Data & Privacy · Qatar
Data protection & privacy laws in Qatar (2026)
Qatar shaded by its data & privacy status
Qatar has a comprehensive, generally applicable personal-data protection law — Law No. 13 of 2016 (PDPPL) — in force since 2017, the first such statute in the Gulf region. It is enforced by the NCGAA under the NCSA and sets out controller/processor obligations, data-subject rights, breach notification, and penalties. The Qatar Financial Centre free zone applies its own separate, GDPR-aligned data-protection regime overseen by the QFC Data Protection Office.
Key points
Law No. 13 of 2016 (PDPPL) applies broadly across all sectors to personal data processed electronically or prepared for electronic processing, requiring transparency, fairness and respect for human dignity. It was issued on 13 November 2016 and took effect in 2017.
The National Cyber Governance and Assurance Affairs (NCGAA), a division of the National Cyber Security Agency (NCSA), is the competent authority that administers and enforces the PDPPL, issues guidance, and handles grievances. The NCSA operates under the direct supervision of the Prime Minister.
Individuals have rights to access, correction, erasure, objection, and withdrawal of consent. Controllers face obligations on lawful processing, special protection for sensitive data (health, children, religion, criminal records), restrictions on direct electronic marketing, and cross-border transfer rules.
Under Article 23 and NCGAA guidance, controllers must notify the NCGAA and affected individuals of personal-data breaches that may cause serious harm, and processors must immediately notify the controller. The NCSA has published a Personal Data Breach Notification guideline for regulated entities.
PDPPL violations carry administrative fines up to QAR 1,000,000, with more serious breaches subject to fines up to QAR 5,000,000, alongside potential criminal liability for certain offences.
Entities in the Qatar Financial Centre free zone are governed not by the PDPPL but by the QFC Data Protection Regulations and Rules 2021 (issued 21 Dec 2021, effective 19 June 2022), which mirror GDPR — including 72-hour breach notification and fines up to USD 1.5 million per infringement — and are overseen by the QFC Data Protection Office.
Timeline - major decisions & events
Qatar's National Data Privacy Office (NDPO/NCSA) ordered a local contracting company to overhaul its data protection controls within 60 days after finding multiple PDPPL breaches, including unlawful processing and failure to supervise third-party processors. Marks the regulator's expansion of active enforcement beyond the ICT sector.
Baker McKenzie Connect on Tech ↗Qatar's National Planning Council (NPC) issued a cross-sector National Data Policy establishing principles of data integrity, consistency, and governance for all public-sector entities, covering data sharing, security, and quality standards. Complements the PDPPL by extending data governance beyond privacy to interoperability and data management.
Qatar National Planning Council (NPC) ↗The NCSA formally launched the National Cyber Security Strategy 2024–2030 around five pillars — including data-driven legislation, privacy protection, and international cooperation — aligned with Qatar National Vision 2030. Provides the decade-long strategic framework underpinning future data protection enforcement and regulation.
Qatar Government Communications Office (GCO) ↗Qatar's Council of Ministers officially adopted the National Cyber Security Strategy, giving the NCSA a formal governmental mandate for cybersecurity and data protection regulation ahead of its public launch later in 2024. Cemented NCSA's authority to enforce the PDPPL and issue binding guidance.
The Peninsula Qatar ↗Qatar's National Cyber Security Agency issued Version 1.0 of AI adoption guidelines, addressing data protection obligations when deploying AI systems including sensitive data leakage risks and alignment with PDPPL requirements. First official regulatory guidance in Qatar explicitly linking AI deployment to data privacy compliance.
Qatar National Cyber Security Agency (NCSA) ↗The NCSA released updated versions of its National Data Classification Policy and National Information Assurance Standard, tightening how organisations in Qatar must classify, label, and protect data assets in line with PDPPL obligations. Both standards carry compliance implications for the NCSA certification programme.
Qatar NCSA — National Cyber Governance and Assurance Affairs ↗Qatar required all World Cup attendees to install the Hayya fan-ID app and the Ehteraz COVID-tracing app; France's CNIL and German and Norwegian authorities warned fans of surveillance risks including unrestricted device data access and location tracking. Exposed Qatar's data governance framework to intense international scrutiny and accelerated domestic reform discussions.
Bank Info Security (ISMG) ↗The Ministry of Communications and Information Technology's Compliance and Data Protection Department issued the first detailed operational guidelines for implementing the 2016 PDPPL, covering consent mechanisms, cross-border data transfers, and security requirements. The first official practical compliance guidance issued to regulated entities five years after the law's enactment.
Qatar Ministry of Communications and Information Technology (MCIT) ↗Emiri Decree No. 1 of 2021 created the NCSA and vested in its National Cyber Governance and Assurance Affairs (NCGAA) division full supervisory and enforcement authority over the PDPPL. Gave Qatar's data protection framework a permanent, dedicated regulatory home for the first time since the law's 2016 enactment.
Qatar National Cyber Security Agency (NCSA) ↗Qatar enacted the Personal Data Privacy Protection Law (PDPPL), the first generally applicable data protection statute in the GCC, regulating collection, processing, storage, and cross-border transfer of personal data by all organisations, with administrative fines of up to QAR 5 million for serious breaches. Established Qatar as the regional pioneer in statutory data privacy protection.
Qatar NCSA — National Cyber Governance and Assurance Affairs ↗Qatar - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →