• Data Protection Regulations 2005

    QFC Reg No 6 – Data Protection Regulations
    Enactment Notice
    Part 1: Application, Commencement and Interpretation
    Article 1 - Citation
    Article 2 - Application
    Article 3 - Commencement
    Article 4 - Language
    Article 5 - Interpretation
    Part 2: General Provisions for the Processing of Personal Data
    Article 6 - General requirements
    Article 7 - Requirements for legitimate Processing
    Article 8 - Processing of Sensitive Personal Data
    Article 9 - Transfers to jurisdictions with adequate levels of protection
    Article 10 - Transfers to jurisdictions without adequate level of protection
    Article 11 - Providing information where data obtained from the Data Subject
    Article 12 - Providing information where data not obtained from the Data Subject
    Article 13 - Confidentiality
    Article 14 - Security of Processing
    Part 3: Rights of Data Subjects
    Article 15 - Right to access, rectification, erasure and blocking of Personal Data
    Article 16 - Right to object to Processing
    Part 4: Records and Notifications to the QFC Authority
    Article 17 - Requirement to record operations and notify the QFC Authority
    Article 18 - Register of notifications
    Part 5: The QFC Authority
    Article 19 - General Powers of the QFC Authority
    Article 20 - Production of information
    Article 21 - Power to make Rules
    Part 6: Remedies, Liability and Sanctions
    Article 22 - Directions
    Article 23 - Claims
    Part 7: General Exemptions
    Article 24 - General Exemptions
    Part 8: Interpretation and Definitions
    Article 25 - Interpretation
    Article 26 - Definitions

    • Enactment Notice

      The Minister of Economy and Commerce hereby enacts the following regulations pursuant to Article 9 of Law No. (7) of 2005

      Mohammed bin Ahmed bin Jassim Al Thani
      Minister of Economy and Commerce of the State of Qatar

      Issued at: The Qatar Financial Centre, Doha

      On: 14th Ramadan 1426 A.H.

      Corresponding to: 17th October 2005 A.D.

    • Part 1: Application, Commencement and Interpretation

      • Article 1 - Citation

        These Regulations may be referred to as the Data Protection Regulations 2005.

      • Article 2 - Application

        These Regulations are made by the Minister pursuant to Article 9 of the QFC Law and shall apply in the QFC. To the fullest extent permitted by the QFC Law, the laws, rules and regulations of the State concerning the matters dealt with by or under these Regulations shall not apply in the QFC.

      • Article 3 - Commencement

        These Regulations shall come into force on the date of signature by the Minister.

      • Article 4 - Language

        In accordance with Article 9 of the QFC Law, these Regulations are written in the English language and the English text thereof shall be the official original text. Any translation thereof into another language shall not be authoritative and in the event of any discrepancy between the English text of these Regulations and any other version, the English text shall prevail.

      • Article 5 - Interpretation

        Words and expressions used in these Regulations and interpretative provisions applying to these Regulations are set out in Part 8.

    • Part 2: General Provisions for the Processing of Personal Data

      • Article 6 - General requirements

        (1) Data Controllers must ensure that Personal Data which they process is:
        (A) processed fairly, lawfully and securely;
        (B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
        (C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
        (D) accurate and, where necessary, kept up to date; and
        (E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
        (2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
        (3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.

      • Article 7 - Requirements for legitimate Processing

        A Data Controller may only Process Personal Data if:

        (1) the Data Subject has unambiguously given his consent;
        (2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
        (3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
        (4) Processing is necessary in order to protect the vital interests of the Data Subject;
        (5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
        (6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

      • Article 8 - Processing of Sensitive Personal Data

        (1) A Data Controller shall not process Sensitive Personal Data unless:
        (A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
        (B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
        (C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
        (D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
        (E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
        (F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
        (G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
        (H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
        (I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
        (2) Article 8(1) shall not apply if:
        (A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
        (B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
        (3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.

      • Article 9 - Transfers to jurisdictions with adequate levels of protection

        (1) Subject to Article 10, a Data Controller may only transfer Personal Data to a Recipient located in a jurisdiction outside the QFC if an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient.
        (2) The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject as referred to in Article 9(1) shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:
        (A) the nature of the data;
        (B) the purpose and duration of the proposed Processing operation or operations;
        (C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
        (D) any relevant laws to which the recipient is subject, including professional rules and security measures.

      • Article 10 - Transfers to jurisdictions without adequate level of protection

        (1) A Data Controller may transfer Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 9(1) on condition that:
        (A) the QFC Authority has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;
        (B) the Data Subject has given his unambiguous consent to the proposed transfer;
        (C) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of precontractual measures taken in response to the Data Subject's request;
        (D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
        (E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
        (F) the transfer is necessary in order to protect the vital interests of the Data Subject;
        (G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
        (H) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject;
        (I) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
        (J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller which is established in the QFC.
        (2) An appeal against a decision by the QFC Authority to refuse to issue a permit referred to in Article 10(1)(A) may be made to the Tribunal.

