New regulatory guidelines on Law No. 13 of 2016 concerning the Personal Data Protection Law
Qatar was one of the first countries in the Middle East to introduce a standalone data protection law. The Personal Data Protection Law (the “PDPL”) was issued more than four years ago. The PDPL incorporated concepts familiar from other international privacy frameworks at the time. In November 2020, the Compliance and Data Protection Department (CDP) of the Ministry of Transport and Communications issued 14 regulatory guidelines on the PDPL. Notably, the guidelines introduced new concepts that are not expressly addressed in the PDPL. Many of these concepts are aligned with principles in the EU General Data Protection Regulation, which came into force in 2018. These include requirements for controllers to carry out data privacy impact assessments and to maintain records of processing activities.
The guidelines are likely to be a precursor to increased enforcement activity by the CDP. Compliance with these new measures may require substantial effort from organisations doing business in Qatar, depending on their current internal data protection policies and procedures, and failure to comply could lead to fines of up to QAR 5,000,000 (USD 1,370,000).
There are currently 14 guidelines covering a range of different privacy compliance issues. The guidelines are intended to clarify obligations under the PDPL and, in many cases, they go further by introducing new requirements.
Organisations need to consider incorporating the following into their business practices to ensure continued compliance:
Third party processors: There are enhanced requirements in the guidelines to carry out due diligence on data processors and put in place adequate contracts to regulate how they process personal data.
Personal Data Management System: The PDPL introduces the new concept of a Personal Data Management System (PDMS) that must be implemented by organisations to effectively manage the personal data that they process and to report any violations of procedures and controls.
Privacy notices: The new guidelines are more prescriptive on the information that should be included in a privacy notice, which may require organisations to update existing policies and forms.
Record of processing activities: Data controllers now need to maintain a record of processing activities (ROPA) and ensure that any departments which process personal data are informed and trained on how to update the ROPA.
Special nature personal data: Authorisation from the CDP is required to process any data of a “special nature”, which includes data relating to health, religion, criminal convictions and children.
Data subject requests: Organisations must implement appropriate policies and procedures to enable individuals to exercise their rights, including the right to withdraw consent and to request erasure or correction of personal data. Data controllers have 30 days to respond to such requests.
Data breach notification: The guidelines clarify that required notifications of data breach incidents (to the CDP and affected individuals) must be made within 72 hours.
Data Privacy Impact Assessments: The PDPL does not expressly refer to a requirement for controllers to conduct a Data Privacy Impact Assessment (DPIA). However, the guidelines now make it a requirement to conduct a DPIA before undertaking new processing activities, particularly in the case of prospective data exports or the processing of special nature personal data. Organisations could be subject to a fine of QAR 1,000,000 (USD 275,000) for failing to carry out a DPIA.
Privacy by design and default: Organisations must embed privacy into their processing activities and business practices, from the design stage and throughout their lifecycle. The guidelines include a number of recommendations on how to achieve this.
Direct marketing: The guidelines clarify that consent for direct marketing communications must be explicit, unambiguous and a clear, affirmative statement. It should also be easy for individuals to withdraw their consent. Previous methods of inferring consent, such as pre-ticked boxes or implied consent, may no longer be considered valid.