In Qatar, there are two parallel legal systems relating to data protection: the mainland legal system of the State of Qatar (“Mainland”) and the Qatar Financial Centre (“QFC”) regulatory system. The mainland legal system is the national legal framework, applicable across the country and based on civil law principles, with legislation issued by the State of Qatar. 
In contrast, the QFC operates under its own largely independent legal system, grounded in common law. The QFC law and regulations apply exclusively to entities licensed and registered within the QFC, and do not extend to businesses or individuals outside its jurisdiction. 

Mainland:  The primary legislation governing data protection is Qatar Law No. 13 of 2016 on the Protection of Personal Data Privacy (“Data Protection Law”).
QFC: As part of its legal infrastructure, the QFC has enacted its own data protection regime through the QFC Data Protection Regulations 2021 (“Regulations”) and the QFC Data Protection Rules (“Rules”).

Mainland: As a civil law jurisdiction, Qatar’s legal system is founded primarily on codified statutes and regulations, rather than judicial precedent. Accordingly, judicial decisions may have persuasive value in interpreting the provisions of the law. However, they do not have binding authority in the same way it does in common law systems. 
QFC: A notable judicial decision is Marc Reaidi v. Eversheds Sutherland (International) LLP, where the Qatar International Court and Dispute Resolution Center (“QICDRC”) accepted jurisdiction over a claim alleging breaches of the Regulations. The Claimant alleged that the Defendant had published an article referencing him, causing reputational harm in violation of data protection rights. The Court upheld jurisdiction under Article 8.3(c)(1) of the QFC Law, allowing the case to proceed despite the Defendant’s objections. 
Further, in September 2024, the QFC issued a USD 150,000 fine and a reprimand to a QFC-licensed firm, for breaches of Articles 8, 9, 29, and 31 of the Regulations.

Mainland: According to Article 1 of the Data Protection Law, “personal data” refers to “information that relates to an individual whose identity is identified or can reasonably be identified, either from those data or in combination with any other information”. 

Article 16 defines sensitive data as “data relating to the ethnic origin, children, health, physical or mental condition, religious beliefs, marital relationship, and felonies”.

QFC: Pursuant to Article 39 of the Regulations, “personal data” refers to any information relating to a Data Subject. “Data Subject” is defined as “a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the Data Subject”.

Sensitive data is defined in Article 39 as “personal data revealing or relating to race or ethnicity, political affiliation, or opinions, religious or philosophical beliefs, trade-union or organisational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual”.

Mainland: Before processing personal data, a controller must obtain explicit consent from data subjects, including their agreement to all relevant terms, conditions, and obligations associated with data processing. However, the processing of personal data will not require data subject consent if the personal data is being collected for a lawful purpose. “Lawful Purpose” is defined as “the purpose for which the personal data of an individual is processed in accordance with the law.”

A controller must also maintain a privacy policy pursuant to which data subjects are clearly and accurately informed of the processing purpose, the venue of processing, and the process of processing personal data, including their collection, use and disclosure, as well as all information necessary for ensuring safe processing of such personal data. In addition, data subjects must be informed of the following:
1)    their right to withdraw their consent (opt-out);
2)    their right to object to processing their personal data if such processing is not necessary to achieve the purposes for which such personal data have been collected or where such collected personal data are beyond the extent required, discriminatory, unfair or illegal;
3)    their right to request omission or erasure of their personal data upon cessation of the purpose for which the processing has been conducted, or where all justifications for maintaining such personal data by the controller cease to exist;
4)    their right to request corrections to their personal data. A request so made must be accompanied by proof of the accuracy of such request;
5)    their right to access their personal data and request to review the same, in particular, the right to: 
a)    be notified of processing the personal data and the purposes for which such processing is conducted;
b)    be notified of any disclosure of inaccurate personal data; and
c)    obtain a copy of their personal data after paying an amount that must not exceed the service charge (if any).
6)    the controller’s details or any other party conducting the processing for the controller or to be used thereby;
a)    the lawful purposes that the controller or any other party wants to process the personal data therefor;
b)    a comprehensive and accurate description of the processing activities and the levels of disclosure of such personal data for the lawful purposes, and if the controller is unable to do so, the controller must provide the customers with a general description thereof; and
c)    any other information that is necessary and required for fulfilling conditions of personal data processing.

