The State of Qatar has issued a new law concerning the privacy and protection of personal data, law no. 13 of 2016 (the Law). While it is not yet in force, it is anticipated that it will be published in the official gazette soon and will come into effect six months later.

The Law extends to personal data processed electronically or obtained for electronic processing, or processed through a combination of traditional and electronic processing methods. It does not extend to private processing of personal data or data collected for establishing official statistics.

The Law grants certain rights to individuals, including the right to give or withdraw consent for any processing of their personal data. An individual also has the right to review their personal data being stored, and to request any modifications to

The Law places a heavy burden on data controllers and processors to ensure that personal data is handled with care and is protected from any loss or unauthorised disclosure. It directs controllers, inter alia, to (i) review their data privacy procedures; (ii) train and raise awareness among processors; (iii) ensure effective management of personal data; (iv) use proper technology; and (v) maintain

Added protection is afforded to personal data of a private nature. Such information can only be processed after obtaining permission from the relevant department of the Ministry of Transport and Communications (MTC). The owners and operators of websites for children are also obliged to make adequate disclosures on their websites and to obtain permission from parents before a child's information can be processed.

Direct marketing through electronic communication to individuals without obtaining their advance consent is

Notwithstanding the above, exemptions are given under the Law which allow the competent authority or the controllers to process personal data without complying with certain provisions. Some of the exemptions are: (a) the protection of national or public security, international relations, or the economic or financial interests of the State; (b) the prevention or investigation of a crime; (c) the execution of a task related to the public interest; (d) scientific research in the public interest; (e) an official request from the investigation authorities or a court of competent

The Law prescribes high financial penalties for non-compliance or legislative breaches. The penalties will range from QAR 1 million ($274,634) to QAR 5 million. However, it is notable that imprisonment is not a prescribed sanction under this law.

Impact on the Qatari financial sector
The Law may cause some practical difficulties for the banks, either due to a lack of clarity or to its subjective nature. Two examples illustrate this. First, QCB has instructed the banks to retain customers' information for at least 15 years. However, the Law allows individuals to demand the deletion of their personal information once the purpose has been fulfilled. This inconsistency may result in non-compliance by the bank with the QCB instructions. Second, during the Know Your Client process undertaken by the banks, certain personal data of a private nature may be gathered. However, according to the Law, this information may only be processed after obtaining permission from the MTC. It is not clear whether the banks would need a blanket approval from the MTC or whether permission would have to be sought for each case. This may be a cumbersome process for the banks.

Moreover, banks are allowed to outsource certain non-core functions to service providers, provided that adequate controls and guidelines for risk mitigation are in place. Such outsourcing can reduce costs, improve services, or save time for the bank's main services. However, it seems that the Law places an additional obligation on the banks to ensure that the data obtained is collected for lawful purposes and is processed in accordance with the Law.

Banks may also have to revisit their marketing and promotional activities. Activities such as email updates or SMS marketing may not be possible under the Law. The practical risks remain unclear at present, as the relevant section of the Law is broadly worded and remains open to interpretation.

Recommendations for banks
Before the Law comes into force, banks should consider taking some precautionary steps:
- raising awareness internally and among their service providers;
- reviewing internal documents to ensure compliance with the Law;
- conducting internal training to ensure that the relevant departments are able to address customers' questions or concerns regarding their rights under the
- conducting training for data processors and revisiting internal risk assessments and mitigation plans;
- revisiting the banks' and their service providers' security measures to protect customer data.