Data Protection & Privacy 2023

Last Updated March 03, 2023


Law and Practice


GLA & Company is a regional law firm based in the United Arab Emirates providing strategic, cost-effective and forward-thinking legal representation for companies seeking to do business in the Middle East. The firm is proud to hold a diverse portfolio of clients, from start-ups to global enterprises that have an interest in doing business in the Middle East. GLA’s practice consists of a full-service law firm, from simple advisory work to complex contentious and non-contentious matters. With extensive experience advising clients in the key GCC states of Kuwait, Saudi Arabia, Qatar, United Arab Emirates (UAE), as well as Egypt and Lebanon, the firm offers unique insights for companies seeking quality legal services. Data protection & privacy is one area that attracts the firm’s special attention, considering the expansion and revamping of applicable laws and regulations across the GCC in particular.

Qatar first introduced data protection and privacy legislation in 2016, and Qatari Law No 13 of 2016 (the “Personal Data Privacy Protection Law” or DPL) took effect in 2017. Qatar was the first country in the Middle East to introduce a law of this kind. The Compliance and Data Protection Department (CDP) attached to the Ministry of Transport and Communications (MOTC) published guidelines concerning the DPL (the “Guidelines”) in 2021, with the aim of establishing a framework for data protection in the state of Qatar. The DPL applies to personal data that is received, collected, extracted or processed through electronic or traditional methods. The DPL aligns with the universal data protection principles at the core of the General Data Protection Regulation (GDPR) of the European Union.

The fundamental data protection provisions are cross-referenced with the Telecommunications Law promulgated by Decree Law No 34 of 2006, the Electronic Transactions and Commerce Law promulgated by Decree Law No 16 of 2010, Law No 2 of 2011 on Official Statistics (as amended by Law No 4 of 2015) and the Cybercrimes Combating Law promulgated by Law No 14 of 2014. Qatar’s data protection and privacy regime also comprises penalty provisions found in other laws, such as the Penal Code, the Trade Secrets Law, the Qatar Constitution, the Labour Law, the banking regulations issued by the Qatar Central Bank (QCB) and, most recently, the E-commerce Law.

The Data Protection Office (DPO) is an independent institution of the Qatar Financial Centre (QFC). The QFC first enacted data protection rules in 2005. The DPO is charged with administering the QFC Data Protection Regulations 2021 (the “Regulations”) and all aspects of data protection within the QFC.

Separately, Qatar adopted a national artificial intelligence strategy in early 2022 with the aim of achieving its 2030 vision. As a driver for innovation, the Qatari MOTC approved the outline of the strategy in 2019; its main goal was to foster sustainable and innovative economic growth by targeting six main pillars in the state of Qatar: education, data access, employment, business, research and ethics.

The Compliance and Data Protection Department at the MOTC is the key regulator in Qatar, alongside the National Cyber Security Agency (NSCA), which is the competent body for the administration and enforcement of the DPL. It is the key authority conducting investigations into cybersecurity issues, addressing and examining national cyber-risks, and conducting fieldwork to strengthen resilience against cybercrimes and crises.

The DPO is concerned with the data protection framework for QFC. It is the institution charged with providing guidance on all data protection matters or complaints related to the Regulations. The DPO is concerned with the protection of the rights of individuals and ensuring implementation of protection measures for all QFC entities, firms or future investors.


The enforcement process is usually triggered by a complaint filed with the MOTC, which is the competent authority in the state of Qatar. The MOTC will open an investigation in order to verify the complaint and thereafter issue an order binding on the controller or processor.

Enforcement Process: Search, Investigate and Seize

The MOTC will issue a rectification decision, ordering the violating entity to rectify the violation within a fixed period, as per Article 26 of the DPL. The controller or processor has the right to file a “grievance” against such order to the minister within 60 days from the date of notification. The decision issued by the minister related to such grievance shall be deemed final according to Article 26 of the DPL. The judicial officers and/or law enforcement officers designated by the MOTC have the power according to Article 29 of the DPL to seize and document any crimes related to violating the provisions of the law.

Furthermore, at the QFC level, if the QFC DPO finds a contravention or violation of the law by any data controller, a direction would be issued to the data controller requiring it, in accordance with Article 22 of the Regulations:

  • to take, or refrain from taking, any specified step; and
  • to refrain from processing any personal data specified in the direction, or to refrain from processing personal data for a purpose or in a manner specified in the direction.

