Data Protection Regulations 2005
The Minister of Economy and Commerce hereby enacts the following regulations pursuant to Article 9 of Law No. (7) of 2005
Mohammed bin Ahmed bin Jassim Al Thani
Minister of Economy and Commerce of the State of Qatar
Issued at: The Qatar Financial Centre, Doha
On: 14th Ramadan 1426 A.H.
Corresponding to: 17th October 2005 A.D.
Part 1: Application, Commencement and Interpretation
Article 1 - Citation
These Regulations may be referred to as the Data Protection Regulations 2005.
Article 2 - Application
These Regulations are made by the Minister pursuant to Article 9 of the QFC Law and shall apply in the QFC. To the fullest extent permitted by the QFC Law, the laws, rules and regulations of the State concerning the matters dealt with by or under these Regulations shall not apply in the QFC.
Article 3 - Commencement
These Regulations shall come into force on the date of signature by the Minister.
Article 4 - Language
In accordance with Article 9 of the QFC Law, these Regulations are written in the English language and the English text thereof shall be the official original text. Any translation thereof into another language shall not be authoritative and in the event of any discrepancy between the English text of these Regulations and any other version, the English text shall prevail.
Article 5 - Interpretation
Words and expressions used in these Regulations and interpretative provisions applying to these Regulations are set out in Part 8.
Part 2: General Provisions for the Processing of Personal Data
Article 6 - General requirements
(1) Data Controllers must ensure that Personal Data which they process is:
(A) processed fairly, lawfully and securely;
(B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
(C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
(D) accurate and, where necessary, kept up to date; and
(E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
(2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
(3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.
Article 7 - Requirements for legitimate Processing
A Data Controller may only Process Personal Data if:
(1) the Data Subject has unambiguously given his consent;
(2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(4) Processing is necessary in order to protect the vital interests of the Data Subject;
(5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
(6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
Article 8 - Processing of Sensitive Personal Data
(1) A Data Controller shall not process Sensitive Personal Data unless:
(A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
(B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
(C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
(D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
(E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
(F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
(H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
(I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
(2) Article 8(1) shall not apply if:
(A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
(B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
(3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.
Article 9 - Transfers to jurisdictions with adequate levels of protection
(1) Subject to Article 10, a Data Controller may only transfer Personal Data to a Recipient located in a jurisdiction outside the QFC if an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient.
(2) The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject as referred to in Article 9(1) shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:
(A) the nature of the data;
(B) the purpose and duration of the proposed Processing operation or operations;
(C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
(D) any relevant laws to which the recipient is subject, including professional rules and security measures.
Article 10 - Transfers to jurisdictions without adequate level of protection
(1) A Data Controller may transfer Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 9(1) on condition that:
(A) the QFC Authority has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;
(B) the Data Subject has given his unambiguous consent to the proposed transfer;
(C) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of precontractual measures taken in response to the Data Subject's request;
(D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
(E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
(F) the transfer is necessary in order to protect the vital interests of the Data Subject;
(G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
(H) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject;
(I) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
(J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller which is established in the QFC.
(2) An appeal against a decision by the QFC Authority to refuse to issue a permit referred to in Article 10(1)(A) may be made to the Tribunal.
Article 11 - Providing information where data obtained from the Data Subject
(1) A Data Controller shall provide a Data Subject whose Personal Data it collects with at least the following information immediately upon commencing to collect Personal Data in respect of that Data Subject:
(A) the identity of the Data Controller;
(B) the purposes of the Processing for which the Personal Data are intended; and
(C) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as:
(i) the Recipients or categories of Recipients of the Personal Data;
(ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
(iii) the existence of the right of access to and the right to rectify the Personal Data;
(iv) whether the Personal Data will be used for direct marketing purposes; and
(2) A Data Controller need not provide that information otherwise required by Article 11(1)(C)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.
Article 12 - Providing information where data not obtained from the Data Subject
(1) Where Personal Data has not been obtained from the Data Subject, a Data Controller or his representative must at the time of undertaking the recording of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data is first recorded or disclosed provide the Data Subject with at least the following information:
(A) the Personal Data or categories of Personal Data concerned; and
(B) the information set out in Article 11(1).
