Qatar introduced Law No 13 of 2016 on Protecting Personal Data Privacy (the “Personal Data Privacy Protection Law”, or PDPPL), which took effect in 2017.

The PDPPL applies to personal data when it is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or processed via a combination of electronic and traditional processing. The PDPPL aligns with, but is not as stringent as, the universal data protection principles that were established as the core of the European Union’s General Data Protection Regulation (GDPR). The PDPPL explicitly excludes personal data processed by individuals within a private or family scope.

The PDPPL establishes key definitions central to its application: “Personal Data” is defined as data of an individual whose identity is defined or can be reasonably defined whether through such personal data or through the combination of such data with any other data. “Personal Data Processing” encompasses a broad range of activities including gathering, receipt, registration, organisation, storage, preparation, modification, retrieval, usage, disclosure, publication, transfer, withholding, destruction, erasure and cancellation. “Cross-Border Data Flow” means accessing, watching, retrieving, using or storing personal data without restrictions of the State’s borders.

The Compliance and Data Protection Department (CDPD) attached to the Ministry of Communications and Information Technology (MCIT) (previously known as the Ministry of Transport and Communications) published guidelines concerning the PDPPL (the “PDPPL Guidelines”) in 2021, with the aim of providing a framework for data protection in Qatar. The National Cyber Security Agency (NCSA) has also issued the Guidelines for Secure Adoption and Usage of Artificial Intelligence, which provide guidance on how to securely deploy AI systems while complying with PDPPL requirements.

The PDPPL was enacted after perusal of the Constitution and operates alongside several related laws. The preamble to the PDPPL explicitly references the following foundational legislation:

• the Telecommunications Law promulgated by Decree Law No 34 of 2006;
• the Electronic Transactions and Commerce Law promulgated by Decree Law No 16 of 2010;
• Law No 2 of 2011 on Official Statistics (as amended by Law No 4 of 2015); and
• the Cybercrimes Combating Law promulgated by Law No 14 of 2014.

Qatar’s data protection and privacy regime is also composed of provisions relating to penalties in other laws, such as:

• the Penal Code promulgated by Law No 11 of 2004;
• the Trade Secrets Law promulgated by Law No 5 of 2005;
• the Qatar Constitution;
• the Labour Law promulgated by Law No 14 of 2004; and
• the Qatar Banking Regulations issued by the Qatar Central Bank, governed by Law No 13 of 2012.

While these laws supplement data protection and privacy laws in Qatar, the PDPPL is the detailed framework for the protection of personal data in Qatar.

Qatar operates a dual legal system for data protection. In addition to the “mainland” or “State” system and the PDPPL described above, there is a separate legal data privacy protection regime in the Qatar Financial Centre (QFC). The QFC is a business and financial hub in Qatar that provides a legal, regulatory and tax environment distinct from “mainland Qatar”. It operates under its own legal framework and has its own independent judiciary. The key data protection legislation for the QFC is the QFC Data Protection Regulations 2021 (the “QFC Regulations”).

The Data Protection Office (DPO) is an independent institution of the QFC. It is charged with administering the QFC Regulations and all aspects of data protection within the QFC. Entities operating within the QFC are subject to the QFC Regulations rather than the PDPPL, creating a distinct regulatory environment for financial services and related businesses.

Extraterritorial Reach

The PDPPL does not contain explicit provisions regarding extraterritorial application. Unlike the EU’s GDPR, which expressly extends to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, EU residents, the PDPPL is primarily focused on processing activities within Qatar. However, the law’s provisions regarding Cross-Border Data Flow indicate that controllers should not take any decision or measure that may limit cross-border data flow, unless the processing of such data is in breach of the law or may cause serious damage to personal data or to the individual’s privacy.

Governmental exemptions under Article 18 of the PDPPL permit certain processing activities without compliance with specific provisions for purposes of national security, international relations, economic or financial interests of the State, and prevention or investigation of criminal offences.

Interplay With Cyber and AI Laws

The PDPPL operates in conjunction with the Cybercrimes Combating Law. The NCSA is responsible for enforcement of both cybersecurity and data protection matters, and all data breaches should be reported to the NCSA.