The national Qatari system is closely modelled on the EU regime and broadly follows the general principles established in the European Union Data Protection Directive (Directive 95/46/EC) and the General Data Protection Regulation (GDPR). It should be noted that, in respect of the GDPR’s application to Qatari entities that have operations or establishments in the European Union (EU), their data processing activities will be subject to the GDPR irrespective of whether or not the processing takes place in the EU.

The Gulf Centre for Human Rights (GCHR) is an independent, non-profit civil society organisation (CSO) founded in April 2011 that works on promoting human rights, including the freedoms of association, peaceful assembly and expression. During its second universal periodic review cycle in 2014, Qatar received 12 recommendations pertaining to free expression, free press and the right to privacy. Amnesty International’s Security Lab led an investigation in 2020 into the security of Ehteraz, the coronavirus tracking application, identifying “critical weaknesses” in its security that exposed sensitive health and other confidential data of many citizens.

In November 2014, Qatar’s MOTC announced a new “Open Data Policy” that aims to create an open and transparent platform where processing, sharing and interpreting information is accessible. The policy is intended to make “non-personal government data” such as crime figures available to the public, and it also institutes a mechanism through which citizens may request information.

Reflecting the Qatari focus on adopting legislation and collaborating with regional players on the implementation of data privacy, an International Telecommunication Union (ITU) Regional Workshop on Cyber Security and Critical Information Infrastructure Protection (CIIP) and Cyber Security Forensics Workshop was held in Doha in February 2008. The workshop focused on addressing threats in cyberspace and developing appropriate tools to combat cyber-attacks. The issue was also discussed at the 15th GCC e-government and e-services forum, held in Dubai in May 2009.

In the state of Qatar, there has also been a growing focus on incorporating artificial intelligence training for judges, and interest in teaching lawmakers about the connection between the rule of law and artificial intelligence. This was promoted in Qatar by UNESCO in 2022.

DPL: Mirroring the GDPR

There is an inextricable link between the DPL and the GDPR, with enforcement in Qatar becoming more effective with the passage of many related laws touching on privacy and data protection, the aim being to stand alongside peer jurisdictions following the same EU omnibus model.

QFC System of DPL

The Regulations for the QFC aim to ensure proper monitoring and regulation of QFC firms in the context of data protection. Some of the most significant amendments introduced in the Regulations, including the establishment of eight main principles for the processing of personal data, mirror those found in the GDPR. The Regulations are inspired by the privacy and data protection principles and guidelines contained in the EU Directive and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The enforcement measures under the DPL are highly similar to those of the EU Directive; however, the enforcement powers and sanctions at the QFC level remain considerably weaker than those under the EU GDPR.

The key changes made to the QFC Regulations in 2021 pave the way for core innovations in data privacy in the state of Qatar. The updates allowed the MOTC to hold companies to higher standards and to impose significant fines in the event of non-compliance. Moreover, the updates introduced purpose specification, data minimisation, new rights and additional transparency obligations for controllers, strengthening Qatar’s position relative to other international enforcement and regulatory bodies. It is thus becoming easier and more flexible for a wide range of companies to store their data locally and operate on local cloud servers.

Another key development concerns the discussions around the assessment of adequate jurisdictions after Schrems II. Following Schrems II, QFC data controllers are now considering the Privacy Shield and all the other circumstances surrounding their data transfers to the US.

Currently, one of the main topics still attracting public attention is related to the Qatari government’s direct access to citizens’ data.

Pending Changes

Currently, there is no freedom of information legislation in the state of Qatar, a step being discussed by most practitioners. In the same vein, the focus is on organisations and employers, who would need to demonstrate that permission was duly received from employees for the assessment and collection of their sensitive and classified personal data.

Critical Discussions

Another hot topic throughout 2022 was the FIFA World Cup held in Qatar and data privacy. Many European regulators stated that the accommodation application Hayya used during the World Cup and the coronavirus tracking application Ehteraz collected data and metadata that are protected by secrecy laws in Germany, France and other European countries. Other examples of current issues include the collection of information regarding COVID-19 vaccinations, psychology tests and IQ tests.

