Data Protection Regulations 2005
Enactment Notice
The Minister of Economy and Commerce hereby enacts the following regulations pursuant to Article 9 of Law No. (7) of 2005
Mohammed bin Ahmed bin Jassim Al Thani
Minister of Economy and Commerce of the State of Qatar
Issued at: The Qatar Financial Centre, Doha
On: 14th Ramadan 1426 A.H.
Corresponding to: 17th October 2005 A.D.
Part 1: Application, Commencement and Interpretation
Article 1 - Citation
These Regulations may be referred to as the Data Protection Regulations 2005.
Article 2 - Application
These Regulations are made by the Minister pursuant to Article 9 of the QFC Law and shall apply in the QFC. To the fullest extent permitted by the QFC Law, the laws, rules and regulations of the State concerning the matters dealt with by or under these Regulations shall not apply in the QFC.
Article 3 - Commencement
These Regulations shall come into force on the date of signature by the Minister.
Article 4 - Language
In accordance with Article 9 of the QFC Law, these Regulations are written in the English language and the English text thereof shall be the official original text. Any translation thereof into another language shall not be authoritative and in the event of any discrepancy between the English text of these Regulations and any other version, the English text shall prevail.
Article 5 - Interpretation
Words and expressions used in these Regulations and interpretative provisions applying to these Regulations are set out in Part 8.
Part 2: General Provisions for the Processing of Personal Data
Article 6 - General requirements
(1) Data Controllers must ensure that Personal Data which they process is:
(A) processed fairly, lawfully and securely;
(B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
(C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
(D) accurate and, where necessary, kept up to date; and
(E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
(2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
(3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.
Article 7 - Requirements for legitimate Processing
A Data Controller may only Process Personal Data if:
(1) the Data Subject has unambiguously given his consent;
(2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(4) Processing is necessary in order to protect the vital interests of the Data Subject;
(5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
(6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
Article 8 - Processing of Sensitive Personal Data
(1) A Data Controller shall not process Sensitive Personal Data unless:
(A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
(B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
(C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
(D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
(E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
(F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
(H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
(I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
(2) Article 8(1) shall not apply if:
(A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
(B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
(3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.
Article 9 - Transfers to jurisdictions with adequate levels of protection
(1) Subject to Article 10, a Data Controller may only transfer Personal Data to a Recipient located in a jurisdiction outside the QFC if an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient.
(2) The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject as referred to in Article 9(1) shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:
(A) the nature of the data;
(B) the purpose and duration of the proposed Processing operation or operations;
(C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
(D) any relevant laws to which the recipient is subject, including professional rules and security measures.
Article 10 - Transfers to jurisdictions without adequate level of protection
(1) A Data Controller may transfer Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 9(1) on condition that:
(A) the QFC Authority has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;
(B) the Data Subject has given his unambiguous consent to the proposed transfer;
(C) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of precontractual measures taken in response to the Data Subject's request;
(D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
(E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
(F) the transfer is necessary in order to protect the vital interests of the Data Subject;
(G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
(H) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject;
(I) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
(J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller which is established in the QFC.
(2) An appeal against a decision by the QFC Authority to refuse to issue a permit referred to in Article 10(1)(A) may be made to the Tribunal.
Article 11 - Providing information where data obtained from the Data Subject
(1) A Data Controller shall provide a Data Subject whose Personal Data it collects with at least the following information immediately upon commencing to collect Personal Data in respect of that Data Subject:
(A) the identity of the Data Controller;
(B) the purposes of the Processing for which the Personal Data are intended; and
(C) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as:
(i) the Recipients or categories of Recipients of the Personal Data;
(ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
(iii) the existence of the right of access to and the right to rectify the Personal Data;
(iv) whether the Personal Data will be used for direct marketing purposes; and
(v) whether the Personal Data will be processed on the basis of Article 8(1)(G) or Article 10(1)(I).
(2) A Data Controller need not provide that information otherwise required by Article 11(1)(C)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.
Article 12 - Providing information where data not obtained from the Data Subject
(1) Where Personal Data has not been obtained from the Data Subject, a Data Controller or his representative must at the time of undertaking the recording of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data is first recorded or disclosed provide the Data Subject with at least the following information:
(A) the Personal Data or categories of Personal Data concerned; and
(B) the information set out in Article 11(1).
