Qatar Financial Centre updates its data protection law in line with the GDPR

The Qatar Financial Centre ('QFC'), a financial services free zone in Doha in Qatar, issued its updated Data Protection Regulations and Rules in December 2021, which align the QFC with international data protection laws, such as the European General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In this article, we provide a summary of the updated data protection law.

Following a public consultation held by the QFC Authority ('QCFA') last year, the Qatar Minister of Commerce and Industry enacted the Data Protection Regulations 2021 ('Regulations 2021') and Data Protection Rules 2021 ('the Rules') on 21 December 2021. Regulations 2021 will replace the existing Data Protection Regulations 2005 ('Regulations 2005').

Like its predecessor legislation, Regulations 2021 will regulate the processing of personal data in the QFC. However, Regulations 2021 include enhanced obligations and rights for data subjects that reflect many of the principles and rights under the GDPR, which is now considered as the 'gold standard' of data protection.

Regulations 2021 create a Data Protection Office and also the role of the Data Protection Commissioner ('the Commissioner'), entities which have already been created and which have been active since 21 December 2021.

Key requirements of the new Regulations

Regulations 2021 enhance privacy compliance requirements for businesses that are incorporated or registered in QFC. They also have extra-territorial effect in that they apply to businesses not incorporated or registered in the QFC if, 'as part of ongoing arrangements', the business processes personal data through an entity that is incorporated or registered in the QFC, unless it is only on an occasional basis. In such a case, Regulations 2021 only apply to the extent of that processing activity.

Regulations 2021 operate using the same core concepts such as 'data controller', 'data processor', and 'data subject' that are consistent with equivalent international data protection concepts.

The distinct features of Regulations 2021 compared to Regulations 2005 are:

• Notifications: Under Regulations 2005, businesses had to make a notification to the QFCA if they processed sensitive personal data or if they were transferring personal data to a country that was not subject to laws that ensure an adequate level of data protection. Regulations 2021 abolish this mandatory notification process. Permits may still be obtained from the Data Protection Office to process sensitive personal data or to transfer personal data outside the QFC, but a notification is no longer required.
• Consent: Consent must now be freely given, specific, informed, and an unambiguous indication by the data subject that they agree to the processing of the relevant personal data. Data subjects must be able to withdraw consent as easily as it was given and at any time. They must also be informed of this right before giving consent.
• Sensitive personal data: Similar to the GDPR, the definition of sensitive personal data now includes data relating to criminal convictions as well as biometric and genetic data.
• Accountability: Regulations 2021 have incorporated the principle of accountability which was introduced under the GDPR; it requires data controllers to be able to demonstrate that they comply with the principles set out in Regulations 2021. Businesses will have to implement robust governance standards and implement a written record of all processing activities. Information that should be included in the record is set out in the Rules and includes the lawful basis of processing and the documentation of adequate safeguards taken for data transfers outside the QFC.
• Rights: Regulations 2021 enhance the rights of data subjects with respect to their personal data, adding the right to withdraw consent, the right to data portability, and the right not to be subjected to a decision that is based solely on automated processing. There is now a time period for responding to such requests: at the latest within 30 days from receiving the request, and this can be extended for further 60 days if it is necessary to do so because of complexity and the number of requests.
• Data protection by design and default: Data controllers should integrate data protection into their processing activities and business practices, from the design stage right through the lifecycle
• Data Protection Impact Assessments ('DPIA'): If processing is likely to result in a high risk to the rights and legitimate interests of a data subject, a DPIA must be carried out by the data controller. Article 6 of the Rules sets out the information that a DPIA must contain, including identification and consideration of the lawful basis of processing, an assessment of the risks to and legitimate interests of data subjects, and measures envisaged to address such risks, including security measures to ensure the protection of personal data.