Further, the controller must abide by the following:
1)    process personal data in an honest and lawful manner; 
2)    consider the controls related to designing, changing or developing products, systems and services pertinent to personal data processing;
3)    take appropriate administrative, technical and financial precautions to protect personal data; and
4)    take the precautions necessary to protect personal data against loss, damage, change, disclosure, access thereto, or the inadvertent or illegal use thereof. Such precautions must be commensurate with the nature and the importance of the personal data intended to be protected.
QFC: The Regulations provide that organisations must follow several data protection principles. In order for personal data to be processed lawfully, at least one of the principles established in the Regulations must be met. Article 9 requires data controllers to comply with the Article 8 Principles, which are as follows: 
1)    Lawfulness, Fairness and Transparency 
2)    Specific Purpose 
3)    Data Minimisation 
4)    Accuracy
5)    Storage Limitation
6)    Integrity and Confidentiality of Processing

The processing of sensitive personal data are prohibited unless one of the special conditions set out in Article 12 of the Regulations applies. Article 12(1)(A) requires explicit written consent from the data subject for the processing of sensitive personal data. However, if the processing of such sensitive personal data is required for one of the extraordinary reasons listed in the Regulations (discussed below), written consent may not be needed. Reasons for processing sensitive personal data without written consent from data subjects are as follows:
1)    for the purposes of complying with employment law;
2)    to protect the vital interests of the subject or another individual and the subject is physically or legally incapable of giving their consent;
3)    the processing is carried out by an insurance firm for the purposes of providing a policy for life or health insurance;
4)    the processing is carried out by a not-for-profit entity in the course of its lawful activities and with appropriate safeguards, 
5)    the processing relates to data that the subject has made public;
6)    to establish, pursue or defend a legal claim or when a court is acting in its judicial capacity;
7)    to comply with an obligation imposed on the data controller by law;
8)    to perform a task carried out by any QFC regulatory body in the performance of its functions;
9)    for substantial public interest reasons; or
10)    for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services.
The above requirements do not apply if the data controller has obtained a permit from the Data Protection Office (“DPO”). For the data controller to apply for the permit to process sensitive personal data, the data controller must apply in writing, setting out the following: 
1)    the identity and contact details of the data controller; 
2)    the name, address, telephone number and e-mail address of the person within the data controller responsible for making the application for the permit; 
3)    a description of the processing of sensitive personal data for which the permit is being sought, including a description of the nature of the sensitive personal data involved; 
4)    the purpose of the proposed processing of the sensitive personal data; 
5)    the classes of data subjects being affected; 
6)    the identity of any person to whom the data controller intends to disclose the sensitive personal data; 
7)    to which jurisdictions, if known, such sensitive personal data may be transferred outside of the QFC; and 
8)    a description of the safeguards put into place by the data controller, to ensure the security of the sensitive personal data. 

Mainland: Under the Data Protection Law, privacy obligations apply to any natural or legal person that processes or controls personal data. A distinction under Qatari law is made between a data controller and a data processor. The controller is defined as “the natural or legal person who, alone or jointly with other persons, determines the method and purpose of processing of personal data”, while the processor is defined as “the natural or legal person who processes personal data on behalf of the controller.”

QFC: Pursuant to Article 7 of the Regulations, the privacy obligations apply to the processing of personal data by a data controller and data processor incorporated or registered in the QFC. Further, it also applies to those who are not licensed by the QFC, but through an ongoing arrangement use a QFC-licensed organisation to process the personal data of data subjects.

Under the Regulations, a data controller is defined as an individual or entity that determines the purposes and means of the processing of personal data.

A data processor, on the other hand, is an individual or entity that undertakes the processing of personal data on behalf of a data controller.

Mainland: The Data Protection Law in Article 1 defines the processing of personal data as “conducting one operation or a set of operations on personal data, such as collection, reception, recording, organisation, storage, adaptation, alteration, retrieval, use, disclosure, transmission, transfer, restriction, destruction, erasure, and cancellation.”

QFC: The Regulations define processing as “any operation or set of operations that is performed (whether or not by automatic means) on personal data or on sets of personal data, and includes collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consultation, using disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing and destroying the personal data.”