The NCSA’s Guidelines for Secure Adoption and Usage of Artificial Intelligence address critical risks such as privacy violations, AI bias, security vulnerabilities and compliance challenges, particularly in sectors where AI processes personal data (such as finance, healthcare and law enforcement). AI systems must comply with PDPPL requirements for data minimisation, purpose limitation and lawful processing. AI models must incorporate auditability, traceability and documentation requirements. Additionally, the Qatar Central Bank has issued guidelines to ensure the ethical use of AI in the financial sector, mirroring PDPPL safeguards regarding data collection, processing purposes, transparency and explicit consent requirements.

Personal data must be processed lawfully, fairly and transparently, and only for specific, explicit and legitimate purposes. Processing must be limited to what is adequate, relevant and proportionate to the stated purpose, and data must be accurate, complete and kept up to date.

As a general rule, processing requires the prior consent of the data subject, which must be informed and specific.

Personal data may not be retained for longer than necessary to achieve the purpose of processing, subject to any mandatory legal retention obligations. Data controllers are required to implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, loss or destruction. These security and confidentiality obligations are reinforced under the Telecommunications Law and the Cybercrimes Combating Law.

The processing of sensitive personal data, such as health-related information, is subject to enhanced safeguards and typically requires explicit consent or express legal authorisation.

The cross-border transfer of personal data outside Qatar is restricted unless the recipient jurisdiction ensures an adequate level of protection, approval is obtained from the competent authority, or a statutory exception applies.

Data Subject Rights

Under the PDPPL, data subjects are afforded a number of core rights, including:

• the right to be informed of the collection and processing of their personal data;
• the right of access to personal data held about them;
• the right to rectification of inaccurate or incomplete personal data;
• the right to erasure of personal data where it is no longer necessary or is unlawfully processed, subject to legal retention requirements;
• the right to object to certain types of processing; and
• the right to withdraw consent at any time where processing is based on consent.

In addition, the Telecommunications Law protects the confidentiality of communications and related data, subject only to lawful disclosure or interception.

Organisations operating in Qatar and processing personal data should focus on the following core compliance measures:

• Identify and document processing activities: Map personal data flows, purposes of processing, categories of data subjects, and any third-party disclosures.
• Establish a lawful basis for processing: Ensure that each processing activity is supported by valid consent or a recognised statutory exemption.
• Implement transparency measures: Prepare and maintain clear privacy notices informing data subjects of how their data is processed.
• Put in place data security controls: Adopt appropriate technical and organisational safeguards proportionate to the nature and sensitivity of the data.
• Manage data subject rights: Implement procedures to receive, assess and respond to access, rectification, erasure and objection requests.
• Control data retention: Define and apply retention periods and ensure secure deletion once data is no longer required.
• Assess cross-border transfers: Review any transfers outside Qatar and ensure that legal requirements and approvals are met.
• Prepare for incidents and enforcement risk: Establish internal escalation and response procedures for data breaches and cyber incidents.

Under Qatari law, special categories of personal data – also referred to as sensitive personal data – include information relating to a person’s ethnic origin or race, physical or mental health, religious beliefs, relationships or marital status, criminal records and children. In the QFC, this definition additionally covers biometric data, genetic data and data relating to criminal convictions.

Processing of such data is generally prohibited unless prior approval is obtained from the MCIT or, in the QFC, a specific written permit from the Data Protection Officer (DPO). To obtain this permit, the data controller must provide details of the processing, its purpose, the categories of data subjects affected, any intended recipients, cross-border transfers, and the safeguards implemented to ensure security.

Sensitive personal data must be processed with explicit consent where no statutory exception applies, and organisations must implement enhanced security and confidentiality measures. The PDPPL and related regulations also require purpose limitation, data minimisation, accuracy, and limited retention of such data.

Processing data relating to minors requires additional care, typically involving parental or guardian consent, and full transparency regarding the processing purpose and safeguards.

