Qatar’s Data Privacy Law: What GCC organisations need to know

Law No. 13 of 2016 Concerning Personal Data Protection (the DPL) has been in place in Qatar since the end of 2016. If you’re still unsure about the requirements of the DPL and how your organisation can comply, we’ve created a summary for you below.

What does the law state?

Under the DPL, organisations must adhere to the principles of transparency, fairness and respect for human dignity.

The law applies to “personal data that is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or when a combination of electronic and traditional processing is used”.

The DPL has six key categories of requirements:

  1. Lawful grounds for processing: Consent must be provided before an individual’s personal information can be used by an organisation, unless processing is necessary to achieve a legitimate purpose.
  2. Fair processing notices: Notifications must be sent to individuals whose data you are processing, which specifies the identity of the data controller, purpose of processing and a description of the processing activities.
  3. Compliant information handling practices: There are a further six key practices to abide by:
    1. Process personal data honestly and according to the law.
    2. Safeguard the data using appropriate measures.
    3. Comply with privacy protection policies issued by the MOTC (Ministry of Transport and Communications).
    4. Review data protection measures before releasing new products/services.
    5. Ensure relevance and accuracy of personal data.
    6. Do not keep personal data for longer than required.
  4. Effective management of third parties and employees: Take necessary steps to protect data from loss, damage, alteration, disclosure or from being accessed or used accidentally or unlawfully.
  5. Efficient handling of subject access requests: Data subjects have the right to access and review their personal data and receive information about how their data is being processed.
  6. Data breach notification: Organisations that suffer a data breach that would cause ‘gross harm’ to the individuals concerned must notify the MOTC and any data subjects affected.

Why do Qatari organisations need to comply?

The grace period for Qatari organisations to comply with the DPL ended on 30 June 2018, so organisations must review their data privacy measures as a matter of urgency.

Organisations found breaching the DPL could be liable for fines of up to 5 million QR, damage their reputation and engender mistrust among consumers.

How GDPR compliance can help with DPL compliance

Qatar’s DPL contains many similarities to the EU GDPR (General Data Protection Regulation), which came into force in May 2018, so complying with the GDPR can help organisations comply with the DPL.

With the appropriate data protection compliance framework in place, not only will you be able to avoid significant fines and reputational damage but you will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.

Learn how to demonstrate compliance with the GDPR >>