Mainland: The Data Protection Law provides that a controller shall: 
1)    process the personal data honestly, lawfully, and with integrity; 
2)    process the controls on designing, changing and/ or developing personal data-related products, systems and services; 
3)    adopt appropriate administrative, technical and physical precautions as necessary to protect personal data as determined by the Ministry of Communication and Information Technology (“Ministry”); and 
4)    abide by the privacy protection policies as developed by the Ministry and decreed by the Minister.
The Data Privacy Law does not provide examples of “lawful purposes”, but we understand that it would be something along the lines of obtaining employee information, or retaining and transferring employee information within an organisation.

QFC: As noted above, Article 8 of the Regulations sets out the following principles concerning processing personal data:
1.    Lawfulness, Fairness and Transparency: 
The personal data of a data subject must be processed lawfully, fairly, and
transparently.

2.    Specific Purpose: 
Personal data must be processed only for specific, explicit and lawful
purposes and only in accordance with the relevant data subject’s rights set
out in the Regulations. A data processor must not further process personal
data in a way that is incompatible with those purposes or those rights.

3.    Data Minimisation: 
Personal data that is processed must be adequate, relevant and limited to
what is necessary in relation to the purposes for which they are processed.

4.    Accuracy:
Personal data may be processed only if the data are accurate and up to date.
Reasonable efforts (taking into account the purposes for which the data were
processed) must be made to ensure that personal data that are inaccurate
are erased or corrected without undue delay.

5.    Storage Limitation:
Personal data must be kept in a form that permits data subjects to be
identified but only for as long as is necessary for the purposes for which the
data were processed.

6.    Integrity and Confidentiality of Processing:
Personal data must be processed in a way that ensures that the data are
appropriately secure, using appropriate technical and organisational
measures. In particular, the data must be protected against unauthorised or
unlawful processing and against accidental loss, destruction or damage.

Mainland: The Data Protection Law prescribes a general obligation on controllers and processors to take appropriate security precautions for the protection of personal data under Articles 11 and 13. While the Data Protection Law does not provide specific protection measures, it stipulates that the precautions should be commensurate with the nature and importance of the personal data intended to be protected. Additionally, the processor must notify the controller of any breach of the precautions taken to protect personal data against loss, damage, change, disclosure, access, or their inadvertent or illegal use. Equally, in most cases, controllers are required to notify the Ministry of data breaches. 

The regulatory body in the Mainland is the National Cyber Security Agency (“NCSA”).

QFC: Personal data is regulated under the Regulations and Rules. The Regulations apply to data controllers and data processors established in the QFC, as well as entities outside the QFC, who use a QFC licensed firm to process personal data. 

Personal data can only be processed pursuant to at least one of the lawful purposes set out in Article 10 of the Regulations (as set out in Question 10). 

Data processing must also comply with the core data protection principles set out in Articles 8 and 9.

The regulatory body in the QFC is the DPO.

Mainland: The Data Protection Law does not prescribe a specific retention period for personal data. However, it provides that the controller must verify that the personal data that it collects, or is being collected for the benefit thereof, is relevant to the lawful purposes for which it has been collected and adequate for achieving the same. The controller must ensure such data is accurate, complete, and up to date to meet such lawful purposes. In addition, the controller must not retain any personal data for a period exceeding the necessary duration for achieving lawful purposes.

The controller must provide a user friendly, practical and easily accessible method through which the data subject can withdraw their consent or disable the method for collecting, using, processing or disclosing personal data. The controller must delete the data subjects’ personal data if:
1)    the data subject has withdrawn the consent to process or use their personal data;
2)    the personal data is no longer necessary to provide the services requested by the data subject; or
3)    the customers are no longer subscribed to the service for which the personal data was collected.
The Data Protection Law requires controllers and processors to adopt all necessary precautions to protect personal data against loss, damage, change, disclosure and/ or illegal/inadvertent access thereto and/or use thereof. Precautions so adopted must be commensurate with the nature and the importance of the personal data being protected. 
Controllers are also required to:
1)    develop an internal personal data management system, and report any breach of protection measures thereof; 
2)    appropriately use available technologies to enable data subjects to exercise their rights to directly access, review and correct their respective personal data; and
3)    Conduct comprehensive audits and reviews on the compliance with personal data protection requirements.
However, no specific security protocols or technologies are named in the Data Protection Law.
QFC: The principle of storage limitation is set out in Article 8, which requires personal data to be kept in a form that permits data subjects to be identified but only for as long as is necessary for the purposes for which the data were processed.  
The data must be immediately erased securely once it has served its purpose. A retention period must be established in order to identify how long personal data is required for the specific purposes, so that organisations can ensure that personal data is deleted or anonymised. In some cases, a retention period is placed by other laws and regulations. Organisations must always verify such retention requirements when determining retention periods. 