Processing data relating to criminal convictions or offences is strictly controlled, allowed only under statutory authority, under legal requirements or with explicit consent, and subject to strong safeguards to prevent unauthorised access or disclosure.

In all cases, the processing of sensitive data carries heightened procedural and security obligations, and non-compliance may result in administrative, civil or criminal liability.

Under the PDPPL, companies providing products or services used by healthcare providers may process personal data, including patient data, only where such processing is based on the data subject’s consent or is necessary to achieve a lawful purpose (Article 4). The PDPPL does not expressly regulate or define “anonymisation”. However, to the extent that data is processed in a manner that no longer allows identification of an individual, such data would fall outside the scope of the PDPPL.

Where patient data constitutes personal data of a special nature (including health data), processing – including for product development or scientific research – requires prior permission from the competent authority, and may be subject to additional safeguards (Article 16). The PDPPL provides a limited exemption permitting processing for scientific research conducted in the public interest, subject to the conditions and controls set out in the Law (Article 19).

Qatar has not enacted legislation equivalent to the European Health Data Space Regulation, and there is no specific health-data governance framework comparable to the EU regime. Accordingly, the European Health Data Space Regulation has no direct legal impact in Qatar, and life sciences companies operating in Qatar must comply with the PDPPL rather than EU-style secondary use or data-sharing obligations.

Under the PDPPL, the use of personal data in AI systems must comply with the same personal data protection obligations that apply to any processing of personal data: lawful purpose, transparency, consent or necessity, data minimisation, and appropriate safeguards against unauthorised access or misuse. These general principles are the core legal requirements for AI-related data processing under Qatari law.

Qatar has not yet enacted a standalone AI data protection law, but there are emerging policy and guidance developments that shape how AI systems handling personal data should operate:

• The PDPPL’s framework itself requires controllers to process personal data only for lawful and specified purposes and to respect data subject rights, which by extension applies to AI systems that use personal data.
• Qatar’s national AI guidelines and policies (eg, the AI Guidelines for Developers issued by the MCIT) explicitly emphasise that organisations must respect personal data protection and privacy obligations under the PDPPL when designing or deploying AI systems. These guidelines reinforce the need to ensure that personal data is not exposed or published without lawful basis and that users can flag privacy issues.

• Sector-specific guidance, such as financial sector AI guidelines, mirrors PDPPL principles by requiring that AI systems only collect and process personal data necessary for their function and that individuals are informed about how their data is processed by AI.
• Broader national initiatives (including Qatar’s regulatory landscape for AI) are moving towards comprehensive governance frameworks, with AI ethics and data protection principles layered on top of the PDPPL for responsible AI adoption across sectors.

There is no risk-based classification, prohibited high-risk categories or binding AI regulation akin to the EU’s AI Act in Qatar’s PDPPL. Instead, all AI-related processing of personal data must simply align with the PDPPL’s core standards of lawful processing, transparency, purpose limitation and safeguards, with any higher-risk processing (such as sensitive personal data) requiring prior authority approval per Article 16 of the PDPPL.

A personal data breach under Qatari law occurs when there is a breach of security leading to the unlawful or accidental alteration, destruction, loss or unauthorised disclosure of or access to personal data. Breaches may be deliberate or accidental, and can affect both individuals and organisations.

Examples of breaches include:

• theft or loss of IT equipment containing personal or sensitive data;
• unauthorised access to customer or employee data;
• leaving confidential files unattended;
• inadequate disposal of documents containing personal data; and
• unauthorised disclosure or use of client data for personal gain.

Requirements and actions for organisations:

• Immediate containment and assessment: Identify the nature, scope and potential impact of the breach.
• Notification to the competent authority: Under the PDPPL, report serious breaches to the MCIT, or, in the QFC, to the DPO.
• Notification to affected data subjects: Notify affected data subjects where the breach is likely to result in significant risk to the rights and freedoms of data subjects.
• Documentation and record-keeping: Maintain records of the breach, causes and corrective measures taken.
• Mitigation and corrective measures: Implement technical and organisational safeguards to prevent further breaches, including access controls, encryption, secure disposal and staff training.
• Post-incident review: Update policies and procedures to prevent recurrence.