      • Article 11 - Providing information where data obtained from the Data Subject

        (1) A Data Controller shall provide a Data Subject whose Personal Data it collects with at least the following information immediately upon commencing to collect Personal Data in respect of that Data Subject:
        (A) the identity of the Data Controller;
        (B) the purposes of the Processing for which the Personal Data are intended; and
        (C) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as:
        (i) the Recipients or categories of Recipients of the Personal Data;
        (ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
        (iii) the existence of the right of access to and the right to rectify the Personal Data;
        (iv) whether the Personal Data will be used for direct marketing purposes; and
        (v) whether the Personal Data will be processed on the basis of Article 8(1)(G) or Article 10(1)(I).
        (2) A Data Controller need not provide that information otherwise required by Article 11(1)(C)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.

      • Article 12 - Providing information where data not obtained from the Data Subject

        (1) Where Personal Data has not been obtained from the Data Subject, a Data Controller or his representative must at the time of undertaking the recording of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data is first recorded or disclosed provide the Data Subject with at least the following information:
        (A) the Personal Data or categories of Personal Data concerned; and
        (B) the information set out in Article 11(1).
        (2) Article 12(1) shall not apply to require:
        (A) the Data Controller to provide information which the Data Controller reasonably expects that the Data Subject already has; or
        (B) the provision of such information if it proves impossible or would involve a disproportionate effort.

      • Article 13 - Confidentiality

        Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data must not process it except on instructions from the Data Controller, unless he is required to do so by law.

      • Article 14 - Security of Processing

        (1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
        (2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
        (3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.

    • Part 3: Rights Of Data Subjects

      • Article 15 - Right to access, rectification, erasure and blocking of Personal Data

        A Data Subject has the right to require and obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense:

        (1) confirmation as to whether Personal Data relating to him is being processed and, if so, information at least as to the purposes of the Processing, the categories of Personal Data concerned and the Recipients or categories of Recipients to whom the Personal Data is disclosed;
        (2) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
        (3) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of these Regulations.

      • Article 16 - Right to object to Processing

        (1) A Data Subject has the right to:
        (A) object at any time on reasonable grounds relating to his particular situation to the Processing of Personal Data relating to him; and
        (B) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
        (2) Where there is a justified objection, the Processing instigated by the Data Controller shall no longer include that Personal Data.

    • Part 4: Records and Notifications to the QFC Authority

      • Article 17 - Requirement to record operations and notify the QFC Authority

        (1) A Data Controller must establish and maintain a record of all wholly or partly automatic Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes.
        (2) The QFC Authority may make Rules prescribing:
        (A) the information in relation to Personal Data Processing operations that must be recorded for the purposes of Article 17(1);
        (B) the circumstances in which a Data Controller must notify the QFC Authority of any operations referred to in Article 17(1); and
        (C) the content of any such notification.

      • Article 18 - Register of notifications

        The QFC Authority shall keep a register of Personal Data Processing operations notified in accordance with Article 17.

    • Part 5: The QFC Authority

      • Article 19 - General Powers of the QFC Authority

        (1) The QFC Authority has such functions and powers as may be conferred or expressed to be conferred on it, by or under these Regulations.
        (2) Without limiting the generality of Article 19(1), such powers and functions of the QFC Authority include the powers and functions, so far as are reasonably practicable, to:
        (A) access Personal Data processed by Data Controllers or Data Processors;
        (B) collect all the information necessary for the performance of its supervisory duties;
        (C) prescribe forms to be used for any of the purposes of these Regulations;
        (D) issue warnings or admonishments and make recommendations to Data Controllers; and
        (E) bring contraventions of these Regulations to the attention of the Tribunal.

      • Article 20 - Production of information

        (1) The QFC Authority may require a Data Controller by written notice to:
        (A) give specified information; and
        (B) produce specified documents
        which relate to the Processing of Personal Data.
        (2) The Data Controller in respect of whom a requirement is made pursuant to Article 20(1) shall comply with that requirement.

      • Article 21 - Power to make Rules

        (1) The QFC Authority may make Rules in respect of any matters related to the Processing of Personal Data and the regulation of Data Controllers.
        (2) In particular, the QFC Authority when exercising the power in Article 21(1) may make Rules in respect of:
        (A) forms, procedures and requirements under these Regulations;
        (B) the keeping of the register of notifications; and
        (C) the conduct of the QFC Authority and its officers, employees and agents in relation to the exercise of powers and performance of functions.
        (3) Where any Rules made for the purpose of these Regulations purport to be made in exercise of a particular power or powers, it shall be taken also to be made in the exercise of all powers under which it may be made.

    • Part 6: Remedies, Liability And Sanctions

      • Article 22 - Directions

        (1) If the QFC Authority is satisfied that a Data Controller has contravened or is contravening these Regulations or Rules made for the purpose of these Regulations, the QFC Authority may issue a direction to the Data Controller requiring him to do either or both of the following:
        (A) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
        (B) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.
        (2) A direction issued under Article 22(1) shall contain:
        (A) a statement of the contravention of these Regulations or Rules which the QFC Authority is satisfied is being or has been committed; and
        (B) a statement to the effect that the Data Controller may appeal a decision of the QFC Authority to issue the direction to the Tribunal.
        (3) An appeal against a decision by the QFC Authority to issue a direction pursuant to Article 22(1) may be made to the Tribunal.