Requirement for Appointment of Privacy Protection Officers

The DPL does not provide for an express obligation falling upon organisations in Qatar to appoint a data protection officer. Nevertheless, there is an obligation on the data controller to specify processors responsible for protecting personal data, train them appropriately on the protection of personal data and raise their awareness in relation to protecting personal data.

Criteria Necessary for Collection and Processing

The collection and processing of data must be conducted in compliance with the DPL. The controller is bound to process data honestly and lawfully. The criteria for the collection and processing of data in the state of Qatar are based on the principle of consent. The data controller, or any other party conducting data processing, is obliged to state a lawful purpose for which the data is being processed, to describe specifically the processing activities and the extent of disclosure of personal data, and to provide any other information deemed necessary for the processing of personal data. These obligations align with the provisions of Articles 8 and 13 of the DPL.

An individual may, at any time, access their personal data and request its review. In the same vein, any individual whose data is being processed or collected has the right to obtain from the data controller, upon request, at reasonable intervals and without excessive delay or expense, confirmation as to whether personal data relating to them is being processed and, if so, information at least as to the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data is disclosed. Beyond the above, no person may request access to personal information held by an authority other than their own personal data.

A practical example illustrating the criteria for collection and processing is the recently discussed collection and tracking of players’ positional data and movements during the FIFA World Cup 2022. Under the DPL, this is considered processing. However, although both the GDPR and the DPL require prior express consent, analysis has concluded that, in the context of the FIFA World Cup, the players impliedly consented to the processing of such personal data by the World Cup organisers.

Hence, the criteria are based on prior express consent, but in certain circumstances (as mentioned above) the collection and processing may rest on implied consent.

Application of the “Privacy by Design and by Default” Concept

The DPL requires controllers to implement appropriate administrative, technical and financial precautions to protect personal data. These precautions must be proportionate to the risk of serious damage to individuals. This is known as Data Privacy by Design and by Default. Data controllers are currently encouraged to integrate privacy tools and techniques into their processing activities and practices, starting from the design stage and continuing throughout the life of the activity. The best known example is data controllers requiring individuals to opt in rather than opt out.

Furthermore, a Data Protection Impact Assessment (DPIA) and a Record of Personal Data Processing are key components of any Personal Data Management System. This aligns with the provisions of Articles 11(1) and 13 of the DPL.

In the state of Qatar, the protection of personal data under the “privacy by design” concept requires the organisation or entity to implement or use built-in products and systems that are privacy-friendly and protect the personal data of each individual concerned.

Implementation of Internal/External Policies and Data Subject Rights

According to the DPL and Guidelines issued in the state of Qatar, organisations and controllers are bound to implement policies and procedures to enable individuals and data subjects to exercise their rights, including the right to withdraw consent and to request erasure or correction of personal data. Data controllers have 30 days to respond to such requests.

Data Subject Rights

It is provided in the DPL in the state of Qatar that the data controller should ensure that the data collected is being:

  • processed fairly, lawfully and securely;
  • processed for specified, explicit and legitimate purposes in accordance with the data subject’s rights and not further processed in a way incompatible with those purposes or rights;
  • adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
  • accurate and, where necessary, kept up to date; and
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected or for which it is further processed.

Fairness and Impact Analysis

The Guidelines issued in the state of Qatar provide for a Data Protection Impact Assessment (DPIA) before undertaking any processing activities. This applies where special or sensitive data is being processed or exported. Organisations could be subject to a fine of QAR1 million (USD275,000) for failing to carry out a DPIA. Moreover, Article 3 of the DPL provides that data processing must be in conformity with the law and the principles of good faith. A permit request should be submitted to the CDP at the MOTC, identifying both the permissible grounds and the “additional conditions” for processing.

In addition, the Guidelines define the process for obtaining a permit. Data controllers should fill out the “Special Nature Processing Request Form”, which must be submitted to the CDP. In the same vein, data controllers will need to submit the relevant DPIA and any other additional information that the CDP may request. Currently, such documents are submitted by email. However, an online portal that would facilitate such submissions is expected to be launched soon.

The Definition of Harm to National Privacy and Data Protection Under the DPL

A personal data breach means a breach of security leading to the unlawful or accidental alteration, destruction, loss, unauthorised disclosure of, or access to, personal data. This includes both accidental (or incidental) and deliberate breaches.