Consequences and Regulatory Oversight

Breaches can result in financial loss, reputational damage, legal liability or disruption to operations.

Under the PDPPL and Cybercrimes Combating Law, the MCIT or DPO may investigate breaches, impose administrative fines or, in cases of deliberate misconduct, initiate criminal proceedings.

The CDPD at the MCIT is the key regulator in Qatar, and the NCSA is the competent department for administration and enforcement of the PDPPL. It is the key authority for conducting investigations regarding cybersecurity issues, implementing and examining issues related to national cyber-risks, and conducting fieldwork solidifying resilience against cybercrimes and crises. All data breaches should be reported to the NCSA.

In the QFC, the DPO is concerned with the data protection framework. It is the institution charged with providing guidance on all data protection matters or complaints related to the QFC Regulations. The DPO is concerned with the protection of the rights of individuals and ensuring implementation of protection measures for all QFC entities, firms or future investors.

The enforcement process is usually triggered by a complaint filed before the NCSA, which is the competent authority in the State of Qatar. The NCSA will commence an investigation process in order to verify the veracity of the complaint; thereafter, if warranted, it will issue a judicial order binding the controller or processor in line with its powers under the law.

The competent department, as listed in the PDPPL, will issue a rectification decision, ordering the violating entity to rectify the violation within a fixed period, as per Article 26 of the PDPPL. Previously it was understood that the competent department was the MCIT; however, recently the NCSA clarified that this department was not yet designated. The controller or processor has the right to file a “grievance” against such order to the relevant minister within 60 days from the date of notification. The decision issued by the minister related to such grievance shall be deemed final, according to Article 26 of the PDPPL. According to Article 29 of the PDPPL, the judicial officers and/or law enforcement officers designated by the NCSA have the power to document any offences and to seize any related materials, equipment or evidence in accordance with applicable procedure related to violations of the provisions of the law.

Furthermore, in the QFC, if the DPO determines a contravention or violation of the law by any data controller, a direction would be issued to the data controller to undertake the following, in compliance with Article 22 of the QFC Regulations:

• to act or omit from performing any step; and
• to refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction.

In the past 24 months in Qatar, there have been no widely reported, publicly available enforcement actions specifically under the PDPPL. Data protection enforcement in Qatar tends to be handled administratively by the competent authority rather than through public court judgments, and details of specific sanctions or enforcement decisions are generally not published publicly.

Practical takeaways for organisations:

• Treat PDPPL compliance as a proactive regulatory requirement, not a reactive one, even in the absence of public enforcement actions.
• Ensure lawful bases for processing, implement appropriate security safeguards and maintain documentation of processing activities.
• Establish internal mechanisms to handle data subject rights and potential complaints to the competent authority.
• Recognise that enforcement may occur administratively, and organisations should be prepared to respond to audits, investigations or directions from the authority.

Privacy and data-related litigation in Qatar remains limited and is not public. There is no publicly available body of case law showing a discernible trend in privacy or data protection disputes before the courts in the past 24 months. As a result, there is no clear pattern as to claimant types, causes of action, or remedies specifically grounded in data protection or privacy breaches. While the PDPPL provides a statutory framework for personal data protection and contemplates sanctions for violations, reported judicial decisions applying these provisions in civil litigation are scarce, and privacy litigation can be considered to be at an early stage in the jurisdiction.

There are no publicly reported court decisions in Qatar that have materially shaped a framework for privacy or data protection litigation comparable to landmark case law in other jurisdictions. In practice, the interpretation and application of data protection obligations are primarily driven by the statutory provisions of the PDPPL and guidance issued by the competent authority, rather than by judicial precedent. Consequently, there are no established judicial standards equivalent to those developed through EU-level case law.

Under the PDPPL, there is no collective or representative redress mechanism for privacy or data protection claims. The PDPPL provides for an individual complaint mechanism only, whereby an individual may file a complaint with the competent department in the event of a violation of the Law, and the competent department may investigate and issue a binding decision requiring the controller or processor to rectify the breach (Article 26). The PDPPL does not contemplate group actions, representative claims or collective proceedings, and there have been no legislative developments introducing collective redress frameworks for data protection matters in Qatar.