(2) Article 12(1) shall not apply to require:
(A) the Data Controller to provide information which the Data Controller reasonably expects that the Data Subject already has; or
(B) the provision of such information if it proves impossible or would involve a disproportionate effort.
Article 13 - Confidentiality
Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data must not process it except on instructions from the Data Controller, unless he is required to do so by law.
Article 14 - Security of Processing
(1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
(2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
(3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.
Part 3: Rights Of Data Subjects
Article 15 - Right to access, rectification, erasure and blocking of Personal Data
A Data Subject has the right to require and obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense:
(1) confirmation as to whether Personal Data relating to him is being processed and, if so, information at least as to the purposes of the Processing, the categories of Personal Data concerned and the Recipients or categories of Recipients to whom the Personal Data is disclosed;
(2) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(3) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of these Regulations.
Article 16 - Right to object to Processing
(1) A Data Subject has the right to:
(A) object at any time on reasonable grounds relating to his particular situation to the Processing of Personal Data relating to him; and
(B) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
(2) Where there is a justified objection, the Processing instigated by the Data Controller shall no longer include that Personal Data.
Part 4: Records and Notifications to the QFC Authority
Article 17 - Requirement to record operations and notify the QFC Authority
(1) A Data Controller must establish and maintain a record of all wholly or partly automatic Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes.
(2) The QFC Authority may make Rules prescribing:
(A) the information in relation to Personal Data Processing operations that must be recorded for the purposes of Article 17(1);
(B) the circumstances in which a Data Controller must notify the QFC Authority of any operations referred to in Article 17(1); and
(C) the content of any such notification.
Article 18 - Register of notifications
The QFC Authority shall keep a register of Personal Data Processing operations notified in accordance with Article 17.
Part 5: The QFC Authority
Article 19 - General Powers of the QFC Authority
(1) The QFC Authority has such functions and powers as may be conferred or expressed to be conferred on it, by or under these Regulations.
(2) Without limiting the generality of Article 19(1), such powers and functions of the QFC Authority include the powers and functions, so far as are reasonably practicable, to:
(A) access Personal Data processed by Data Controllers or Data Processors;
(B) collect all the information necessary for the performance of its supervisory duties;
(C) prescribe forms to be used for any of the purposes of these Regulations;
(D) issue warnings or admonishments and make recommendations to Data Controllers; and
(E) bring contraventions of these Regulations to the attention of the Tribunal.
Article 20 - Production of information
(1) The QFC Authority may require a Data Controller by written notice to:
(A) give specified information; and
(B) produce specified documents which relate to the Processing of Personal Data.
(2) The Data Controller in respect of whom a requirement is made pursuant to Article 20(1) shall comply with that requirement.
Article 21 - Power to make Rules
(1) The QFC Authority may make Rules in respect of any matters related to the Processing of Personal Data and the regulation of Data Controllers.
(2) In particular, the QFC Authority when exercising the power in Article 21(1) may make Rules in respect of:
(A) forms, procedures and requirements under these Regulations;
(B) the keeping of the register of notifications; and
(C) the conduct of the QFC Authority and its officers, employees and agents in relation to the exercise of powers and performance of functions.
(3) Where any Rules made for the purpose of these Regulations purport to be made in exercise of a particular power or powers, it shall be taken also to be made in the exercise of all powers under which it may be made.
Part 6: Remedies, Liability And Sanctions
Article 22 - Directions
(1) If the QFC Authority is satisfied that a Data Controller has contravened or is contravening these Regulations or Rules made for the purpose of these Regulations, the QFC Authority may issue a direction to the Data Controller requiring him to do either or both of the following:
(A) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(B) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.
(2) A direction issued under Article 22(1) shall contain:
(A) a statement of the contravention of these Regulations or Rules which the QFC Authority is satisfied is being or has been committed; and
(B) a statement to the effect that the Data Controller may appeal a decision of the QFC Authority to issue the direction to the Tribunal.
(3) An appeal against a decision by the QFC Authority to issue a direction pursuant to Article 22(1) may be made to the Tribunal.
Article 23 - Claims
(1) A person who believes on reasonable grounds that he has been adversely affected by a contravention of the Regulations in respect of the Processing of his Personal Data or as regards the exercise of their rights under Articles 15 and 16 may file a claim with the QFC Authority.