The following are examples of harm or breaches classified as violations to data subject rights:

  • theft or loss of IT equipment containing personal or business sensitive data;
  • inappropriately accessing personal data about customers/staff;
  • leaving confidential/sensitive files that may contain personal data unattended;
  • inadequate disposal of confidential files that may contain personal data material;
  • unauthorised disclosure of client data; and
  • using client data for personal gain.

Personal data breaches often result in adverse impact(s) being suffered by individuals, organisations and/or communities, such as:

  • compromised personal safety or privacy;
  • the burden of additional legal obligation(s) or regulatory penalty(ies);
  • financial loss/commercial detriment;
  • disruption to business or reputational damage; and
  • the inability of individuals to access their data or exercise rights under privacy laws.

The above examples are not exhaustive but are indicative of the types of breaches and consequences against which controllers must put precautions in place for purposes of prevention and mitigation.

Sensitive or Special Data

The DPL in the state of Qatar addresses the concept of sensitive personal data, first introduced within the European Union’s framework on data protection and human rights. The DPL defines sensitive data as any data consisting of information as to a natural person’s:

  • ethnic origin/race;
  • health;
  • physical or mental health or condition;
  • religious beliefs;
  • relationships/marital status;
  • criminal records; and
  • children.

This category of “special” personal data is not available for processing except with the permission of the MOTC.

The DPL does not apply to personal data that is used as statistical data and may also not apply to personal data that is processed in private or family settings. Furthermore, the QFC Regulations provide for a definition of sensitive data to encompass data relating to criminal convictions as well as biometric and genetic data.

Special Overview of Children’s Websites

The DPL obliges all operators of websites targeting children to post specific notifications to users, and the prior explicit consent of a child’s guardian must be obtained. Although the provision refers broadly to websites, it is widely viewed in practice as covering various categories of digital media, including social media applications.

Internet and Online Streaming

Moreover, as regards the internet and online streaming, the DPL together with the Qatari Civil Code provides for a clear restriction against hate speech (and for measures to counter it), against any propaganda concerning political ties, and against any disrespect towards the Emir or any other political, governmental or religious figure.

Specific Overview of Banking Sector

Banks operating in Qatar must take into consideration precautionary measures as follows:

  • raising awareness internally and amongst their service providers;
  • conducting due diligence and reviewing internal policies, disclaimers, consents and agreements to ensure their compliance with the DPL;
  • conducting outreach and implementing technical support mechanisms able to answer any customer concerns;
  • conducting regular training and keeping employees up to date; and
  • reviewing all security measures implemented by the bank and its service providers and assessing whether any further steps can be taken or investments made to protect customer data.

Specific Overview of QFC

The Regulations enhance the rights of data subjects with respect to their personal data as follows:

  • right to withdraw consent;
  • right to data portability; and
  • right not to be subjected to a decision that is based solely on automated processing.

Specific Overview of Health Sector and Private Health Data

Private health data under Article 16 of the DPL includes personal information related to ethnic group, children, physical and mental health or condition, treatment, health security, cause of death, socio-economic parameters regarding health and wellness, historical healthcare background such as diseases or any related information, and personal information collected to provide health services and opinions. The consent of individuals, children’s guardians, or any individual whose coded clinical data is being processed must first be obtained explicitly or by confirmation.

According to the DPL Guidelines, controllers may use “cookies” in the individual’s web browser to target direct advertising messages at the individual. Such cookies should be deployed only after the individual has “opted in”, ie, has clicked “accept” to allow such direct marketing cookies to be deployed in the individual’s browser.

Controllers may collect individuals’ email addresses on a web page of the controller’s website. The controller must make it clear, on the web page, that if the individual provides their email address in that instance, they are providing their consent towards receiving direct marketing emails until they withdraw their consent.

Prohibitions and Limits

Article 22 of the DPL and the Guidelines explicitly prohibit unsolicited direct marketing or marketing communications. Prior consent is required to send electronic marketing communications, including by wired or wireless communication. The DPL requires that the consent be explicit and unambiguous. It is worth noting that implied consent is not recognised under the DPL and will generally be deemed invalid.