Under Qatari law, there is no specific legal regime governing non-personal data akin to the EU Data Act or comprehensive cross-sector data-sharing frameworks for the Internet of Things (IoT), cloud computing, big data or similar services.

At present, there is no dedicated law, case law or published guidance in Qatar that establishes a cross-sector non-personal data governance framework, data access sharing rights for non-personal data holders and users, or obligations similar to the EU Data Act. The available legal instruments focus on the protection of personal data and related processing obligations.

Some policy documents such as government data management or data-sharing policies (eg, initiatives for inter-agency data exchange) exist in the public sector and envisage structured sharing of non-personal data among government entities under agreed standards and conditions (eg, through a central data exchange platform), but these are policy/operational instruments rather than standalone statutory laws and do not create statutory rights analogous to EU data governance laws.

Qatar has not yet enacted legislation similar to the EU Data Act, and there is no public indication of an imminent data governance law specifically for non-personal data comparable to the EU framework.

In practice therefore, organisations in Qatar that handle non-personal data rely on sector-specific rules and contracts (eg, cloud service agreements, telecom or banking security standards) and any applicable government data policies when sharing or using such data, but there is no overarching legal regime specifically governing non-personal data at present.

The PDPPL is closely linked to other Qatari laws regulating cybersecurity and digital transactions. The NCSA enforces cybersecurity laws and plays a role in ensuring personal data protection in AI applications and IoT services. The Telecommunications Law and Cybercrime Law impose additional restrictions on electronic data processing and cybersecurity threats.

Under the PDPPL, the statutory rights and obligations apply only to personal data. The PDPPL does not regulate non-personal data, and therefore does not establish rights or obligations relating to the use, sharing, portability, interoperability, switching, termination, FRAND access  or mandatory data sharing in respect of non-personal data.

In relation to personal data, the PDPPL grants individuals core rights, including the right to be informed of processing and its purposes, the right to access and obtain a copy of their personal data, the right to request correction of inaccurate data, the right to object to processing where it is not necessary for a lawful purpose, the right to withdraw consent, and the right to request erasure where the purpose for processing has ceased or no longer exists. The PDPPL does not provide for data portability, interoperability, switching rights, FRAND access, or mandatory data sharing between organisations.

From an obligations perspective, controllers must ensure that personal data is processed for a lawful purpose, based on either consent or necessity, and in a manner that is fair, proportionate, and limited to what is required. Controllers must comply with transparency requirements, maintain data accuracy and relevance, avoid excessive retention, and implement appropriate administrative, technical and financial safeguards to protect personal data. Controllers are also required to manage and report serious personal data breaches and to obtain prior permission from the competent authority where processing involves personal data of a special nature.

In addition to the PDPPL itself, the competent authority has issued non-binding implementation guidelines to support compliance. The PDPPL Guidelines provide practical guidance, templates and checklists to assist organisations in operationalising PDPPL requirements, including governance measures, security controls, transparency practices and handling of data subject rights. While not legally binding, they are relevant in demonstrating good-faith compliance with the PDPPL.

Accordingly, key action items for organisations include identifying whether data processed constitutes personal data, defining and documenting lawful purposes, implementing consent and transparency mechanisms, putting in place appropriate security and governance measures, establishing procedures to respond to data subject rights requests, limiting retention periods, and seeking prior approval where required for processing sensitive personal data.

See 1.7 Regulators.

According to the PDPPL Guidelines, controllers may use “cookies” on an individual’s web browser to target direct advertisement messages towards the individual. Such cookies should be deployed only after the individual has “opted in” – ie, has clicked “accept” to allow such direct marketing cookies to be deployed on the individual’s browser.

Controllers may collect individuals’ email addresses on a web page of the controller’s website. The controller must make it clear, on the web page, that if the individual provides their email address in that instance they are providing their consent towards receiving direct marketing emails until they withdraw their consent.

