Qatar Cheat Sheet
QATAR'S Data Protection Law No. (13) of 2016: Qatar Personal Data Privacy Protection Law (PDPPL)

Applies to the processing of Personal Data in Qatar by Individuals or Organizations.
Applies when Personal Data is:
- Electronically processed
- Obtained, gathered or extracted for electronic processing
- A combination of electronic or traditional processing
Does not apply when Processed by Individuals within a private or family scope.
Does not apply when Data is processed for the purpose of obtaining official statistical data such as census data.

QAR 1,000,000 to QAR 5,000,000 imposed for violations and non-compliance
No criminal penalties are imposed
The penalties range from QAR 1,000,000 to QAR 5,000,000 depending on which Articles of the PDPPL have been violated

Rights of Individuals

ARTICLE 5

RIGHT TO WITHDRAW CONSENT
Right to Withdraw Prior Consent at any time for Personal Data Processing

RIGHT TO OBJECT PROCESSING OF PERSONAL DATA
- If Collection of Personal Data is not necessary to achieve the purpose for Data Collection
- If collection of Personal Data is beyond the extent required, discriminatory, unfair or illegal

RIGHT TO OMISSION OR ERASURE OF PERSONAL DATA
Right to omission or erasure if the processing is not necessary or the data is collected through unfair means, or the purpose of the processing ceases to exist

REQUEST CORRECTIONS TO THE PERSONAL DATA
Right to request corrections through verified and accurate request

ARTICLE 6

RIGHT TO ACCESS PERSONAL DATA
Right to request access to the personal data that is collected on them. The PDPPL obligates data controllers to notify the individual about the processing of their personal data or the purpose of processing it and notify of any disclosure of inaccurate personal data

Data Breach Notification Requirements

ARTICLE 13
The Processor shall notify the Controller of the existence of any breach or where any risk threatens the Personal Data

ARTICLE 14
The Controller shall inform the Individual and Competent Department of the occurrence of any breach and if such breach may cause serious damage to Personal Data or individual privacy

72 HOURS TO REPORT

Circumstances that may lead to serious harm to an individual’s privacy
- Performing automated decision-making
- Collection of personal data via third parties
- Processing of sensitive data
- Processing of employees’ data
- Cross-border transfer
- Direct marketing

GDPR vs QATAR PDPL

| PRINCIPLES | QPDPL | GDPR |
| --- | --- | --- |
| The degree of implementation and details | Low (can be completed in Min. decision) | HIGH |
| Biometric and genetic sensitive Data | NO | YES |
| Data portability and profiling | NO | YES |
| Threshold for children parental consent (13-16 yrs old) | NO | YES |
| DPO for companies | NO | YES |
| Record keeping | Only for MoTC | Both for DPA & companies |
| DPIA request and privacy by design & default | YES but Not explicitly defined | YES clearly |
| Electronic communications for direct marketing: prohibited unless prior consent obtained | YES | NO |
| The degree of implementation and details | YES (unless against the Law & cause harm to Data S.) | YES (more detailed) |

CROSS BORDER DATA TRANSFER
- Prohibition from taking any measures against the cross-border data transfer that could limit the international data flow
- Measures can be taken if the cross-border transfer is in violation of the provisions provided in the PDPPL or the processing of such data may result in serious harm to the personal data or the respective individuals

KEY DEFINITIONS

INDIVIDUAL
A natural person whose Personal Data are processed

CONTROLLER
A natural or corporate person who individually or jointly with others, determines the method and purpose of processing personal data

PROCESSOR
A natural or corporate person who processes personal data for the controller

PERSONAL DATA
Data of an individual whose identity is specific, or reasonably identifiable, either through such data or by combining it with any other data

PROCESSING DATA
One or several processes for personal data such as collecting, receiving, registering, arranging, saving, preparing, amending, recovering, using, disclosing, publishing, transferring, blocking, deleting or cancelling personal data

Regulatory Authority
National Cyber Governance and Assurance Affairs (NCGAA) is empowered by the National Cyber Security Agency (NCSA) for administering and enforcement