Mainland: The Data Protection Law gives the data subjects several rights in respect to their personal data, subject to applicable restrictions and exemptions. This includes the rights of the data subjects to:
1)    withdraw consent to the processing of their personal data;
2)    object to certain processing activities;
3)    issue requests for the deletion or correction of their personal data; and
4)    request access to their personal data and related information about how and why it is being processed.
Furthermore, a data subject may, at any time, access their personal data and request revision of the same from the controller. Particularly, a data subject shall have the right to: 
1)    be notified of the processing of their personal data and the purposes for which such processing is to be conducted; 
2)    be notified of any disclosure of any inaccurate personal data; and 
3)    obtain a copy of their personal data after paying a service fee.
The controller also must verify that the personal data being collected is relevant to the lawful purpose and is sufficient for meeting the same. The controller must also verify that such personal data is accurate, complete and up-to-date to meet a lawful purpose.

QFC: The Regulations grant individuals the following rights in relation to their personal data: 
1)    Right to access (Article 16 of the Regulations): to confirm whether their personal data is being processed and to obtain a copy of their data. 
2)    Right to rectification (Article 17): to request the correction of inaccurate data or the completion of incomplete data. 
3)    Right to Erasure (Article 18): to request deletion of personal data in specific cases, such as where:
a)    consent has been withdrawn;
b)    the data is no longer necessary; or
c)    processing is unlawful. 
4)    Right to object (Article 19): to object to the processing of personal data where it is based on:
a)    public interest;
b)    lawful interest; or
c)    direct marketing. 
5)    Right to restrict processing (Article 20): to request restriction of processing in certain situations, such as:
a)    when the accuracy of data is contested;
b)    when the processing is unlawful and the data subject opposes the erasure of the personal data;
c)    the data controller no longer needs the personal data, but the personal data is required by the data subject for a legal claim; or 
d)    when the data subject has objected to processing, and restriction is needed while the controller determines whether its lawful grounds override those of the data subject. 
6)    Right to data portability (Article 21): to receive personal data in a structured, commonly used, and machine-readable format and to request its transfer to another controller, where the processing is based on consent or a contract and carried out by automated means.
7)    Rights in relation to automated decision-making, including profiling (Article 22): to not be subjected to decisions based solely on automated processing that produce legal or similarly significant effects, except where:
a)    necessary for a contract;
b)    permitted by law; or
c)    based on explicit consent.
8)    Right to transparent information and communication (Articles 13–15): to be informed, in clear and plain language, about how their data is collected, used, shared and retained. 

Mainland: Article 4 of the Data Protection Law requires a data controller to obtain the data subjects’ consent before processing their personal data unless the processing is for a lawful purpose. Furthermore, processing sensitive personal data requires prior approval from the relevant authorities (and data subject in most circumstances).

QFC: Article 11 of the Regulations identifies obtaining consent from a data subject as a lawful basis on which to process personal data. Consent expressly allows the data controller to give a data subject the choice and control of how their personal data is treated or used. It gives the data subject full control over personal data when correctly managed. 

The elements of consent are as follows: 
1)    consent must be freely given;
2)    consent must be specific; 
3)    consent must be informed; 
4)    consent must be an unambiguous indication; and 
5)    consent must be as easy to withdraw as it was to provide. 

Mainland: Under the Data Protection Law, the processing of personal data must be for a lawful purpose, and authorisation for the use of personal data is primarily obtained through the explicit consent of the data subject before any processing begins. For sensitive personal data, additional authorisation from the relevant authorities is required. Controllers must clearly inform data subjects of the purposes, methods, and conditions of processing, ensuring that consent is informed, specific, and freely given.

QFC:  Authorisation to use personal data must be based on a lawful basis as set out in Article 10 of the Regulations. 