Article 22 of the PDPPL and the PDPPL Guidelines explicitly prohibit unsolicited direct marketing or marketing communications. Prior consent to send electronic marketing communications is required, including by wired or wireless communication. The PDPPL recognises that the consent must be explicit and unambiguous. It is worth noting that implied consent is not recognised under the PDPPL and will mostly be deemed as invalidly taken.

The following information must be included in all electronically shared communications:

• the identity of the sender;
• an indication that the message is sent for the purpose of direct marketing;
• a reachable and searchable address; and
• a communication platform enabling the customer to request withdrawal of its consent and request the immediate cessation of all upcoming communications.

Currently, there is no freedom of information legislation in the State of Qatar – a step being discussed by most practitioners. In the same vein, the focus is on organisations and employers, which would need to display that permission was duly received from employees for the assessment and collection of their personal sensitive and classified data.

According to the PDPPL, workplace privacy rulesstrictly provide for a solid framework for protecting an employee’s privacy. Thus, organisations must provide proof or evidence that they have a permitted reason to process their employees’ personal data (SISCO systems, telephone or PC monitoring, GPS). Employers will also need to conduct data protection impact assessments when processing employees’ personal data, as this is considered by the CDPD as an example of processing that “may cause serious damage”.

In parallel, the Labour Law requires employers to maintain employee files and registers containing personal and employment-related information, including identification details, wages, leave records, disciplinary sanctions and termination information, and to retain such records for prescribed periods. These obligations do not override the PDPPL, and employers must ensure that the collection, storage and retention of employment records under the Labour Law are carried out in compliance with the PDPPL’s privacy and data protection requirements.

On 24 May 2021, the Ministry of Administrative Development, Labour and Social Affairs (MADLSA) launched the first phase of the Unified Platform for Complaints and Whistle-blowers. Through this electronic platform, citizens, expatriates and establishments can file a complaint against entities subject to the provisions of Qatar Labour Lawpromulgated by Law No 14 of 2004 and the Domestic Workers Law promulgated by Law No 15 of 2017, or against entities with business regulated by the MADLSA.

The PDPPL applies to the processing of personal data where such data is electronically processed, prepared for electronic processing, or processed using a combination of electronic and traditional means. It does not regulate non-personal data.

During due diligence, the disclosure or access to personal data constitutes personal data processing, including disclosure and transfer. Accordingly:

• Personal data may only be processed for a lawful purpose, either based on the data subject’s consent or where processing is necessary to achieve a lawful purpose of the controller or recipient (Article 4).
• Any disclosure of personal data must be consistent with the lawful purposes for which the data was collected (Article 12).
• Controllers and processors must implement appropriate administrative, technical and financial safeguards to protect personal data against unauthorised access, disclosure or misuse (Articles 8, 11 and 13).
• Personal data disclosed during due diligence must be adequate, relevant and not excessive, and must not be retained for longer than necessary for the relevant purpose (Article 10).

The PDPPL does not contain specific provisions tailored to M&A due diligence; compliance is assessed under the general processing obligations.

The PDPPL does not expressly regulate “change of control”. However, a change in ownership or control that results in a new entity determining the purposes and means of processing may constitute a change in the controller.

In such cases:

• Personal data may continue to be processed only for lawful purposes consistent with the PDPPL (Article 4).
• The controller must ensure that individuals are informed of the identity of the controller and the purposes of processing, and any material change to processing activities must be consistent with the information provided to individuals (Article 9).
• Any transfer of personal data to a new controller must comply with the disclosure and safeguarding requirements of the PDPPL (Articles 12 and 13).

The PDPPL requires controllers, prior to processing personal data, to inform individuals of:

• the controller’s identity;
• the lawful purposes of the processing; and
• a description of the processing activities and levels of disclosure (Article 9).

While the PDPPL does not mandate transaction-specific notifications, any post-transaction change that affects these elements must remain compliant with the transparency requirements under Article 9.

Please note that if the transaction involves personal data of a special nature (eg, health data, children’s data, religious beliefs, criminal data), such data may only be processed – including being disclosed or transferred in the context of an M&A or asset deal – with prior permission from the competent authority and subject to any additional safeguards imposed.

