Qatar PDPPL

Law No. 13 of 2016: Personal Data Privacy Protection

National Cyber Security Agency (NCSA)
National Cyber Governance and Assurance Affairs (NCGAA)

We, Tamim Bin Hamad Al-Thani, Emir of the State of Qatar

After having perused the Constitution, Telecommunications Law promulgated by Decree-Law No. (34) of 2006, Electronic Transactions and Commerce Law promulgated by Decree-Law No. (16) of 2010, Law No. (2) of 2011 on Official Statistics, as amended by Law No. (4) of 2015, Cybercrimes Combatting Law promulgated by Law No. (14) of 2014, Emiri Resolution No. (42) of 2014 on the Establishment of the Communications Regulatory Authority, Emiri Resolution No. (8) of 2016 on the Organizational Structure of the Ministry of Transport and Communications, the proposal of the Minister of Transport and Communications, and the draft law submitted by the Council of Ministers, and after consulting the Shura Council,

Have decided the following Law,

This document is not official and the official version of the law is the one published in the Official Gazette number 15 of year 2016 that is available on almeezan.qa

Chapter One: Definitions and General Provisions

Article (1)

For the implementation of the provisions hereof, the following terms and words shall have such meanings assigned to the same, unless otherwise required by context:

Article (2)

Provisions hereof shall apply to Personal Data when it is electronically processed, or obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing.

Provisions hereof shall not apply to Personal Data processed by individuals within a private or a family scope, or to any Personal Data processed for the purpose of obtaining official statistical data as per provisions of the referred to Law No. (2) of 2011.

Chapter Two: Rights of Individuals

Article (3)

Each Individual has the right to the protection of the Personal Data thereof that shall be processed only within the framework of transparency, honesty, and respect of human dignity, and acceptable practices according to provisions hereof.

Article (4)

The Controller shall process Personal Data only after obtaining the consent of the Individual, unless data processing is necessary to achieve a Lawful Purpose for the Controller or the other recipient of such data.

Article (5)

An Individual may, at any time:

  1. Withdraw the prior consent thereof for Personal Data Processing.
  2. Object to processing the Personal Data thereof if such processing is not necessary to achieve the purposes for which such Personal Data have been collected or where such collected Personal Data are beyond the extent required, discriminatory, unfair or illegal.
  3. Request omission or erasure of the Personal Data thereof in any of the cases referred to in the preceding two items, upon cessation of the purpose for which the processing has been conducted, or where all justifications for maintaining such Personal Data by the Controller cease to exist.
  4. Request corrections to the Personal Data thereof. A request so made shall be accompanied with proof of the accuracy of such request.

Article (6)

An Individual may, at any time, access the Personal Data thereof and apply to review the same, in facing any Controller, and an Individual has, in particular, the right to:

  1. Be notified of processing the Personal Data thereof and the purposes for which such processing is conducted.
  2. Be notified of any disclosure of inaccurate Personal Data.
  3. Obtain a copy of the Personal Data thereof after paying an amount that shall not exceed the service charge.

Article (7)

The controls and procedures, related to individuals' exercise of rights provided for in the two preceding Articles, shall be specified by a decision of the Minister.

Chapter Three: Liabilities of Controller and Processor

Article (8)

The Controller shall abide by the following:

  1. Processing Personal Data honestly and legitimately.
  2. Considering the controls related to designing, changing or developing products, systems and services pertinent to Personal Data Processing.
  3. Taking appropriate administrative, technical and financial precautions to protect Personal Data, in accordance with what is determined by the Competent Department.
  4. The privacy protecting policies developed by the Competent Department, and a decision thereon shall be issued by the Minister.

Article (9)

The Controller shall, prior to starting processing any Personal Data, inform the Individual with the following:

  1. The Controller's details or any other party conducting the processing for the Controller or to be used thereby.
  2. The Lawful Purposes that the Controller or any other party wants to process the Personal Data therefor.
  3. Comprehensive and accurate description of the processing activities and the levels of disclosure of such Personal Data for the Lawful Purposes, and if the Controller fails to do so, the Controller shall provide the Individual with a general description thereof.
  4. Any other information that is necessary and required for fulfilling conditions of Personal Data Processing.