Processing of personal data is lawful only and to the extent that at least one of the following applies: 
1) the data subject concerned has given their consent to the processing of their personal data for one or more specific purposes 
2) the processing of data is necessary: 
a) to perform a contract to which the data subject is a party; or
b) to take steps at the data subject’s request before entering into a contract;
3) the processing is necessary to comply with an obligation imposed on the data controller by law; 
4) the processing is necessary to protect the vital interests of the data subject or another individual;
5) the processing is necessary to perform a task carried out:
a) in the public interest; or
b) by any of the following in the performance of its functions:
 - the QFC Authority;
 - the QFC Regulatory Authority;
 - the Civil and Commercial Court;
 - the Regulatory Tribunal; and
 - a QFC Institution.
6) the processing is necessary for the purposes of the lawful interests of the data controller or another person to whom the data are disclosed (unless those interests are overridden by the rights and lawful interests of the data subject that require the data to be protected, in particular if the data subject is a child).

Mainland: Cross-border data flows are defined under the Data Protection Law as “enabling access to, view, retrieval, use or storage of personal data without regard to State boundaries.”

Article 15 of the Data Protection Law provides that a data controller should not impose limitations on cross-border data flow unless the processing of such data violates the provisions of the law or may inflict serious damage to the personal data or privacy of the data subject. Further, the Qatari NCSA’s guidelines provide that where personal data are transferred to another country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The transfer of personal data outside Qatar is permissible whenever it is necessary, provided that an adequate level of protection and security for such data must be maintained. The controller must notify data subjects that it intends to transfer their personal data. Data subjects must be notified of where the data collected will be stored whether in Qatar or elsewhere. Data subjects must also consent to this transfer. 

QFC: Under Article 23 of the Regulations, transfers of personal data to jurisdictions listed by the DPO as offering an adequate level of protection are permitted without the need for additional safeguards. However, organisations are still required to ensure that personal data is processed lawfully and securely in these jurisdictions and are advised to regularly monitor the adequacy list, which is maintained by the DPO, in case of any updates or removals. 

For transfers to jurisdictions not included in the adequacy list, Article 24 of the Regulations applies. In such cases, transfers may only take place if one of the following is satisfied: 
1)    appropriate safeguards are in place, such as the use of Standard Contractual Clauses issued by the DPO. These clauses must be incorporated into binding agreements between the parties involved in the data transfer. 
2)    derogations set out in Article 24(3) may apply where: 
a)    the data subject concerned has been informed of the risks and has given their explicit consent to the transfer of their personal data for one or more specific purposes;
b)    the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken at the data subject's request;
c)    the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party; 
d)    the transfer is necessary to comply with a legal obligation of the data controller or data processor; 
e)    the transfer is necessary to protect the vital interests of the data subject or another individual;
f)    the transfer is necessary to perform a task carried out in the public interest;
g)    the transfer is necessary for a QFC body to perform its functions and powers; or 
h)    the transfer is necessary for the establishment, exercise or defence of a legal claim. 
If neither Article 23 nor Article 24(3) can be satisfied, then a data transfer may only take place if there is: 
a)    no repetition or part of a repetitive course of transfers present;
b)    a limited number of data subjects concerned; 
c)    no sensitive personal data involved;
d)    an organisational lawful purpose; or
e)    an assessment of the circumstances surrounding the data transfer, which has determined that suitable safeguards are in place to protect the personal data.

Mainland: The Data Protection Law does not provide a specific legal definition of what constitutes a breach. However, the NCSA Personal Data Breach Notification Guidelines define a “breach” as “a breach of security leading to the unlawful or accidental alteration, destruction, loss, unauthorised disclosure of, or access to, personal data. This includes both accidental and deliberate breaches”. 

QFC: The Regulations define a breach as “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Mainland: Any breach of the requirements of the Data Protection Law pertaining to obtaining, processing and preserving personal data should be reported to the NCSA by the controller. While the controller has to notify the NCSA, if a breach involves a processor, then the processer should provide the controller with the required information in order for the controller to be able to notify the relevant authorities in accordance with the law and guidelines. The controller has to notify the NCSA via the breach notification page on the NCSA website using the Breach Notification Form.
Such breach must be notified to the NCSA within 72 hours of becoming aware of it. This is pursuant to Article 14 of the Data Protection Law and section 6 of the NCSA’s guidelines pertaining to ‘Personal Data Breach Notifications’.
The breach notification must include the following:
1)    details of the nature of the personal data breach, including, to the extent possible, the categories of data subjects concerned, the types of personal data involved and an estimated number of data subjects and personal data records concerned;
2)    the name and contact details of the company’s primary responsible person for privacy-related matters or information on who the NCSA can contact to obtain further information;
3)    a description of the consequences likely to occur due to the personal data breach; and
4)    a description of the action(s) that the controller has taken or proposes to take to address the personal data breach, including, where appropriate, actions to mitigate the possible adverse effects of the personal data breach.
QFC: Pursuant to Article 31 of the Regulations, the data controller must notify the DPO of the breach without undue delay and not later than 72 hours of having become aware of it. The obligation however, does not apply where the data controller has determined that the personal data breach is unlikely to result in a risk to the rights and lawful interests of data subjects. If it is not possible to provide all the breach-related information at the same time, the information may be provided in phases without further undue delay. Where notification is required, the data controller must document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken to enable the DPO to verify compliance with Article 31. 

