March 28th, 2023 Legal Updates

Qatar Data Privacy – Between Recurrent Change

The state of Qatar did abide by the saying “do not go where the path may lead. Go instead where there is no path and leave a trail”. During 2018, the state of Qatar went through a major development in the data protection sector and practice, that became the first on its own amongst the GCC jurisdictions to issue and implement Law No. (13) of 2016 concerning personal data protection (the “Data Protection Law”).

The state of Qatar became the first member state to issue a generally applicable Data Protection Law. It became supplemented and complemented by a set of regulatory guidelines issued by the National Cyber Governance and Assurance Affairs (“NCGAA”) of the National Cyber Security Agency (“NCSA”) and the Guidelines (the “Guidelines”) issued by the Compliance and Data Protection Department (the “CDP”) at the Ministry of Transport and Communications (the “MoTC”).

Furthermore, Qatar Financial Center (“QFC”) issued amended Regulations (the “Regulations”) in 2021 that provides a separate regime that applies to entities licensed by the QFC. We will tackle in this article the main rights of data subjects, the current challenges and changes, data transfers and digital development and our recommendations for organizations to comply with data protection in this jurisdiction.

Mirroring of the EU General Data Protection Regulations (“GDPR”)

The Data Protection Law and the QFC Regulations incorporate concepts from EU privacy frameworks and introduce guidelines that provide a mechanism for which those subject to the data protection law may understand.

General FAQs That Are Relevant to Data Controllers, Data Processors And Data Subjects Within The State Of Qatar

A.  What type of data is covered under the law?

The Data Protection Law applies to personal data when this data is processed electronically and obtained, collected or extracted in any other way in preparation for electronic processing or is eventually being processed by combining electronic processing and traditional processing.

B.  What are the rights of data subjects under the Data Protection Law?

The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the Data Protection Law.

According to the Data Protection Law in Qatar, an individual may, at any time, have access to his personal data and request its review, in the face of any observer, and in particular has the right to:

  • Notify him of the processing of his personal data and of the purposes for which such processing is being carried out.
  • Notify him of any disclosure of inaccurate personal data about him.
  • Obtain a copy of his personal data after paying an amount not exceeding the amount of the service.

The Data Protection Law further addresses the sensitive personal data which aligns with GDPR provisions. The sensitive personal data consists of information pertaining to a natural person’s ethnic origin, health, physical or mental health, religious beliefs, relationships or criminal records.

C.  What are the main principles those keeping personal data must comply with?

The controller shall abide by the following:

  • Process personal data honestly and lawfully. The purpose of the data protection processing should be lawful in accordance with the law.
  • Consider the restrictions for designing, changing or developing products, systems and services related to the processing of personal data.
  • Take appropriate administrative, technical and material precautions to protect personal data, as determined by the competent department.
  • Privacy protection policies, set by the competent department, and a decision issued by the Minister of Transport and Communication.
  • As well, the controller may not process personal data, except after obtaining the consent of the individual, unless the processing is necessary to achieve a legitimate purpose of the controller or the third party to whom the data is sent.
D.. What are the rules around consent to use personal data in marketing?

As per the Data Protection Law, it is prohibited to send any electronic communication for the purpose of direct marketing to an individual, except after obtaining his prior consent. The electronic communication must include the identity of its originator, and what indicates that it was sent for direct marketing purposes. It must also include a valid and accessible address, through which the individual can send a request to the originator to stop these communications or withdraw his consent to send them.

In fact, the guidelines issued in 2020 provide that the Record of Processing Activities “ROPA” is an important record to be implemented, since it covers compliance with personal data in marketing requirements. These requirements vary between (i) tracking consent of the users/customers/service takers, (ii) communicating notices and managing privacy in general, (iii) monitoring data breaches and notifications. In the same vein, according to article 23 and/or article 24 of the Data Protection law, it is stipulated that a data controller could be obliged to compensate any damaged individual for any breach of privacy conducted with a fine.

And as per the QFC Data Protection Regulation, a Data Subject has the right to be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.

Current Challenges and Changes

The current challenges and changes revolve around the Artificial intelligence and the incorporation of cloud policy in the state of Qatar that will enhance organizational operations but at the same time may constitute high risks for data protection breaches. This is a current discussion in the state of Qatar around cloud policy and is yet to be seen how the national policy will impact businesses as well as data transfers and data retention in general.

Recommendations For Organizational Compliance

Compliance with data privacy and protection laws, such as the Qatar DPL, comes with a certain set of challenges and compliances. For instance, unstructured data cause organizations to lose sight of personal data and sensitive personal data. The lack of visibility into such insights becomes a challenge for organizations to operationalize individuals’ rights management, consent management, or breach notification management.


In our years of experience in enabling organizations to streamline their business processes around data privacy laws and regulations, we’ve found the following best practices highly effective and efficient:

  • Classifying personal and sensitive data;
  • Management of high-volume personal data collected or processed;
  • Conducting routinely data protection impact assessments;
  • Monitoring and examining the risks of breaches or violations in any organization; and
  • Using effectively records of processing activities and automation tools in business related operations.

How can GLA help:

GLA & Company’s lawyers and consultants have extensive expertise across the region and are without a doubt qualified to assist and support.

Authors: Yousef Al Amly, Partner and Rana Moustafa, Associate

For further information, please contact Alex Saleh ( and Yousef Al Amly (