QA-Law-13-2016 · دولة قطر
قانون حماية خصوصية البيانات الشخصية (قانون رقم 13 لسنة 2016)
Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)
- المجال
- Data
المواد
⚠ ملخّص مُولّد بالذكاء الاصطناعي — هذا ليس النص الرسمي للقانون وقد يكون غير دقيق. ليس استشارة قانونية؛ راجع المصدر الرسمي.
المادة 1
For the implementation of the provisions hereof, the following terms and words shall have such meanings assigned to the same, unless otherwise required by context: Ministry: Ministry of Transport and Communications Minister: Minister of Transport and Communications Competent Department: the competent administrative unit at the Ministry Competent Authority: any government entity competent, as per law, to regulate acts or procedures pertinent to Personal Data Processing and supervision of the same. Individual: a natural person whose Personal Data are processed. Controller: a natural or legal person who, whether acting individually or jointly with others, determines how Personal Data may be processed and determines the purpose(s) of any such processing Personal Data Processing. Processor: a natural or legal person who processes Personal Data for the Controller. Personal Data: data of an individual whose identity is defined or can be reasonably defined whether through such Personal Data or through the combination of such data with any other data. Personal Data Processing: Personal Data Processing through one operation or more such as gathering, receipt, registration, organization, storage, preparation, modification, retrieval, usage, disclosure, publication, transfer, withholding, destruction, erasure and cancellation. Cross-Border Data Flows: access, watch, retrieve, use or store Personal Data without restrictions of the State's borders. Lawful Purpose: The purpose for which Personal Data of an Individual is processed, in accordance with the law. Acceptable Practices: processing activities determined or approved by the Competent Department with regard to various types of Lawful Purposes. Direct Marketing: sending any advertising or marketing material, in whatsoever means, to certain individuals. Wire and Wireless Communications: sending, broadcasting or receiving signals, images, shapes, sound, data, texts or information, of whatsoever kind or nature, via wire, wireless, radio, visual means, other electromagnetic communication means or any other similar communication means. Electronic Communication: a communication by means of any of Wire and Wireless Communications. Electronic Communication Establishment: establish, send or transfer an Electronic Communication or help therewith, or give directions to the Processor to do that. Website Operator: an individual who operates a web site, or offers products or services therethrough and gathers or processes Personal Data of users or visitors of such website.
المادة 2
Provisions hereof shall apply to Personal Data when it is electronically processed, or obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing. Provisions hereof shall not apply to Personal Data processed by individuals within a private or a family scope, or to any Personal Data processed for the purpose of obtaining official statistical data as per provisions of the referred to law No (2) of 2011.
المادة 3
Each Individual has the right to the protection of the Personal Data thereof that shall be processed only within the framework of transparency, honesty, and respect of human dignity, and acceptable practices according to provisions hereof.
المادة 4
The Controller shall process Personal Data only after obtaining the consent of the Individual, unless data processing is necessary to achieve a Lawful Purpose for the Controller or the other recipient of such data.
المادة 5
An Individual may, at any time: 1. Withdraw the prior consent thereof for Personal Data Processing. 2. Object to processing the Personal Data thereof if such processing is not necessary to achieve the purposes for which such Personal Data have been collected or where such collected Personal Data are beyond the extent required, discriminatory, unfair or illegal. 3. Request omission or erasure of the Personal Data thereof in any of the cases referred to in the preceding two items, upon cessation of the purpose for which the processing has been conducted, or where all justifications for maintaining such Personal Data by the Controller cease to exist. 4. Request corrections to the Personal Data thereof. A request so made shall be accompanied with proof of the accuracy of such request.
المادة 6
An Individual may, at any time, access the Personal Data thereof and apply to review the same, in facing any Controller, and an Individual has, in particular, the right to: 1. Be notified of processing of the Personal Data thereof and the purposes for which such processing is conducted. 2. Be notified of any disclosure of inaccurate Personal Data. 3. Obtain a copy of the Personal Data thereof after paying an amount that shall not exceed the service charge.
المادة 7
The controls and procedures, related to individuals' exercise of rights provided for in the two preceding Articles, shall be specified by a decision of the Minister.
المادة 8
The Controller shall abide by the following: 1. Processing Personal Data honestly and legitimately. 2. Considering the controls related to designing, changing or developing products, systems and services pertinent to Personal Data Processing. 3. Taking appropriate administrative, technical and financial precautions to protect Personal Data, in accordance with what is determined by the Competent Department. 4. The privacy protecting policies developed by the Competent Department, and a decision thereon shall be issued by the Minister.
المادة 9
The Controller shall, prior to starting to process any Personal Data, inform the Individual with the following: 1. The Controller's details or any other party conducting the processing for the Controller or to be used thereby. 2. The Lawful Purposes that the Controller or any other party wants to process the Personal Data therefor. 3. Comprehensive and accurate description of the processing activities and the levels of disclosure of such Personal Data for the Lawful Purposes, and if the Controller fails to do so, the Controller shall provide the Individual with a general description thereof. 4. Any other information that is necessary and required for fulfilling conditions of Personal Data Processing.
المادة 10
The Controller shall verify that Personal Data that he collects, or being collected for the benefit thereof, is relevant to the Lawful Purposes and adequate for achieving the same. The Controller shall, also, ensure such data is accurate, complete and up to date to meet such Lawful Purposes. In addition, the Controller shall not keep any Personal Data for a period of time that exceeds the necessary period for achieving such purposes.