Additionally, the data controller must consider notifying any affected data subjects of personal data breaches, taking into account the risk to their rights and lawful interests. If a notification to data subjects is given, it must use clear and plain language and must contain information relaying at least:
1)    the nature of the personal data breach;
2)    the likely consequences of the personal data breach; and
3)    a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
As per the Rules, the notification of a breach to the DPO must at least: 
1)    describe the nature of the personal data breach, including the categories of the data subjects affected, the approximate number of data subjects affected and the categories and approximate number of personal data records affected; 
2)    give the name and contact details of a person from whom more information can be obtained;
3)    describe the likely consequences of the personal data breach;
4)    describe the measures that the data controller has taken or proposes to take to address the consequences of the personal data breach, including, if appropriate, measures to mitigate its possible adverse effects; and
5)    if the notification is not made within 72 hours after becoming aware of the personal data breach, give reasons for the delay.

Mainland: Enforcement of the Data Protection Law is the responsibility of the NCSA.

QFC: The privacy regulator is the DPO, which operates under the QFC Authority. 

Mainland: Article 24 of the Data Protection Law imposes significant penalties for certain types of data breaches, with fines of up to QR 5,000,000, reflecting the importance Qatar places on safeguarding the data of its nationals and residents. In addition, under Article 23, failure to report a breach to the NCSA as well as the affected data subjects could result in imposing a penalty up to QR 1,000,000.

QFC: Pursuant to Article 33 of the Regulations, The DPO may take the following measures: 
1.    issue reprimands or orders to rectify any infringements;
2.    impose a temporary or permanent limitation, including a ban, on the processing of personal data; and/or
3.    impose a penalty set out in Article 36 of the Regulations (described below). 

Mainland: Article 22 of the Data Protection Law governs electronic marketing and prohibits sending electronic communications to an individual for direct marketing, unless their prior consent has been obtained. The communications must clearly identify the sender, state that the message is for direct marketing purposes, and provide a valid, easily accessible address through which the individual can request the sender to stop these communications or give consent for future ones.

QFC: Pursuant to the QFC Data Protection Guidelines, electronic marketing is only permitted where the data subject has given clear, informed consent. This applies to marketing via email, SMS, and the use of online tracking tools, such as cookies.

Cookies that are strictly necessary do not require consent. However, analytics, functional, and targeting cookies generally do, as they involve processing personal or behavioral data. Organisations must disclose their use of cookies and provide users with the option to consent or reject them. Individuals also have the right to opt out of marketing at any time. 

Mainland: Although there are no sector-specific privacy requirements in the Data Protection Law itself, the following Qatari laws and regulations regulate the retention of data subjects’ records containing personal data in certain sectors:

•    Article 20 of the Anti-Money Laundering Law, Law No. 20 of 2019 on Combating Money Laundering and Terrorist Financing, which requires financial institutions and certain non-financial businesses and professions to retain all records, documents, instruments, and data collected through due diligence measures (including personal identification documents, account files, business correspondence, and the results of any analyses conducted) for a minimum of ten years from the date the business relationship ends or the occasional transaction or operation is completed.

•    Section 11.3 of the Qatar Central Bank Data Handling and Protection Regulation (Data Handling and Protection Regulation), which requires banks, insurance companies, exchange houses, fintech companies, finance companies, investment companies, and insurance brokers to adhere to data retention periods based on the type of data they handle. Sensitive Financial Information (SFI), which includes financial data linked to a specific customer, such as credit card details, account information, transactions, loans, and credit scores, must be retained for a minimum of ten years. Personal data and Special Personal Information (SPI), which includes personal data that could cause harm if misused, such as financial loss or identity theft, must also be retained for at least ten years.