The following information must be included in all communications electronically shared:

  • the identity of the sender;
  • an indication that the message is sent for a purpose of direct marketing;
  • a reachable and searchable address; and
  • a communication channel enabling the customer to request withdrawal of their consent and complete cessation of all further communications.

Constraints on Behavioural and Targeted Marketing

The guidelines issued in 2020 provide that the Record of Processing Activities (ROPA) is an important record to maintain, since it documents compliance with personal data requirements in marketing. These requirements cover the following:

  • tracking consent of the users/customers/service takers;
  • communicating notices and managing privacy in general; and
  • monitoring data breaches and notifications.

In the same vein, under Article 23 and/or Article 24 of the DPL, a data controller may be obliged to compensate any individual harmed by a breach of privacy, in addition to any fine imposed. As per the QFC Data Protection Regulations, a data subject has the right to be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for direct marketing, and to be expressly offered the right to object to such disclosures or uses.

Under the DPL, the workplace privacy rules provide a solid framework protecting employees’ privacy. Organisations must therefore provide proof or evidence that they have a permitted reason, as well as an additional condition, to process their employees’ personal data (SISCO systems, telephone or PC monitoring, GPS). Employers will also need to conduct DPIAs when processing employees’ personal data, as the CDP considers this an example of processing that “may cause serious damage”.

The Ministry of Administrative Development, Labour and Social Affairs (MADLSA) on 24 May 2021, launched the first phase of the Unified Platform for Complaints & Whistle-blowers. Through the electronic platform, citizens, expatriates and establishments can file a complaint against entities subject to the provisions of Qatar Labour Law No 14 of 2004 and the Domestic Workers Law promulgated by Law No 15 of 2017 or entities with business regulated by the Ministry of Administrative Development, Labour and Social Affairs.

Process and Complaints Submissions

The Guidelines clarify that required notifications of data breach incidents (to the CDP and affected individuals) must be made within 72 hours. There is currently no requirement in Qatar for data controllers who process personal information to register with the regulator, the NCGAA.

In Qatar, in the event a violation of the DPL occurs, the data subject may file and submit a complaint before the NCGAA. The NCGAA is the competent enforcement authority, and it will investigate the complaint. In the event the complaint is found to be valid, the NCGAA can oblige the data controller or processor to rectify the violation within a specified period.

Potential Enforcement Penalties

As per the DPL, without prejudice to any more severe penalty stipulated by another law, whoever violates any of the provisions of Articles 4, 8, 9, 10 and 11 shall be liable to a fine not exceeding QAR1 million (by virtue of Articles 12, 14, 15 and 22 of the law). Whoever violates any of the provisions of Articles 13, 16 (third paragraph) and 17 of the law shall be liable to a fine not exceeding QAR5 million.

Additionally, a legal entity shall be liable to a fine not exceeding QAR1 million if one of the crimes stipulated in the law is committed in its name and on its behalf, without prejudice to the criminal responsibility of the natural person affiliated with it.

The laws and standards applicable to law enforcement access to data for serious crimes are similar to the GDPR, and the definition of sensitive personal data now includes data relating to criminal convictions as well as biometric and genetic data. Access to data for serious crimes may be carried out by the agency upon judicial approval without obtaining the consent of the concerned individual or entity.

Legal Framework

The state of Qatar has put in place the National Cyber Security Strategy (NCSS), which is essentially a platform for the protection and safeguarding of national interests and rights. The National Information Assurance Policy and the National ICS Security Standard guide the security controls and practices that provide that protection. Qatar’s cybercrime law prohibits offences committed through the internet and IT networks, a major technology regulation that tech companies must take into consideration.

Operational Framework

The Qatari computer emergency response team (Q-CERT) promotes the identification and prevention of cyber-attacks in the government and critical sectors. State-of-the-art facilities, infrastructure and financing support systems for technology-based companies, programmes and start-ups.

Access to Data

Certain exemptions under Article 18 apply to all Competent Authorities in the State of Qatar. A Competent Authority is any central or local government agency or authority; government entity, organisation, association, or agency owned in whole or part; tribunal, court or regulatory or other agency; as well as any pool of assets owned or sponsored by central or local government or as otherwise prescribed in Qatar law or the Guidelines.