(2) The QFC Authority may enquire into any claim filed with it in accordance with Article 23(1) and may in the course of making such enquiries, rely upon those powers referred to in Article 20.
(3) On the basis of an enquiry referred to in Article 23(2), the QFC Authority may issue a direction requiring the Data Controller to do any act or thing.
(4) A Data Controller shall comply with any direction issued by the QFC Authority under Article 22(1).
Part 7: General Exemptions
Article 24 - General exemptions
(1) These Regulations do not apply to natural persons in the course of their purely personal or household activities.
(2) The QFC Authority may make Rules exempting Data Controllers from compliance with these Regulations or any parts of these Regulations.
Part 8: Interpretation and Definitions
Article 25 - Interpretation
(1) In these Regulations, a reference to:
(A) a provision of any law or regulation includes a reference to that provision as amended or re-enacted from time to time;
(B) an obligation to publish or cause to be published a particular Document shall, unless expressly provided otherwise in these Regulations, include publishing or causing to be published in printed or electronic form;
(C) a calendar year shall mean a year of the Gregorian calendar;
(D) a month shall mean a month of the Gregorian calendar;
(E) the masculine gender includes the feminine and the neuter;
(F) writing includes any form of representing or reproducing words in legible form; and
(G) references to a person includes any natural or legal person, Body Corporate, or body unincorporate, including a branch, company, partnership, unincorporated association, government or state.
(2) The headings in these Regulations shall not affect its interpretation.
(3) A reference in these Regulations to a Part, Article or Schedule by number only, and without further identification, is a reference to a Part, Article or Schedule of that number in these Regulations.
(4) A reference in these Regulations to a Schedule, an Article or a Part using a short form description of such Schedule, Article or Part in parenthesis are for convenience only and the short form description shall not affect the construction of the Article or Part to which it relates.
(5) A reference in an Article or other division of these Regulations to a paragraph, sub-paragraph or Article by number or letter only, and without further identification, is a reference to a paragraph, sub-paragraph or Article of that number or letter contained in the Article or other division of these Regulations in which that reference occurs.
(6) Each of the Schedules to these Regulations shall have effect as if set out in these Regulations and references to these Regulations shall include reference to the Schedules.
(7) Any reference in these Regulations to "include", "including", "in particular", "for example", "such as" or similar expressions shall be considered as being by way of illustration or emphasis only and are not to be construed so as to limit the generality of any words preceding them.
Article 26 - Definitions
The following words and phrases shall where the context permits have the meanings shown against each of them:
Appeals Body: the Appeals Body of the QFC established pursuant to Article 8 of the QFC Law.
CRO: the Companies Registration Office established pursuant to Article 7 of the QFC Law.
Data Controller: any person in the QFC who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Data Processor: any person who processes Personal Data on behalf of a Data Controller.
Data Subject: the individual to whom Personal Data relates.
Identifiable Natural Person: a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Minister: the minister of Economy and Commerce of the State.
Personal Data: any information relating to an identified natural person or an Identifiable Natural Person.
Processing: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
QFC: the Qatar Financial Centre.
QFC Authority or QFCA: the Qatar Financial Centre Authority established pursuant to Article 3 of the QFC Law.
QFC Law: Law No. (7) of 2005 of the State.
Recipient: a Person to whom Personal Data is disclosed, whether a Third Party or not; however, authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as recipients.
Regulations: Regulations enacted by the Minister in accordance with Article 9 of the QFC Law.
Regulatory Authority: the Regulatory Authority of the QFC established pursuant to Article 8 of the QFC Law.
Rules: Rules made by the QFC Authority pursuant to the QFC Law, these Regulations or any other Regulation pursuant to which the QFC Authority has power to make rules, including, where the context permits, standards, principles and codes of practice.
Sensitive Personal Data: Personal Data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life.
State: the State of Qatar.
TDR Regulations: Regulations to be enacted or enacted by the Minister with the consent of the Council of Ministers pursuant to the QFC Law relating to the Tribunal and the resolution of disputes.
Third Party: a person other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
Tribunal: the tribunal established or to be established pursuant to the TDR Regulations.