•    Article 47 of the Labor Law, Law No. 14 of 2004, which requires employers to maintain a file for every employee containing the employee's information and all documents, certificates, decisions, personal data and records of actions related to the employee. Employers must retain an employee's file for at least one year from the employee's end of employment.

QFC: The Regulations and Rules apply to all sectors. 

Mainland:  The Data Protection Law does not impose any requirement to appoint a Data Protection Officer. However, according to Article 8(3), controllers are required to have in place “appropriate administrative, technical and financial precautions to protect personal data.”

QFC: The Regulations do not require the appointment of a Data Protection Officer. 

Mainland: The record-keeping and documentation obligations under the Data Protection Law primarily involve maintaining a Record of Processing Activities (“ROPA”). While not explicitly mandated, a ROPA is considered an essential administrative precaution to demonstrate compliance with various Data Protection Law requirements. Controllers must document what personal data is processed, why and how it's processed, who is responsible, and details of any associated Data Protection Impact Assessments. This includes tracking consent, privacy notices, third-party data sharing, international data transfers, special category data processing, and data breach responses. The ROPA should also include details such as data retention periods, legal grounds for processing, and security measures in place. 

QFC: Article 30 of the Regulations sets out that data controllers must make and retain a written record of all processing of personal data under their responsibility. As per Rule 8 of the Rules, this record must contain: 
1)    identity and contact details of the data controller;
2)    the purposes of the processing;
3)    the lawful basis for the processing;
4)    descriptions of the categories of recipients to whom the personal data have been or will be disclosed;
5)    the categories of recipients to whom the personal data have been or will be disclosed;
6)    if applicable, transfers of personal data to a jurisdiction outside the QFC or to another person, including the details of the jurisdiction or the other person and, in the case of a transfer referred to in Article 24 of the Regulations, the documentation of suitable safeguards;
7)    the envisaged time limits for retention of the different categories of personal data; and
8)    a general description of the technical and organisation measures. 

Mainland: Controllers are required to conduct a DPIA before initiating any new personal data processing or making significant changes to existing processing. It is mandatory when the processing may cause serious harm such as cross-border data transfers, or the use of sensitive data. The assessment must evaluate the nature, amount, and sensitivity of the personal data involved, assess potential risks to individuals, and consider their organisation’s size and resources. 

The controller should determine if the processing can be done with less data, review available protection measures, and decide on safeguards that are proportionate to the risks and the processing activity. It should be completed by individuals with knowledge of the processing and data protection expertise, and who have sufficient authority to approve it. DPIAs must be documented, regularly reviewed, and used to demonstrate compliance with Articles 11 and 13 of the Data Protection Law, which require appropriate technical, administrative, and financial measures to protect personal data.

QFC: Article 27 prescribes that if a type of processing is likely to result in a high risk to the rights and lawful interests of data subjects, a data controller must, before processing, carry out an assessment of the impact that envisaged processing will have on the protection of personal data, through a DPIA. 

The DPIA must be carried out in particular if the following are met:
1)    there is automated processing, including profiling, which leads to decisions that have a legal effect or would otherwise significantly affect the data subject;
2)    processing of sensitive personal data is on a large scale; or
3)    there is systematic monitoring of a publicly accessible area on a large scale.
Additionally, Rule 6 under the Rules provides a list of the standards that must be included in the DPIA, which must at least include:
1)    a systematic description of the envisaged processing operations and the purposes of the processing;
2)    an assessment as to how the processing operations are adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data are processed;
3)    an assessment of the risks to the rights and lawful interests of data subjects; and
4)    the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulations, taking into account the rights and lawful interests of data subjects and other persons concerned.

Mainland: Under the Data Protection Law, the definition of processing encompasses both data sharing and transfers. The Data Protection Law requires controllers and processors to adopt all necessary precautions to protect personal data against loss, damage, change, disclosure and/ or illegal/inadvertent access thereto and/or use thereof, including by third parties. These safeguards must be proportionate to the nature and importance of the information being protected. 

However, if the personal data is being collected directly by an entity situated outside Qatar, then the arrangement will not be subject to Qatar’s Data Protection Law. On the other hand, if a Qatar-based entity first collects the personal data and then transfers it abroad, the Qatari controller and/or processor must ensure that the data is being collected and processed for a lawful purpose, and the controller will have to obtain authorisation from the Ministry before processing and transferring any sensitive data.

