Data Protection in Qatar

Collection and processing in Qatar

Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed necessary for a lawful purpose of the controller, or the third party to whom the personal data is sent.

Lawful purpose is defined in the Data Protection Law as "the purpose for which the personal data of the data subject is being processed in accordance with the law," which includes cases where a data controller is processing personal data for legitimate interests and specific purposes set forth under the Data Protection Law as described below.

Prior to processing personal data, the data controller must notify the data subject of the following information:

  • The details of the data controller or another party who processes the data on behalf of the data controller;
  • The lawful purpose for which the data controller or any third party wants to process the personal data;
  • A comprehensive and accurate description of the processing activities and the degrees of disclosure of personal data for the lawful purpose; and
  • Any other information deemed necessary and required for the satisfaction of personal data processing.

The data controller is free to process data without the consent of the data subject or a lawful purpose in the following circumstances:

  • The data processing is in the public interest. A data controller would process personal data in the public interest if it is conducting a specific task in the public interest pursuant to applicable law or is exercising "official authority" (e.g. a public body's tasks, functions or duties) pursuant to applicable law;
  • The data processing is required to meet a legal obligation. A data controller would be considered processing personal data to meet a legal obligation where it is required to do so by virtue of the law or court order;
  • The data processing is required to protect the data subject's vital interests. What constitutes "vital interests" is applied very narrowly to cases of "life and death" and on the basis of humanitarian grounds, such as in relation to a pandemic / epidemic. Further, this exemption is likely to arise in cases where data related to health is being processed, which is a category of sensitive personal data (explored further below). In that case, this exemption would only apply if the data subject is physically or legally incapable of providing consent and, as such, explicit consent may be more appropriate in the circumstances;
  • The data processing is required for scientific research being conducted in the public interest. Cases involving the processing of personal data for "scientific research in the public interests" should be interpreted broadly and would include processing activities to further technological development or privately funded research; or
  • The data processing is required to investigate a crime, if officially requested by the investigating authorities.

Sensitive personal data may not be processed except after obtaining authorization from the NCGAA. There is a high threshold for processing this data and, amongst other things, a data controller would be required to:

  • Identify a permitted reason for processing sensitive personal data and an "additional condition" for processing activities. These "additional conditions" include, but are not limited to, (i) processing with the data subject's explicit consent or parental consent (as may be relevant); (ii) the personal data is made public by the data subject; or (iii) the processing is necessary in an employment context and would enable the data controller to fulfil their obligations as an employer;
  • Complete a data protection impact assessment to identify, inter alia, the purpose and permitted reason for processing, the potential damage / harm that can be caused to the data subject as a result of the processing activities and the risks to the processing and methods / actions to mitigate such risks; and
  • Obtain permission from the NCGAA to process such personal data, which may be conditioned on, inter alia, the data controller evidencing to the NCGAA that it has the appropriate administrative, technical and financial precautions in place to protect such special personal data.
