Data & Privacy · Qatar
Qatar has a comprehensive, generally applicable personal-data protection law — Law No. 13 of 2016 (PDPPL) — in force since 2017, the first such statute in the Gulf region. It is enforced by the NCGAA under the NCSA and sets out controller/processor obligations, data-subject rights, breach notification, and penalties. The Qatar Financial Centre free zone applies its own separate, GDPR-aligned data-protection regime overseen by the QFC Data Protection Office.
Law No. 13 of 2016 (PDPPL) applies broadly across all sectors to personal data processed electronically or prepared for electronic processing, requiring transparency, fairness and respect for human dignity. It was issued on 13 November 2016 and took effect in 2017.
The National Cyber Governance and Assurance Affairs (NCGAA), a division of the National Cyber Security Agency (NCSA), is the competent authority that administers and enforces the PDPPL, issues guidance, and handles grievances. The NCSA operates under the direct supervision of the Prime Minister.
Individuals have rights to access, correction, erasure, objection, and withdrawal of consent. Controllers face obligations on lawful processing, special protection for sensitive data (health, children, religion, criminal records), restrictions on direct electronic marketing, and cross-border transfer rules.
Under Article 23 and NCGAA guidance, controllers must notify the NCGAA and affected individuals of personal-data breaches that may cause serious harm, and processors must immediately notify the controller. The NCSA has published a Personal Data Breach Notification guideline for regulated entities.
PDPPL violations carry administrative fines up to QAR 1,000,000, with more serious breaches subject to fines up to QAR 5,000,000, alongside potential criminal liability for certain offences.
Entities in the Qatar Financial Centre free zone are governed not by the PDPPL but by the QFC Data Protection Regulations and Rules 2021 (issued 21 December 2021, effective 19 June 2022), which mirror GDPR — including 72-hour breach notification and fines up to USD 1.5 million per infringement — and are overseen by the QFC Data Protection Office.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.