“Cross-Border Data Flow” is defined under the PDPPL as accessing, viewing, retrieving, using or storing personal data without border constraints. The PDPPL provides that data controllers should not take measures or adopt procedures that may restrict or prevent Cross-Border Data Flow, unless processing such data would violate the provisions of the PDPPL or cause gross damage to the data subject.

More specifically, the PDPPL reserves the right for governmental bodies to decide that certain obligations under the Law (including those relating to Cross-Border Data Flow) do not apply to certain categories of data they process, based on the following grounds:

• national security;
• international relations;
• the economic or financial interests of the State; or
• the prevention or investigation of criminal offences.

A Cross-Border Data Flow may occur where the data exporter is:

• performing a task pertaining to the public good;
• executing a court order;
• protecting the vital interests of the individual;
• meeting the objectives of scientific research; or
• collecting information to investigate a crime when requested by officials.

The PDPPL does not prescribe specific transfer mechanisms (such as adequacy determinations, standard contractual clauses or transfer impact assessments) for lawful Cross-Border Data Flow. Compliance is assessed by reference to adherence to the PDPPL’s general processing principles and safeguards.

In addition, personal data of a special nature may only be processed, including through cross-border transfer, with prior permission from the competent authority and subject to any additional safeguards imposed.

Qatar is yet to enter into mutual legal assistance treaties or bilateral treaties to ensure appropriate involvement of the authorities in countries where the data is stored. The PDPPL does not condition the legality of Cross-Border Data Flow on the existence of such treaties.

Situations where a notification or approval would most likely be required to transfer data internationally or to carry out cross-border transfer would be in the context of QFC transfers. In principle, the QFC does not maintain a list of “adequate” jurisdictions. However, in certain circumstances, when the recipient in a country is not deemed to have an adequate level of protection for personal data, this would essentially require obtaining a permit for the transfer and the data controller would apply certain safeguards in accordance with Article 10(1)(a) of the QFC Regulations.

There is no general data localisation requirement or prior approval requirement for cross-border transfers under the PDPPL, except in the case of personal data of a special nature, which requires prior permission from the competent authority (Article 16).

From an operational perspective, according to the Communications Regulatory Authority (Qatar’s telecommunications and digital services regulator), it is no longer necessary for data to be stored “on premises” or “locally”. Instead, organisations should implement security measures such as encryption, anonymisation and aggregation at predefined secure hubs (regions/availability zones), which are more efficient than localisation.

The Cloud Policy Framework (CPF) issued in June 2022 sets the roadmap for more concrete considerations relating to the above-mentioned circumstances and operations. According to the CPF, data residency shall no longer be a requirement as data classification schemes, security and encryption technologies now secure a high level of protection controls.

These are newly discussed concepts, but it is expected that data localisation may be required for extremely sensitive data only, and that this would constitute one of the limitations to an organisation collecting or transferring data in connection with foreign government data requests or foreign litigation proceedings.

Pursuant to Article 15(3) of the QFC Regulations, a data subject has the right to require and obtain from the data controller – upon request, at reasonable intervals and without excessive delay or expense, as appropriate – the rectification, erasure or blocking of personal data, the processing of which does not comply with the law.

Under the PDPPL, cross-border transfers of personal data are permitted in principle.

The PDPPL expressly recognises “Cross-Border Data Flow” and provides that a controller may not restrict the transfer of personal data outside the State unless the processing violates the Law or may cause serious damage to the personal data or the individual’s privacy (Article 15).

Accordingly, international transfers are allowed provided that:

• the processing serves a lawful purpose;
• the controller complies with the PDPPL’s general data protection obligations (including security safeguards and transparency); and
• the transfer does not result in serious harm to personal data or individual privacy.

There have been no recent developments in the regulation of the international transfer of personal data. Under the law, it is not restricted. However, given that neighbouring countries have enacted amendments to supplement their own data protection laws, Qatar may follow suit by introducing updates to the PDPPL to align with regional and global standards.