QFC: As per Article 28 of the Regulations, data controllers may only appoint data processors that offer sufficient guarantees to implement appropriate technical and organisational measures and protect data subject rights. Controllers and processors must enter into a written agreement meeting the minimum requirements outlined in the Rules. 

Rule 7 requires that such an agreement must, at a minimum, include:
1)    the subject matter, nature, purpose, and duration of the processing;
2)    the type of personal data and categories of data subjects; and
3)    the rights and obligations of the data controller.
The agreement must also require a processor to:
1)    process data only on documented instructions from the controller;
2)    ensure that personnel processing personal data have untaken to maintain confidentiality;
3)    implement appropriate security measures (as per Article 29);
4)    obtain the controller’s permission before engaging sub-processors;
5)    assist the controller in responding to data subject rights requests and meeting obligations;
6)    delete or return personal data once processing ends; and
7)    provide information to demonstrate compliance and allow for audits or inspections.

Mainland: Article 25 of the Data Protection Law provides that legal entities violating its provisions may be subject to fines of up to QAR 1,000,000, without prejudice to any criminal liability that may be imposed on affiliated natural persons.

Law No. 11 of 2004 (“The Penal Code”) imposes criminal liability on persons who publish news or comments relating to a person’s private or family life. This provision could also include where personal data has been leaked.

Furthermore, an amendment to Article 8 of Law No. 14 of 2014 on Combating Cybercrime was recently announced, which adds the following language:
“Anyone who infringes upon the privacy of individuals while they are in a public place, by publishing or circulating images or video clips of them without their consent or in circumstances not permitted by law, through information network or any other information technology, shall be subject to imprisonment for a term not exceeding one year, and by a fine not exceeding (100,000) one hundred thousand Qatari Riyals, or by either of these two penalties.” 

The NCSA has the authority to investigate complaints filed by individuals against the processor for not complying with the Data Protection Law. After completing the investigation, the NCSA may take a decision against the processor, as the case may be, to remedy such violation within a specified time limit. In past cases, certain websites outside Qatar have been blocked in response to consumer complaints within the country.

QFC: Article 33(2)(H) of the Regulations give the DPO the power to impose a financial penalty for infringements of the Regulations. As per Article 36(3) of the Regulations, the maximum fine that can be applied may amount to USD 1,500,000 per provision infringed. This means the total maximum fine is based on the number and nature of the provisions infringed. Where a firm infringes more than one provision, each infringement carries a maximum penalty of USD 1,500,000.

Mainland: The Data Protection Law imposes several requirements for controllers and processors, including that the controller must:
1)    review privacy protection measures before proceeding with new processes; 
2)    determine the processors responsible for the protection of personal data; 
3)    train, and raise the awareness of the processors in the protection of personal data; 
4)    develop an internal system to receive and look into complaints, data access requests and omission/correction requests, and shall provide access thereto to data subjects; 
5)    develop an internal effective personal data management system, and report any breach of such measures; 
6)    appropriately use available technologies to enable data subjects to exercise their rights to directly access, review and correct their respective personal data; 
7)    conduct comprehensive audits and reviews regarding compliance with personal data protection requirements; and 
8)    ensure processors comply with the instructions given, adopt appropriate precautions to protect personal data, and follow through on the same constantly.
QFC: The Regulations require data controllers and processors to maintain ongoing compliance measures and be prepared for regulatory audits or inspections.
This includes:
1)    regularly reviewing DPIAs when processing risks change (Article 27); 
2)    maintaining and updating security measures (Article 29); 
3)    cooperating with the DPO, including providing access to records or systems on request; and
4)    demonstrating ongoing accountability, which involves not only keeping records but ensuring that data protection is embedded in day-to-day operations, policies, and governance structures (Article 9). 

Mainland: There have been no recent developments to Qatar’s primary Data Protection Law. However, regulatory enforcement activity has notably increased, and the NCSA consistently publishes updated guidelines on their official website, providing ongoing clarity and support to organisations regarding compliance requirements and best practices.

QFC: As of now, there have been no enacted changes to the QFC Regulations and Rules. However, in 2023, the QFC Authority issued Consultation Paper No. 5 of 2023, proposing amendments to enhance the current data protection framework. These proposed changes are still pending approval and have not yet come into force.