Article (10)

The Controller shall verify that Personal Data that he collects, or being collected for the benefit thereof, is relevant to Lawful Purposes and adequate for achieving the same. The Controller shall, also, ensure such data is accurate, complete and up to date to meet such Lawful Purposes. In addition, the Controller shall not keep any Personal Data for a period of time that exceeds the necessary period for achieving such purposes.

Article (11)

The Controller shall take the following procedures:

  1. Reviewing privacy protection measures before proceeding with new processing operations.
  2. Identifying Processors responsible for Personal Data protection.
  3. Training and raising awareness of Processors on protecting personal data.
  4. Developing internal systems to receive and investigate complaints, and data access and omission or correction requests; and they shall be made available to individuals.
  5. Developing internal systems for the effective management of Personal Data, and reporting any breach of measures aiming at the protection thereof.
  6. Using appropriate technologies to enable individuals to exercise their rights to directly access, review and correct their respective Personal Data.
  7. Conducting comprehensive audits and reviews on the compliance extent with Personal Data protection requirements.
  8. Verifying Processor's compliance with the instructions directed thereto, taking the appropriate precautions to protect Personal Data, and monitoring and following-up the same constantly.

Article (12)

The Controller shall, at the time of disclosing Personal Data or transferring it to the Processor, take into consideration that it is in line with Lawful Purposes and is processed according to provisions hereof.

Article (13)

Each of the Controller and the Processor shall take the precautions necessary to protect Personal Data against loss, damage, change, disclosure, access thereto, or the inadvertent or illegal use thereof.

Such precautions shall be commensurate with the nature and the importance of the Personal Data intended to be protected.

The Processor shall forthwith notify the Controller of the existence of any breach of the precautions referred to, or where any risk arises threatening Personal Data in any way.

Article (14)

The Controller shall inform the Individual and Competent Department of the occurrence of any breach of the precautions provided for in the preceding Article, and if such breach may cause serious damage to Personal Data or individual privacy.

Article (15)

Taking into account the liabilities provided for hereto, the Controller shall be forbidden from taking any decision or measure that may limit the Cross-Border Data Flow, unless the processing of such data is in breach of this Law, or where such processing may cause serious damage to the Personal Data or to the Individual's privacy.

Chapter Four: Personal Data with Special Nature

Article (16)

The Personal Data, related to ethnic origin, children, health, physical or psychological condition, religious creeds, marital relations, and criminal offenses, shall be regarded as Personal Data with special nature.

The Minister may add other types of Personal Data of a special nature, where the misuse or disclosure of the same may cause serious damage to the Individual.

Personal Data of a special nature may only be processed after obtaining the permission from the Competent Department, as per the measures and controls determined by a decision issued by the Minister.

The Minister may, upon a decision therefrom, impose additional precautions with the intent of protecting Personal Data of a special nature.

Article (17)

Taking into consideration the liabilities provided for hereto, an owner or operator of any website addressing children shall take into account the following:

  1. Posting a notification on the website as to what child data is, the way of its use, and the policies followed in the disclosure thereof.
  2. Obtaining, either electronically or through any other appropriate means, an explicit consent from the guardian of the child whose Personal Data is processed.
  3. Providing a child's guardian, upon the request thereof, and after verifying the identity thereof, with a description of the type of the Personal Data processed, along with stating the purpose of the process together with a copy of the data processed or gathered about the child.
  4. Deleting, removing or suspending processing any Personal Data that has been gathered from or about a child, if such is requested by child's guardian.
  5. A child's participation in a game, promotional award or any other activity shall not be conditional on the child's provision of Personal Data in excess of the necessary for the participation in such activity.

Chapter Five: Exemptions

Article (18)

The Competent Authority may decide to process some Personal Data, without abiding by the provisions of Articles (4), (9), (15) and (17) hereof, for achieving any of the following purposes:

  1. Protecting National and public security.
  2. Protecting international relations of the State.
  3. Protecting the economic or financial interests of the State.
  4. Preventing any criminal offense, or gathering information thereon or investigating therein.

The Competent Authority shall keep a special record where the data achieving the aforementioned purposes shall be entered. Conditions, controls and statuses of entry on such record shall be specified by virtue of a decision issued by the Minister.