Agencies directly connected to the government and intelligence bodies may have direct access to data without judicial approval. This constitutes one of the main privileges of governmental bodies in the state of Qatar. However, if the above-mentioned bodies process such information, they must still abide by all other obligations under the DPL, such as maintaining a record in which the data used for the aforementioned purposes is entered. The conditions, controls and status of entries in such a record shall be specified by a decision issued by the Minister.

The authors have yet to examine the cybersecurity measures taking effect in the Qatari jurisdiction, specifically relating to the use of AI to analyse publicly available data to infer security threats.

The Communications Regulatory Authority (CRA) of Qatar released the Cloud Policy Framework in June 2022. Qatar is not yet a participant in a CLOUD Act agreement with the USA. It is anticipated that Qatar will enter into agreements with trusted foreign countries to facilitate the cross-border transfer of non-personal data where those countries are subject to adequate data protection and cybersecurity standards.

In line with the Qatari vision for 2030, the state and the CRA are expected to implement a cloud-friendly environment in which security levels are defined by the data owners based on the required level of confidentiality, integrity and availability. It is anticipated that encryption keys for all government-classified data shall be stored and managed by the data owner.

Governmental entities in Qatar, as in many countries and jurisdictions, have access to citizens’ and individuals’ personal data. As a precautionary measure, and to comply with global standards, governmental entities or agencies would usually have the discretion to use, transmit or process any information acquired. However, the information shared or processed is classified as confidential.

In the same vein, the governmental entity’s employees and officers are obliged to refrain from disclosing any such information or using it in any way other than to undertake their duties (eg, the Hookom website provides this as a notice to all users). The government’s access to data was a critical topic of discussion amongst practitioners in Qatar during the collection and processing of World Cup fans’ data by government applications.

It is noteworthy that one of the key features of the Telecommunications Law in the state of Qatar is that Article 69 provides that any person who, in the course of their employment in the telecommunications field, or as a result thereof:

  • divulges, spreads, publishes or records all or part of the content of a telecommunications message, without legal authority;
  • hides, alters, obstructs or changes all or part of any telecommunications message that reached the person; or
  • divulges any information concerning users of telecommunications networks or their communications, made or received, without legal authority,

shall be subject to:

  • imprisonment for not more than one year; and/or
  • a fine of up to QAR100,000.

Trans-border data flow is defined under the DPL as accessing, viewing, retrieving, using or storing personal data without border constraints. The DPL provides that data controllers should not take measures or adopt procedures that may restrict or prevent trans-border data flow, unless the processing of such data violates the provisions of the DPL or would cause gross damage to the data subject.

More specifically, the law reserves the right for governmental bodies to determine that this principle, amongst others, does not apply to certain categories of data they process, based on the following grounds:

  • national security;
  • international relations;
  • the economic or monetary interests of the state; or
  • the prevention or investigation of criminal offences.

A trans-border data flow may occur where the data exporter is:

  • performing a task pertaining to the public good;
  • executing a court order;
  • protecting the vital interests of the individual;
  • meeting the objectives of scientific research; or
  • collecting information to investigate a crime when requested by officials.

Qatar is yet to enter into Mutual Legal Assistance Treaties (MLATs) or bilateral treaties to ensure appropriate involvement of the authorities in the countries where the data is stored.

The situation in which a notification or approval would most likely be required to transfer data internationally, or to carry out a cross-border transfer, is in the context of QFC transfers. In principle, the QFC does not maintain a list of “adequate” jurisdictions. However, in certain circumstances, when the recipient country is not deemed to have an adequate level of protection for personal data, a permit for the transfer is essentially required, and the data controller must apply certain safeguards in accordance with Article 10(1)(a) of the QFC DPL.

From an operational perspective, according to the CRA it is no longer necessary for data to be stored “on-premises” or “locally”. Instead, organisations should implement security measures such as encryption, anonymisation and aggregation at predefined secure hubs (regions/availability zones), which are more efficient than localisation. According to the Cloud Policy Framework issued in the state of Qatar, data residency is no longer a requirement, as data classification schemes and security and encryption technologies now provide a high level of protection controls.

Independent audit reports must verify that Cloud Service Providers (CSPs) adhere to security controls and international standards such as ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. Technical details being shared with the government may be seen within the next few years.

