DLA Piper Intelligence

Data Protection
Laws of the World

Law

Qatar - Financial Centre Free Zone
Note: Please also see Qatar.

The Qatar Financial Centre (QFC) implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (DPL).

Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).

Last modified 28 Jan 2019
Definitions

Definition of data controller

Any person in the QFC who alone or jointly with others determines the purposes and means of the processing of personal data.

Definition of data processor

Any person who processes personal data on behalf of a data controller.

Definition of Identifiable Natural Person

A natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of personal data

Any information relating to an identified natural person or an identifiable natural person. 

Definition of processing

Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Definition of sensitive personal data

Personal data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life.

Last modified 28 Jan 2019
Authority

The Employment Standards Office at the QFC Authority is effectively the administrator of the DPL and DPR in the QFC.

Employment Standards Office
Qatar Financial Centre
Level 8, QFC Tower 1
Westbay
Doha, Qatar
eso@qfc.qa
Tel: +974 44967609

Last modified 28 Jan 2019
Registration

Unless certain exceptions apply, data controllers must obtain a permit from and provide notice to the QFC Authority prior to processing sensitive personal data or transferring personal data outside of the QFC to a recipient who is not subject to laws or regulations that ensure an adequate level of protection for that personal data.

Last modified 28 Jan 2019
Data Protection Officers

There is no requirement under the DPL or the DPR for organizations to appoint a data protection officer. Note, however, the general obligation of a data controller to implement appropriate technical and organizational measures to protect personal data, as further detailed below (see Security section). It is nevertheless recommended that organizations that operate on a large scale or carry out regular and systematic monitoring of individuals appoint an individual responsible for overseeing the data controller’s compliance with data protection requirements.

Last modified 28 Jan 2019
Collection & Processing

Data controllers may process personal data when any of the following conditions are met:

  • The data subject has given his/her unambiguous consent to the processing of that personal data (DPL, Article 7(1))
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (DPL, Article 7(2))
  • Processing is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 7(3))
  • Processing is necessary in order to protect the vital interests of the data subject (DPL, Article 7(4))
  • Processing is necessary for the performance of a task carried out in the interests of the QFC, or in the exercise of the QFC Authority, the QFC Regulatory Authority, the QFC Tribunal or Appeals Body functions or powers vested in the data controller or in a third party to whom the personal data is disclosed (DPL, Article 7(5)), or
  • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the personal data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject's particular situation (DPL, Article 7(6))

Data controllers may process sensitive personal data when any of the following conditions are met:

  • The data subject has given his/her explicit consent to the processing of that personal data (DPL, Article 8(1)(A))
  • Processing is necessary for the purposes of carrying out the obligations and specific rights of the data controller in the field of employment law (DPL, Article 8(1)(B))
  • Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his/her consent (DPL, Article 8(1)(C))
  • Processing is carried out by a foundation, association or any other nonprofit-seeking body in the course of its legitimate activities with appropriate guarantees that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed to a third party without the consent of the data subjects (DPL, Article 8(1)(D))
  • The processing relates to personal data which is manifestly made public by the data subject or is necessary for the establishment, exercise or defense of legal claims (DPL, Article 8(1)(E))
  • Processing is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 8(1)(F))
  • Processing is necessary to uphold the legitimate interests of the data controller recognized in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject's particular situation (DPL, Article 8(1)(G))
  • Processing is necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a data controller (DPL, Article 8(1)(H)), or
  • Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where that personal data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy (DPL, Article 8(1)(I))
Last modified 28 Jan 2019
Transfer

Data controllers may transfer personal data out of the QFC if the personal data is being transferred to a Recipient in a jurisdiction that has laws and regulations that ensure an adequate level of protection for that personal data (DPL, Article 9(1)). The adequacy of the level of protection ensured by the laws and regulations to which the Recipient is subject shall be assessed in light of all the circumstances surrounding a personal data transfer operation or set of personal data transfer operations, including but not limited to:

  • The nature of the data
  • The purpose and duration of the proposed processing operation or operations
  • If the data does not emanate from the QFC, the country of origin and country of final destination of the personal data
  • Any relevant laws to which the recipient is subject, including professional rules and security measures

In the absence of an adequate level of protection, data controllers may transfer personal data out of the QFC if any of the following are true:

