Protecting Personal Data: Qatari Personal Data Protection Law
In the first article, we discussed the GDPR and the major principles of this regulation. In this article, we need to see how the Qatari legislator addressed the principles of Data Protection and our related rights in this regard.
At the end of 2016, the legislative framework for data protection in Qatar was overhauled by Law No. 13 of 2016 Concerning Personal Data Protection, the first legislation in this regard among the GCC countries. It took effect in 2017; however, the executive regulations further implementing this law have not been issued yet.
We must understand the principles that form the soul of the legislation. It incorporates principles familiar from other international privacy frameworks and enshrines our right to have our personal data protected. It mandates that any person (legal or natural) who collects or processes such data adhere to the principles that we discussed in the first article: (i) lawfulness, fairness, and transparency; (ii) purpose limitation; (iii) data minimization; (iv) accuracy; (v) storage limitation; (vi) integrity and confidentiality (please refer to the last article).
Well, what is the scope of the Personal Data Protection Law?
The Qatari legislation will apply in most instances where personal data is handled.
Article 2 provides that the requirements shall apply where personal data (being data which identifies an individual or which can be used in combination with other data to identify an individual) is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or where a combination of electronic and traditional processing is used.
The same article excludes two kinds of data: (i) data collected or processed for personal or family use, and (ii) data collected for statistical purposes in accordance with law number 2/2011.
So, in order to have a more detailed view of the legislation, we need to know the main actors on the scene of this law. There are four: the Data Subject, the MOTC, the Data Controller, and the Data Processor.
The Data Subject is the consumer, in other words, simply “us”. The MOTC is the Ministry of Transportation and Communication; it is the competent authority by law.
The Data Controller is a natural or legal person who, individually or jointly with others, determines the method and purpose of processing personal data.
The Data Processor is any natural or legal person who processes personal data for the controller. While distinguishing between the two has no significant effect from a consumer's position (our position), it is extremely important for the service provider to classify himself as a processor or a controller!
The law explicitly places legal mandates on the Controller in several articles, such as to: (i) process personal data honestly and in accordance with the law; (ii) put in place appropriate measures to safeguard the data; (iii) comply with the privacy protection policies issued by the Ministry of Transportation and Communication (MOTC) from time to time; (iv) review existing data protection measures before introducing new products/services relating to personal data; (v) ensure that the personal data collected is relevant and accurate; and (vi) not keep the data for longer than required. These obligations are set out in detail in articles 8-15 of the law.
On the other hand, both data controllers and data processors are required to take all necessary steps to protect personal data from loss, damage, alteration, disclosure, or from being accessed or used accidentally or unlawfully.
Well, don’t these obligations remind us of the GDPR principles that we discussed in the first article?
To make it easier for those who want to compare both regulations, the following is a comparison matrix between the data protection principles of the GDPR and the articles in the Qatari Personal Data Protection Law:
- Lawfulness, fairness, and transparency can be traced in articles 8, 9 & 10.
- Purpose limitation in article 9.2.
- Data minimization in article 9.3.
- Accuracy in article 9.4.
- Storage limitation in article 10.
- Integrity and confidentiality in articles 8.2, 8.4, 11, 13 & 14.
Having said that, what are our rights in the Qatari law?!!
The law identifies several rights in articles 3-7 for any data subject. Articles 3 & 4 establish the fundamental right of a data subject’s personal data to be protected from any harm and not to be collected by any means without strict consent from the data subject. Furthermore, the following articles describe the additional rights that the data subject has in relation to their personal data. We may summarize them as follows:
Withdrawal of previous consent. (Article 5.1)
This right provides the data subject with the ability to withdraw a previously given consent for the processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.
Object to the processing of personal data on the grounds it is unnecessary to achieve the objective it has been collected for, excessive, discriminatory, unfair, or unlawful. (Article 5.2)
This right provides the data subject with the ability to object to the processing of his/her personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that their personal data should not be processed for certain purposes.
Request for deletion of personal data on the grounds mentioned in the above articles. (Article 5.3)
This right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer’s relationship has ended. It is important to note that this is not an absolute right and depends on your retention schedule and retention period in line with other applicable laws. For instance, article 21 of law 14/2014 explicitly requires the Service providers to retain the customer information for one year.
Request for correction of personal data. (Article 5.4)
This right provides the data subject with the ability to ask for modifications to their personal data in case the data subject believes that this personal data is not up to date or accurate. The law also requires the data subject to prove that such newly provided information is accurate.
Right to access and review their personal data. (Article 6)
This right provides the data subject with the ability to get access to their personal data that is being processed. The law strictly emphasizes that this right shall be enforced towards ANY Controller.
Right to be informed about the processing of their personal data and the purpose of such processing. (Article 6.1)
This right provides the data subject with the ability to ask a company for information about what personal data (about them) is being processed and the rationale for such processing.
Right to be informed about any disclosure of inaccurate personal data related to the data subject. (Article 6.2)
As a general rule, the data controller must notify the data subject about any/every disclosure, breach, or leakage of their personal data. However, since the executive orders for this law have not been issued yet, it is preferable to wait and see how the competent authorities will deal with this topic.
Right to obtain a copy of the personal data. (Article 6.3)
Both Data Controller & Data Processor shall make a copy available for the data subject once requested, after paying fees for such service.
Are these rights enough to safeguard our personal data?!
The Qatari legislator has added some extra protection layers in articles 16 & 17 when it comes to “Sensitive Personal Data” and “Child Protection”.
Article 16 classified the following types of data as “Sensitive Data”:
- Racial or ethnic origin and religious affiliation
- Any data related to children or family relations
- Health-related information including Physical and mental status
- Criminal offenses
Any processing of any of these types requires special permission from the Minister of MOTC, who may even add more types to this list if such a type may cause harm to any person.
Article 17 addresses the data collection by websites targeting children. It strictly obligates the owner or operator of any website addressing our children to clearly announce the type of data that they collect from our children, how it will be used, and their disclosure policy for such data. Furthermore, it strictly requests clear consent from the custodian before collecting any data.
Article 17.4 clearly states that the owner/operator is committed to deleting the child's personal data upon the custodians’ request.
Here we must highly salute the legislator. You know why?!
This article gives the custodian the absolute power to control the child’s personal data, which is not the situation in the normal case! Do you remember the third right we discussed above?! The right to be forgotten is not absolute in article 5.3, as it is based on the grounds mentioned in articles 5.2 & 5.3!! Here we have a different case, the absolute right to be forgotten!!!
So yes, we have a very bright side in this law and it gives us control over our children’s personal data. Will we make use of it?!