These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

QA

Qatar

Personal Data Privacy Protection Law (Law No.13 of 2016)

Key Provisions

Article 1: Key Definitions

  • Personal Data: Data identifying an individual directly or indirectly (e.g., ethnic origin, health, marital status).
  • Processing: Operations like collection, storage, modification, disclosure, or destruction.
  • Controller: Entity determining purposes and means of processing.
  • Processor: Entity processing data on behalf of the Controller.

Article 2: Scope

Applies to electronic processing or data prepared for electronic processing. Exempts personal/family use and official statistics.

Articles 3–7: Rights of Data Subjects

  • Right to the protection of their personal data when it is processed.
  • Right to withdraw consent, object to processing, and request deletion or correction.
  • Right to access their data, be informed of the purposes of processing, and obtain copies.
  • Controllers must respond to these requests as specified in Ministerial decisions.

Article 4: Consent

Consent required unless processing is necessary for a Lawful Purpose (e.g., public interest, legal obligation).

Articles 18–21: Exemptions

Exemptions for national security, public interest, criminal investigations, or scientific research. Controllers may withhold reasons for refusal if disclosure harms state interests.

Articles 8–15: Controller & Processor Obligations

  • Process data lawfully, implement technical/organizational safeguards.
  • Notify individuals of breaches causing serious harm.
  • Verify data accuracy, relevance, and retention limits.
  • Train staff, audit compliance, and monitor Processors.

Article 16: Sensitive Data

Requires explicit permission from the Competent Department for processing. Additional safeguards may apply.

Article 17: Children's Data

Obtain guardian consent, post privacy notices, and avoid excessive data collection for activities.

Article 22: Direct Marketing

Requires prior consent. Communications must identify the sender, purpose, and include an opt-out mechanism.

Articles 23–25: Penalties

  • Fines up to QR 1M for violations (e.g., consent, security).
  • Fines up to QR 5M for breaches of sensitive data or child protection rules.
  • Legal persons liable for fines; natural persons may face criminal charges.

Articles 26–32: Compliance & Enforcement

  • Complaints are filed with the Competent Department, which may issue binding rectification orders.
  • Ministries coordinate awareness programs and monitor compliance.
  • Organizations must bring their processing into compliance within six months of the law's enactment.

Compliance Checklist

Articles 8–11: Obligations

For Controllers:

  • Implement technical (encryption) and organizational (policies) safeguards.
  • Conduct audits, train staff, and maintain complaint systems.

For Processors:

  • Follow the Controller's security instructions and report breaches immediately.
  • Assist in audits and breach investigations.

Article 13: Data Security

For Controllers:

Protect data against loss/damage; notify breaches promptly.

For Processors:

Notify Controller of risks/vulnerabilities.

Article 16: Sensitive Data

For Controllers:

Obtain Competent Department approval for processing.

For Processors:

Process only as instructed; avoid unauthorized use.

Article 17: Children's Data

For Controllers:

Post privacy notices; obtain guardian consent.

For Processors:

Delete child data upon guardian request.

Article 22: Direct Marketing

For Controllers:

Include opt-out mechanisms in communications.

For Processors:

Process marketing data only with Controller's consent framework.

Article 26: Complaints

For Controllers:

Establish mechanisms to handle data subject requests.

For Processors:

Assist Controllers in resolving complaints.

Article 15: Cross-Border Transfers

For Controllers:

Ensure transfers comply with lawful purposes and do not harm privacy.

For Processors:

Avoid transfers unless authorized by Controller.

Article 10: Data Retention

For Controllers:

Define retention periods aligned with purposes; destroy data securely.

For Processors:

Follow Controller's retention/destruction instructions.

Article 4: Consent Management

For Controllers:

Obtain explicit consent for sensitive data or new purposes.

For Processors:

Process data only per Controller's consent scope.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.