(2) Article 12(1) shall not apply to require:
(A) the Data Controller to provide information which the Data Controller reasonably expects that the Data Subject already has; or
(B) the provision of such information if it proves impossible or would involve a disproportionate effort.
Article 13 - Confidentiality
Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data must not process it except on instructions from the Data Controller, unless he is required to do so by law.
Article 14 - Security of Processing
(1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
(2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
(3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.
Part 3: Rights Of Data Subjects
Article 15 - Right to access, rectification, erasure and blocking of Personal Data
A Data Subject has the right to require and obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense:
(1) confirmation as to whether Personal Data relating to him is being processed and, if so, information at least as to the purposes of the Processing, the categories of Personal Data concerned and the Recipients or categories of Recipients to whom the Personal Data is disclosed;
(2) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(3) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of these Regulations.
Article 16 - Right to object to Processing
(1) A Data Subject has the right to:
(A) object at any time on reasonable grounds relating to his particular situation to the Processing of Personal Data relating to him; and
(B) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
(2) Where there is a justified objection, the Processing instigated by the Data Controller shall no longer include that Personal Data.
Part 4: Records and Notifications to the QFC Authority
Article 17 - Requirement to record operations and notify the QFC Authority
(1) A Data Controller must establish and maintain a record of all wholly or partly automatic Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes.
(2) The QFC Authority may make Rules prescribing:
(A) the information in relation to Personal Data Processing operations that must be recorded for the purposes of Article 17(1);
(B) the circumstances in which a Data Controller must notify the QFC Authority of any operations referred to in Article 17(1); and
(C) the content of any such notification.
Article 18 - Register of notifications
The QFC Authority shall keep a register of Personal Data Processing operations notified in accordance with Article 17.
Part 5: The QFC Authority
Article 19 - General Powers of the QFC Authority
(1) The QFC Authority has such functions and powers as may be conferred or expressed to be conferred on it, by or under these Regulations.
(2) Without limiting the generality of Article 19(1), such powers and functions of the QFC Authority include the powers and functions, so far as are reasonably practicable, to:
(A) access Personal Data processed by Data Controllers or Data Processors;
(B) collect all the information necessary for the performance of its supervisory duties;
(C) prescribe forms to be used for any of the purposes of these Regulations;
(D) issue warnings or admonishments and make recommendations to Data Controllers; and
(E) bring contraventions of these Regulations to the attention of the Tribunal.
Article 20 - Production of information
(1) The QFC Authority may require a Data Controller by written notice to:
(A) give specified information; and
(B) produce specified documents
which relate to the Processing of Personal Data.
(2) The Data Controller in respect of whom a requirement is made pursuant to Article 20(1) shall comply with that requirement.
Article 21 - Power to make Rules
(1) The QFC Authority may make Rules in respect of any matters related to the Processing of Personal Data and the regulation of Data Controllers.
(2) In particular, the QFC Authority when exercising the power in Article 21(1) may make Rules in respect of:
(A) forms, procedures and requirements under these Regulations;
(B) the keeping of the register of notifications; and
(C) the conduct of the QFC Authority and its officers, employees and agents in relation to the exercise of powers and performance of functions.
(3) Where any Rules made for the purpose of these Regulations purport to be made in exercise of a particular power or powers, it shall be taken also to be made in the exercise of all powers under which it may be made.
Part 6: Remedies, Liability And Sanctions
Article 22 - Directions
(1) If the QFC Authority is satisfied that a Data Controller has contravened or is contravening these Regulations or Rules made for the purpose of these Regulations, the QFC Authority may issue a direction to the Data Controller requiring him to do either or both of the following:
(A) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(B) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.
(2) A direction issued under Article 22(1) shall contain:
(A) a statement of the contravention of these Regulations or Rules which the QFC Authority is satisfied is being or has been committed; and
(B) a statement to the effect that the Data Controller may appeal a decision of the QFC Authority to issue the direction to the Tribunal.
(3) An appeal against a decision by the QFC Authority to issue a direction pursuant to Article 22(1) may be made to the Tribunal.