It has been noted that these are newly discussed concepts, but it is anticipated that data localisation may be required for extremely sensitive data only, and that this would constitute one of the limitations on an organisation collecting or transferring data in connection with foreign government data requests or foreign litigation proceedings. The Cloud Policy Framework (CPF) issued in June 2022 will pave the way for more concrete considerations relating to the above-mentioned circumstances and operations.

Pursuant to Article 15(3) of the QFC DPL, a data subject has the right to require and obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense, as appropriate, the rectification, erasure or blocking of personal data the processing of which does not comply with the law.

The virtuous cycle enabling the AI revolution is composed of generated big data, computing power and algorithms. According to the National Artificial Intelligence Strategy in Qatar, more than 94% of the Qatari population uses the internet.

AI methods tend to acquire “black box” characteristics. This may lead to the complete dismissal or neglect of the principles of fairness, accountability and transparency that are vital for data privacy. It is noted that AI algorithms will inherit any biases embedded in their training data, and mechanisms are required to guarantee outputs that are consistent with Qatari norms.

Profiling, microtargeting and online manipulation are all part of a bigger scheme in which many technology companies treat users and customers as end-products. As much as the principles of transparency, accountability and purposefulness are carved into the Qatari DPL and Guidelines, Qatar is yet to implement effective measures in practice to achieve its ambitions regarding cybersecurity protections and dealing with big data analytics, automated decision-making and AI sub-branches.

The MOTC in the state of Qatar may, in certain circumstances, co-ordinate with any professional group or association, and any other association representing controllers or website operators, for the purpose of encouraging and developing self-organisation, raising awareness of the DPL, and developing training and learning programmes. Digital governance is something yet to be examined in the Qatari jurisdiction.

According to Article 11(7) of the DPL, data controllers are obliged to carry out comprehensive audits and reviews of the extent of their compliance with the DPL. Currently, nothing in the law provides for class actions or collective redress.

According to the Guidelines, specifically in relation to data processors and data controllers, the contract between them must include obligations on the processor to assist the controller with audits and reviews of its compliance with the DPL. Such obligations include:

  • permitting the controller, or an auditor appointed by the controller, to audit compliance with its obligations under the DPL;
  • that the processor will contribute to such audits where required;
  • which party will be financially responsible for such audits; and
  • that the processor will make available all information as is required to show its compliance with the DPL.

The auditor shall plan and perform a certification audit in two phases:

  • Design Assessment – a preliminary assessment and verification that controls have been designed, documented, approved and communicated to relevant parties; and
  • Operating Effectiveness Assessment – the final assessment, verifying that the designed controls operate as intended.

In corporate transactions, entities need to gather information and assess the steps that should be taken to become compliant. The issues relevant to conducting diligence in corporate transactions arise when assessing the gaps between the different jurisdictions involved in the transaction, especially when reviewing cross-border provisions. Typical issues include the violation of non-disclosure provisions or the disclosure of unnecessary information during the due diligence.

According to the NCSA Guidelines, organisations must act on the basis of a risk-based approach. Currently, publicly traded companies are not obliged to disclose cybersecurity incidents or to make periodic disclosures about their cybersecurity policies and procedures. There is no provision in the DPL providing for such an obligation or disclosure duty, except for financial disclosure.

The competition law and consumer protection law in Qatar converge on many aspects related to the DPL: specifically, for example, service providers shall ensure that customer information and customer communications are protected by security and technical safeguards that are appropriate to their sensitivity. It is prohibited under competition law to divulge any information or data relating to the implementation of the provisions of the Competition Act, or to use such information for purposes other than those permitted under the law. Furthermore, according to the telecoms law, the customer has the right to erasure and may request that their information and personal data be erased.

One of the key issues arising in relation to the implementation of the DPL, and the constant innovation being witnessed in the digital field, is the use of social media platforms and the increasing impact these platforms are gaining in the Qatari jurisdiction as well as around the globe. The Qatari system’s treatment of the concurrent and fast developments in this area has yet to be seen. It is anticipated that many bilateral and multilateral agreements will be concluded with Qatar in the coming years, regionally and internationally, specifically relating to judicial assistance and cloud computing and deployment systems.

GLA & Company

Suad Commercial Complex
Third Floor
Fahad Al Salem Street