  • QFC Authority has granted a permit for the transfer or the set of transfers and the data controller applies adequate safeguards with respect to the protection of this personal data (DPL Article 10(1)(A)). Article 3.2 of the DPR then sets out the requirements for applying for such a permit (including a description of the proposed transfer of personal data for which the permit is being sought and including a description of the nature of the personal data involved)
  • Data subject has given his / her unambiguous consent to the proposed transfer (DPL, Article 10(1)(B))
  • Transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request (DPL, Article 10(1)(C))
  • Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party (DPL, Article 10(1)(D))
  • Transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defense of legal claims (DPL, Article 10(1)(E))
  • Transfer is necessary in order to protect the vital interests of the data subject (DPL, Article 10(1)(F))
  • Transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case (DPL, Article 10(1)(G))
  • Transfer is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 10(1)(H))
  • Transfer is necessary to uphold the legitimate interests of the data controller recognized in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the data subject’s particular situation (DPL, Article 10(1)(I))
  • Transfer is necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a data controller which is established in the QFC (DPL, Article 10(1)(J))

Authorities who receive personal data in the context of a particular inquiry are not regarded as Recipients under the DPL or the DPRs (as per the definition of Recipient in the DPL).

Last modified 28 Jan 2019
Security

Data controllers must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing, in particular where sensitive personal data is being processed or where the personal data is being transferred out of the QFC to a jurisdiction without an adequate level of protection (DPL, Article 14(1)).

When applying for a permit to process sensitive personal data, or transfer personal data out of the QFC to a jurisdiction without an adequate level of protection, data controllers must include detail regarding the safeguards employed to ensure the security of such sensitive personal data/personal data (respectively, Articles 2.1.1(I) and 3.2.1(I) of the DPR).

The measures implemented ought to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (DPL, Article 14(2)).

Last modified 28 Jan 2019
Breach Notification

There is no requirement under the DPL or the DPR to inform the QFC Authority of any breaches of personal data databases. It is nevertheless recommended that a data controller notify the QFC Authority and the concerned data subjects of any breach as soon as practicable and, in any event, within 72 hours from the time the data controller becomes aware of such breach.

Last modified 28 Jan 2019
Enforcement

In the QFC, the Employment Standards Office (ESO) oversees the enforcement of the DPL.

If the QFC Authority is satisfied that a data controller has contravened or is contravening the DPL or DPR, the QFC Authority may issue a direction to the data controller requiring it to do either or both of the following:

  • To do or refrain from doing any act or thing within such time as may be specified in the direction (DPL, Article 22(1)(A))
  • To refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction (DPL, Article 22(1)(B))

A data controller may file an appeal against a decision by the QFC Authority to issue a direction pursuant to DPL, Article 22(1) at the QFC Tribunal (DPL, Article 22(3)). 

Last modified 28 Jan 2019
Electronic Marketing

The DPL requires data controllers, immediately upon collecting personal data, to provide the data subjects from whom they have collected it with, among other things, any further information to the extent necessary (having regard to the specific circumstances in which the personal data is collected). This includes information on whether the personal data will be used for direct marketing purposes (DPL, Article 11).

If the personal data has not been obtained from the data subject, the data controller or their representative must at the time of undertaking the recording of personal data – or if it is envisaged that the personal data will be disclosed to a third party, no later than when the personal data is first recorded or disclosed – provide the data subject with, among other things, information regarding whether the personal data will be used for direct marketing purposes (DPL, Article 12).

Before personal data is disclosed for the first time to third parties or used on a data subject’s behalf for the purposes of direct marketing, data subjects also have the right to be informed and to be expressly offered the right to object to such disclosures or uses (DPL, Article 16(1)(B)).

Additionally, the DPL requires a data controller to record various types of information regarding its personal data processing operations (Article 17(1) and 2(A)). This must include an explanation of the purpose for the personal data processing (DPR, Article 4(1)(B)). The DPR suggests that one of these purposes may be for advertising, marketing and public relations for the data controller itself or for others (Article 4.1(e)).

Last modified 28 Jan 2019
Online Privacy

Neither the DPL nor the DPR contains specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as Qatar criminal law applies in the QFC, the privacy principles laid out therein may apply (see Qatar).

Last modified 28 Jan 2019
Contacts
Brenda Hill
Legal Director
T +974 4420 6126
Last modified 28 Jan 2019