Article 23 - Claims
(1) A person who believes on reasonable grounds that he has been adversely affected by a contravention of the Regulations in respect of the Processing of his Personal Data or as regards the exercise of their rights under Articles 15 and 16 may file a claim with the QFC Authority.
(2) The QFC Authority may enquire into any claim filed with it in accordance with Article 23(1) and may in the course of making such enquiries, rely upon those powers referred to in Article 20.
(3) On the basis of an enquiry referred to in Article 23(2), the QFC Authority may issue a direction requiring the Data Controller to do any act or thing.
(4) A Data Controller shall comply with any direction issued by the QFC Authority under Article 22(1).
Part 7: General Exemptions
Article 24 - General exemptions
(1) These Regulations do not apply to natural persons in the course of their purely personal or household activities.
(2) The QFC Authority may make Rules exempting Data Controllers from compliance with these Regulations or any parts of these Regulations.
Part 8: Interpretation and Definitions
Article 25 - Interpretation
(1) In these Regulations, a reference to:
(A) a provision of any law or regulation includes a reference to that provision as amended or re-enacted from time to time;
(B) an obligation to publish or cause to be published a particular Document shall, unless expressly provided otherwise in these Regulations, include publishing or causing to be published in printed or electronic form;
(C) a calendar year shall mean a year of the Gregorian calendar;
(D) a month shall mean a month of the Gregorian calendar;
(E) the masculine gender includes the feminine and the neuter;
(F) writing includes any form of representing or reproducing words in legible form; and
(G) references to a person includes any natural or legal person, Body Corporate, or body unincorporate, including a branch, company, partnership, unincorporated association, government or state.
(2) The headings in these Regulations shall not affect its interpretation.
(3) A reference in these Regulations to a Part, Article or Schedule by number only, and without further identification, is a reference to a Part, Article or Schedule of that number in these Regulations.
(4) A reference in these Regulations to a Schedule, an Article or a Part using a short form description of such Schedule, Article or Part in parenthesis are for convenience only and the short form description shall not affect the construction of the Article or Part to which it relates.
(5) A reference in an Article or other division of these Regulations to a paragraph, sub-paragraph or Article by number or letter only, and without further identification, is a reference to a paragraph, sub-paragraph or Article of that number or letter contained in the Article or other division of these Regulations in which that reference occurs.
(6) Each of the Schedules to these Regulations shall have effect as if set out in these Regulations and references to these Regulations shall include reference to the Schedules.
(7) Any reference in these Regulations to "include", "including", "in particular" "for example", "such as" or similar expressions shall be considered as being by way of illustration or emphasis only and are not to be construed so as to limit the generality of any words preceding them.
Article 26 - Definitions
The following words and phrases shall where the context permits have the meanings shown against each of them:
Appeals Body: the Appeals Body of the QFC established pursuant to Article 8 of the QFC Law.
CRO: the Companies Registration Office established pursuant to Article 7 of the QFC Law.
Data Controller: any person in the QFC who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Data Processor: any person who processes Personal Data on behalf of a Data Controller.
Data Subject: the individual to whom Personal Data relates.
Identifiable Natural Person: a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Minister: the minister of Economy and Commerce of the State.
Personal Data: any information relating to an identified natural person or an Identifiable Natural Person.
Processing: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
QFC: the Qatar Financial Centre.
QFC Authority or QFCA: the Qatar Financial Centre Authority established pursuant to Article 3 of the QFC Law.
QFC Law: Law No. (7) of 2005 of the State.
Recipient: a Person to whom Personal Data is disclosed, whether a Third Party or not; however, authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as recipients.
Regulations: Regulations enacted by the Minister in accordance with Article 9 of the QFC Law.
Regulatory Authority: the Regulatory Authority of the QFC established pursuant to Article 8 of the QFC Law.
Rules: Rules made by the QFC Authority pursuant to the QFC Law, these Regulations or any other Regulation pursuant to which the QFC Authority has power to make rules, including, where the context permits, standards, principles and codes of practice.
Sensitive Personal Data: Personal Data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life.
State: the State of Qatar.
TDR Regulations: Regulations to be enacted or enacted by the Minister with the consent of the Council of Ministers pursuant to the QFC Law relating to the Tribunal and the resolution of disputes.
Third Party: a person other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
Tribunal: the tribunal established or to be established pursuant to the TDR Regulations.