      • Article 23 - Claims

        (1) A person who believes on reasonable grounds that he has been adversely affected by a contravention of the Regulations in respect of the Processing of his Personal Data or as regards the exercise of their rights under Articles 15 and 16 may file a claim with the QFC Authority.
        (2) The QFC Authority may enquire into any claim filed with it in accordance with Article 23(1) and may in the course of making such enquiries, rely upon those powers referred to in Article 20.
        (3) On the basis of an enquiry referred to in Article 23(2), the QFC Authority may issue a direction requiring the Data Controller to do any act or thing.
        (4) A Data Controller shall comply with any direction issued by the QFC Authority under Article 22(1).

    • Part 7: General Exemptions

      • Article 24 - General exemptions

        (1) These Regulations do not apply to natural persons in the course of their purely personal or household activities.
        (2) The QFC Authority may make Rules exempting Data Controllers from compliance with these Regulations or any parts of these Regulations.
        (3) Without prejudice to Article 24(1), Articles 9, 10, 11 and 12 shall not apply to the Regulatory Authority, QFC Authority or CRO if the application of those Articles would be likely to prejudice the proper discharge by those entities of their functions.

    • Part 8: Interpretation and Definitions

      • Article 25 - Interpretation

        (1) In these Regulations, a reference to:
        (A) a provision of any law or regulation includes a reference to that provision as amended or re-enacted from time to time;
        (B) an obligation to publish or cause to be published a particular Document shall, unless expressly provided otherwise in these Regulations, include publishing or causing to be published in printed or electronic form;
        (C) a calendar year shall mean a year of the Gregorian calendar;
        (D) a month shall mean a month of the Gregorian calendar;
        (E) the masculine gender includes the feminine and the neuter;
        (F) writing includes any form of representing or reproducing words in legible form; and
        (G) references to a person includes any natural or legal person, Body Corporate, or body unincorporate, including a branch, company, partnership, unincorporated association, government or state.
        (2) The headings in these Regulations shall not affect its interpretation.
        (3) A reference in these Regulations to a Part, Article or Schedule by number only, and without further identification, is a reference to a Part, Article or Schedule of that number in these Regulations.
        (4) A reference in these Regulations to a Schedule, an Article or a Part using a short form description of such Schedule, Article or Part in parenthesis are for convenience only and the short form description shall not affect the construction of the Article or Part to which it relates.
        (5) A reference in an Article or other division of these Regulations to a paragraph, sub-paragraph or Article by number or letter only, and without further identification, is a reference to a paragraph, sub-paragraph or Article of that number or letter contained in the Article or other division of these Regulations in which that reference occurs.
        (6) Each of the Schedules to these Regulations shall have effect as if set out in these Regulations and references to these Regulations shall include reference to the Schedules.
        (7) Any reference in these Regulations to "include", "including", "in particular", "for example", "such as" or similar expressions shall be considered as being by way of illustration or emphasis only and are not to be construed so as to limit the generality of any words preceding them.

      • Article 26 - Definitions

        The following words and phrases shall where the context permits have the meanings shown against each of them:

        Appeals Body: the Appeals Body of the QFC established pursuant to Article 8 of the QFC Law.
        CRO: the Companies Registration Office established pursuant to Article 7 of the QFC Law.
        Data Controller: any person in the QFC who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
        Data Processor: any person who processes Personal Data on behalf of a Data Controller.
        Data Subject: the individual to whom Personal Data relates.
        Identifiable Natural Person: a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
        Minister: the minister of Economy and Commerce of the State.
        Personal Data: any information relating to an identified natural person or an Identifiable Natural Person.
        Processing: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
        QFC: the Qatar Financial Centre.
        QFC Authority or QFCA: the Qatar Financial Centre Authority established pursuant to Article 3 of the QFC Law.
        QFC Law: Law No. (7) of 2005 of the State.
        Recipient: a Person to whom Personal Data is disclosed, whether a Third Party or not; however, authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as recipients.
        Regulations: Regulations enacted by the Minister in accordance with Article 9 of the QFC Law.
        Regulatory Authority: the Regulatory Authority of the QFC established pursuant to Article 8 of the QFC Law.
        Rules: Rules made by the QFC Authority pursuant to the QFC Law, these Regulations or any other Regulation pursuant to which the QFC Authority has power to make rules, including, where the context permits, standards, principles and codes of practice.
        Sensitive Personal Data: Personal Data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life.
        State: the State of Qatar.
        TDR Regulations: Regulations to be enacted or enacted by the Minister with the consent of the Council of Ministers pursuant to the QFC Law relating to the Tribunal and the resolution of disputes.
        Third Party: a person other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
        Tribunal: the tribunal established or to be established pursuant to the TDR Regulations.