Practical impacts

Regulations 2021 contain enhanced obligations on data controllers and data processors and increased rights for data subjects. Organisations will need to review their existing data compliance frameworks, re-assess their data processing activities, and update their policies and procedures in line with the new requirements. In particular:

• Privacy notices: Privacy notices will have to be updated to include more information, such as the lawful basis on which personal data is processed by the data controller, the period for which data will be retained or how to determine that period, the fact that personal data is intended to be transferred outside the QFC, and other information specified in the Rules.
• Data breach notifications: Businesses will have to ensure that they have an appropriate data breach notification procedure in place. Data controllers will now have to notify the Data Protection Office of a data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the data controller determines that the breach is unlikely to result in a risk to the rights and legitimate interests of the data subjects. Article 9 of the Rules specifies the information that should be included in the notification to the Data Protection Office. Unlike the GDPR and the DIFC Data Protection Law No. 5 of 2020, Regulations 2021 do not make it mandatory for data controllers to notify data subjects of a data breach. Instead, data controllers should consider notifying any breaches to affected data subjects, taking into account the risk to their rights and legitimate interests.
• Data transfers: Data transfers to countries that are not considered to have an adequate level of data protection by the Data Protection Office may be carried out if appropriate safeguards are put in place, such as standard contractual clauses ('SCCs') adopted by the Data Protection Office or if a derogation applies. Businesses will need to re-assess their data transfers and either implement clauses in their contracts with group entities and third parties, or review whether a derogation applies to such transfers.
• Data processors: Regulations 2021 impose direct compliance obligations on data processors and also require data controllers to enter into written contracts with data processors that must include the minimum requirements set out in Article 7 of the Rules. These requirements mirror the Article 28 GDPR data processor obligations. Businesses should implement a third-party contract management system to review and update their contracts with entities that process personal data on their behalf, such as cloud vendors and outsourcing service providers.

Importantly, where previously the QFCA would only issue a direction requiring an entity to do or refrain from doing something that was in violation of Regulations 2005, the Data Protection Office now has increased enforcement capabilities: it can now issue penalties up to a maximum of $1.5 million for the infringement of one provision. Any particular offence might infringe a number of provisions, which could each be subject to a fine of this amount. Businesses, therefore, need to take compliance seriously and begin updating their data protection frameworks as soon as possible.

Tips for compliance

The Commencement Date of the Regulations is 180 days after the date of the signature of Regulations 2021 i.e., 21 June 2022. The QFCA may, by notice, extend the Commencement Date until such date it considers appropriate. Until the Commencement Date, Regulations 2005 will remain in force.

The implementation period is short, unlike the two years that businesses had to comply with the GDPR. Organisations should therefore consider immediately how they will address the various enhanced requirements of Regulations 2021. This may require the involvement and buy-in of multiple business units, particularly those departments that are data heavy, such as HR, marketing, sales, and IT. A paper-based approach will not be sufficient, it will require careful and systematic assessment, planning, and implementation.

Organisations should consider the following:

• Management approval: obtaining approval from senior management from the outset. The changes that may be required to existing data protection frameworks could be costly and extensive. It is important that senior management understands the risks that may arise from non-compliance with Regulations 2021. These include financial risks, such as potential fines and compensation claims from individuals, and reputational risks, such as if data breaches occur and they are not notified, customers and employees may lose trust in the business and go elsewhere.
• Embed data privacy within the business: making employees aware of the new requirements under Regulations 2021 will be critical to ongoing compliance. Training on data protection should be updated and regularised.
• Map and audit data flows: if not already done, documenting the personal data that they hold, where it comes from, and with whom such data is shared. This information will form the foundation of the written record of processing activities that needs to be maintained under Regulations 2021.
• Consent procedure: if organisations choose to collect personal data on the basis of consent, Regulations 2021 now prescribe specific conditions for consent. It is important that organisations put in place a procedure for obtaining and documenting consent, particularly if consent is withdrawn.
• Contract and policy management: reviewing agreements, particularly with third party data processors, for compliance with the new legal requirements. There are detailed obligations that now have to be included in processing agreements and businesses may receive push back from suppliers and service providers. Policies also have to be updated to ensure that they are aligned with the requirements of Regulations 2021. It may be necessary to introduce new policies and procedures, such as a data breach notification procedure, a procedure on responding to data subject requests, and guidance on data transfers.
• Monitor and update: data protection compliance should be ongoing. Organisations will need to implement measures to ensure continuous monitoring of compliance with Regulations 2021.

This article was originally published on 4 March 2022 on OneTrust Data Guidance.