Article (19)

The Controller shall be exempted from the provisions of Articles (4), (5) (Items 1, 2, and 3) and (6) hereof, in any of the following cases:

  1. Executing a task related to the public interest as per the law.
  2. Implementing a legal obligation or an order rendered by a competent court.
  3. Protecting vital interests of Individual.
  4. Achieving purposes of scientific research which is underway for public interest.
  5. Gathering necessary information for investigation into a criminal offense, upon an official request of investigative bodies.

Article (20)

The Controller shall be exempted from disclosing the reasons for the refusal thereof of abiding by the rights of the Individual, as provided for in Article (6) hereof, if such disclosure would prevent achieving the purposes stipulated in Article (18) hereof.

Article (21)

Taking into consideration the provisions of the preceding two Articles, the Controller shall be exempted from abiding by provisions of Article (6) hereof, in either of the following two cases:

  1. When disclosure would cause harm to commercial interests of another individual.
  2. When implementation of such liability would cause disclosing Personal Data related to another Individual who does not consent thereto, and disclosure may lead to physical or moral damage either to this Individual or to any other Individual.

Chapter Six: Electronic Communication for the Purpose of Direct Marketing

Article (22)

The transmission of any Electronic Communication to an Individual, for the purpose of Direct Marketing, shall be forbidden, except after obtaining the prior consent thereof.

The Electronic Communication shall include the identity of the originator thereof, and highlight that it is sent for the purpose of Direct Marketing. In addition, it shall include a valid address for easy access thereto and through which an Individual can send a request to the originator to stop such communications or revoke the consent on the sending thereof.

Chapter Seven: Penalties

Article (23)

Without prejudice to any more severe penalty stipulated in any other law, a penalty that shall not exceed (1,000,000) one million QR shall be applicable to anyone violating any of the provisions of the Articles (4), (8), (9), (10), (11), (12), (14), (15), and (22) hereof.

Article (24)

Without prejudice to any more severe penalty stipulated in any other law, a penalty that shall not exceed (5,000,000) five million QR shall be applicable to anyone violating any of the provisions of the Articles (13), (16/paragraph 3), and (17) hereof.

Article (25)

A penalty that shall not exceed (1,000,000) one million QR shall be applicable to the violating legal person, in the event of committing any of those crimes stipulated herein in the name or for the interest thereof, without prejudice to criminal liability taken by the affiliated natural person.

Chapter Eight: Final Provisions

Article (26)

An Individual may file a complaint to the Competent Department in case of violating provisions hereof and the issued decisions in the implementation thereof.

The Competent Department may, after investigating received complaints and proving the seriousness thereof, issue a reasoned decision binding the Controller or Processor, as the case may be, to rectify such breach within a period it specifies.

The Controller or Processor may raise a grievance against such decision to the Minister, within sixty days from the notification date thereof.

The Minister shall decide on the grievance within sixty days from the date of the submission thereof, and the lapse of such period without a response shall be considered as an implicit rejection of the grievance, and the decision of the Minister thereon shall be final.

Article (27)

The Competent Department may, for the purpose of applying and implementing provisions hereof, take all necessary measures thereto, and in particular the following:

  1. Coordinating with any professional group or association, and any other association representing Controllers or Website Operators for the purpose of self-organization encouragement and development, and raising awareness of this Law and developing training and learning programs.
  2. Working with organizations and societies interested in family affairs to enhance the safety of children on the internet.
  3. Conducting research and monitoring developments in technology fields related to issues covered by this Law, and preparing reports or recommendations on the same.

Article (28)

Any contract or agreement made in violation of the provisions hereof shall be regarded as null and void.

Article (29)

The Ministry employees, authorized as law enforcement officers as per a decision by the Public Prosecutor, in agreement with the Minister, may detect and prove crimes committed in violation of provisions hereof.

Article (30)

Parties falling under provisions hereof shall, within six months from the date of the effectiveness thereof, adjust their conditions in line with provisions hereof.

Such period may be extended for other similar period or periods by virtue of a decision of the Council of Ministers, upon the proposal of the Minister.

Article (31)

The Minister shall issue the necessary decisions for the implementation of the provisions hereof.

Article (32)

All the competent authorities, each within the competences thereof, shall implement this Law, and it shall be published in the official gazette.

Tamim Bin Hamad Al Thani
Emir of the State of Qatar
Issued at the Emiri Diwan on: 03/02/1438 (AH) Corresponding to: 03/11/2016 (AD)

compliance.qcert.org