Around the world, companies and other entities that collect people’s data have long advocated for regulation of privacy and data protection not through binding frameworks but rather through self- or co-regulation mechanisms that offer them greater flexibility. However, despite several attempts, we have yet to see examples of non-binding regimes that are positive for users’ rights (or, indeed, for business as a whole).

If you are a lawmaker or a citizen contributing to domestic discourse on data protection, make sure you are equipped with the right tools for the creation of a positive framework protecting users’ data and information.


Qatar’s New Protection of Personal Data Privacy Law #13

The New Law

Law No. (13) of 2016 on the Protection of Personal Data and Privacy (the “New Law”) came into force on January 29, 2017. Individuals and entities subject to the New Law were initially required to comply with its provisions by July 29, 2017. However, we understand that this compliance deadline has been extended until January 29, 2018. 

Who is Covered?

The New Law imposes obligations on any individual or entity collecting and electronically processing personal data. “Personal data” is defined broadly as “any information relating to an individual identified or reasonably identifiable by reference to such information or by combining such information with any other information.”

As such, the New Law impacts employers, healthcare providers, universities and B2C entities, along with any entity or individual supporting them in the collection and/or processing of personal data.

Those supplying cloud or other remote data processing services are also covered under the law. 

What is the Risk?

Failure to follow the New Law can lead to fines of up to QR5 million (US$1.3 million). To the extent of its violation, any contract or agreement concluded in violation of the New Law shall be considered null and void.

New Categories

The New Law creates the categories of “controllers,” defined as the entity that “determines the means and purposes of processing personal data,” and “processors,” defined as the entity that “processes personal data on behalf of a controller.”


Key Provisions

The New Law has several provisions that will have a far-reaching effect on how a company collects, processes and stores personal data.

Individual Rights – The New Law establishes the right of an individual to privacy over his or her personal data. The individual is granted rights to:

– Review, alter or delete their personal data at any time. An individual may request a copy of their personal data after making a payment that does not exceed the value of the service provided.

– Withdraw approval at any time.

– Object to the processing of their personal data, if it is unnecessary for the purposes for which it was given or is


Controller Duties – A controller must do the following:

Notification/Communication Requirements:

– Obtain the approval of the individual before processing their personal data, unless they can show it is necessary to achieve the controller’s (or the 3rd party to whom the personal data is sent) legitimate purpose.

– Obtain explicit consent from the parent before processing any personal data of a child.

– Obtain approval of the Ministry of Transport and Communications (MTC) before processing any “personal data of a special nature,” which includes ethnic origin, health, physical/psychological state, religious beliefs, marital relationships and criminal offenses.

– Notify the individual before processing (or allowing a 3rd party to process) personal data. This notice shall include the legitimate purposes for the processing, a description of the processing activities and the degrees of disclosure to be made.

– Conduct direct marketing only after approval of the individual, which can be withdrawn, and must include the identity/address of the sender. (See also the Anti-Spam regulations issued by the Communications Regulatory Authority in November 2017).

– Notify the individual and the government of any breach of personal data that would result in serious damage to the privacy of the individual.

– Notify the individual of a disclosure of any inaccurate personal data.


Implement Data Privacy Protection Procedures:

– Take “necessary and appropriate precautions” to protect personal data from incidental or illegitimate loss, damage, modification, disclosure, access or use. This includes complying with privacy protection policies issued by the government.

– Train, educate and conduct comprehensive security reviews on any staff or 3rd party processors handling personal data.

– Delete personal data after it is no longer needed to achieve the legitimate purposes.

– Implement a system to effectively manage personal data breaches.

– Make available a method to receive and handle an individual’s complaints, data access, correction or deletion requests.

Note: Trans-border data flows are encouraged, but must only be done in compliance with the New Law. Also, there is a broad carve-out from the above rules when processing data for government or other civic purposes.

Processor Duties – In addition to the items applicable above, the processor must:

– Notify the controller immediately after it becomes aware of a breach or threat.

– Take necessary and appropriate precautions to protect personal data from incidental or illegitimate loss, damage, modification, disclosure, access or use.

Complaint Process – An individual may lodge a complaint with the MTC’s privacy department, which will render a decision and, as needed, require corrective action. That decision may be appealed within 60 days. The MTC’s minister will then have 60 days to grant the appeal; failing a response, the decision is deemed final.

What to Do

It is important for companies to prepare for the New Law to be able to comply with many of the new provisions. Below is an overview of some of the projects that we can work with your team to implement.

• Preliminary Due Diligence – Start gathering information and assessing what steps your organization needs to take to become compliant. We can provide a gap assessment to identify what obligations you are under, whether in Qatar, Europe or elsewhere. Many countries are passing new data privacy laws that apply to data held cross-border.

• Data Mapping – You can only protect what you know you have. Review and map your internal and external data flows and ensure appropriate privacy mechanisms are in place.

• Consent-Based Data Uses, Special Data Processing – The New Law requires valid consent and, in some cases, contains additional obligations/authorization from the government before processing personal data of a special nature. All processing activities should be reviewed and made to conform with the regulation.

• Privacy Notices and Consents – In order to ensure proper consent is obtained, privacy notices, consent forms and processes should be reviewed and amended accordingly.

• Individual Rights – The New Law introduces new rights for individuals. Organizations must put in place procedures allowing individuals to effectively exercise their rights.

• Privacy by Design – Compliance with the New Law requires precautions to be built into products and systems to protect individuals’ personal data. Procedures should be reviewed and amended, if existing, or developed and formalized, as necessary.

• International Data Transfers – Trans-border data flows may only be carried out in compliance with the New Law. Processor agreements and controller-to-controller agreements/clauses should be reviewed and updated.

• Data Security Management Process – Organizations must take appropriate technical and organizational data security measures, including comprehensive security reviews, training and testing/auditing of anyone handling Personal Data (including 3rd parties). It is important that businesses understand the required security measures and, if necessary, modify their breach management process to become compliant.

• Breach Notification – The New Law requires the reporting of data breaches to the individual and supervisory authority. Businesses must implement an appropriate breach notification plan.