المادة 11
The Controller shall take the following procedures: 1. Reviewing privacy protection measures before proceeding with new processing operations. 2. Identifying Processors responsible for Personal Data protection. 3. Training and raising awareness of Processors on protecting personal data. 4. Developing internal systems to receive and investigate complaints, and data access and omission or correction requests; and they shall be made available to individuals. 5. Developing internal systems for the effective management of Personal Data, and reporting any breach of measures aiming at the protection thereof. 6. Using appropriate technologies to enable individuals to exercise their rights to directly access, review and correct their respective Personal Data. 7. Conducting comprehensive audits and reviews on the compliance extent with Personal Data protection requirements. 8. Verifying Processor's compliance with the instructions directed thereto, taking the appropriate precautions to protect Personal Data, and monitoring and following up the same constantly.
المادة 12
The Controller shall, at the time of disclosing Personal Data or transferring it to the Processor, take into consideration that it is in line with Lawful Purposes and is processed according to provisions hereof.
المادة 13
Each of the Controller and the Processor shall take the precautions necessary to protect Personal Data against loss, damage, change, disclosure, access thereto, or the inadvertent or illegal use thereof. Such precautions shall be commensurate with the nature and the importance of the Personal Data intended to be protected. The Processor shall forthwith notify the Controller of the existence of any breach of the precautions referred to, or where any risk arises threatening Personal Data in any way.
المادة 14
The Controller shall inform the Individual and Competent Department of the occurrence of any breach of the precautions provided for in the preceding Article, and if such breach may cause serious damage to Personal Data or individual privacy.
المادة 15
Taking into account the liabilities provided for hereto, the Controller shall be forbidden from taking any decision or measure that may limit the Cross-Border Data Flow, unless the processing of such data is in breach of this Law, or where such processing may cause serious damage to the Personal Data or to the Individual's privacy.
المادة 16
The Personal Data, related to ethnic origin, children, health, physical or psychological condition, religious creeds, marital relations, and criminal offenses, shall be regarded as Personal Data with special nature. The Minister may add other types of Personal Data of a special nature, where the misuse or disclosure of the same may cause serious damage to Individual. Personal Data of a special nature may only be processed after obtaining the permission from the Competent Department, as per the measures and controls determined by a decision issued by the Minister. The Minister may, upon a decision therefrom, impose additional precautions with the intent of protecting Personal Data of a special nature.
المادة 17
Taking into consideration the liabilities provided for hereto, an owner or operator of any website addressing children shall take into account the following: 1. Posting a notification on the website as to what child data is, the way of its use, and the policies followed in the disclosure thereof. 2. Obtaining, either electronically or through any other appropriate means, an explicit consent from the guardian of the child whose Personal Data is processed. 3. Providing a child's guardian, upon the request thereof, and after verifying the identity thereof, with a description of the type of the Personal Data processed, along with stating the purpose of the process together with a copy of the data processed or gathered about the child. 4. Deleting, removing or suspending processing any Personal Data that has been gathered from or about a child, if such is requested by child's guardian. 5. A child's participation in a game, promotional award or any other activity shall not be conditional on the child's provision of Personal Data in excess of the necessary for the participation in such activity.
المادة 18
The Competent Authority may decide to process some Personal Data, without abiding by the provisions of Articles (4), (9), (15) and (17) hereof, for achieving any of the following purposes: 1. Protecting National and public security. 2. Protecting international relations of the State. 3. Protecting the economic or financial interests of the State. 4. Preventing any criminal offense, or gathering information thereon or investigating therein. The Competent Authority shall keep a special record where the data achieving the aforementioned purposes shall be entered. Conditions, controls and statuses of entry on such record shall be specified by virtue of a decision issued by the Minister.
المادة 19
The Controller shall be exempted from the provisions of Articles (4), (5\ Items 1, 2, and 3) and (6) hereof, in any of the following cases: 1. Executing a task related to the public interest as per the law. 2. Implementing a legal obligation or an order rendered by a competent court. 3. Protecting vital interests of Individual. 4. Achieving purposes of scientific research which is underway for public interest. 5. Gathering necessary information for investigation into a criminal offense, upon an official request of investigative bodies.
المادة 20
The Controller shall be exempted from disclosing the reasons for the refusal thereof of abiding by the rights of the Individual, as provided for in Article (6) hereof, if such disclosure would prevent achieving the purposes stipulated in Article (18) hereof.
المادة 21
Taking into consideration the provisions of the preceding two Articles, the Controller shall be exempted from abiding by provisions of Article (6) hereof, in either of the following two cases: 1. When disclosure would cause harm to commercial interests of another individual. 2. When implementation of such liability would cause disclosing Personal Data related to another Individual who does not consent thereto, and disclosure may lead to physical or moral damage either to this Individual or to any other Individual.
المادة 22
The transmission of any Electronic Communication to an Individual, for the purpose of Direct Marketing, shall be forbidden, except after obtaining the prior consent thereof. The Electronic Communication shall include the identity of the originator thereof, and highlight that it is sent for the purpose of Direct Marketing. In addition, it shall include a valid address for easy access thereto and through which an Individual can send a request to the originator to stop such communications or revoke the consent for the sending thereof.
المادة 23
Without prejudice to any more severe penalty stipulated in any other law, a penalty that shall not exceed (1, 000,000) one million QR shall be applicable to anyone violating any of the provisions of the Articles (4, 8, 9, 10, 11, 12, 14, 15, and 22) hereof.
المادة 24
Without prejudice to any more severe penalty stipulated in any other law, a penalty that shall not exceed (5, 000, 000) five million QR shall be applicable to anyone violating any of the provisions of the Articles (13), (16\ paragraph 3), and (17) hereof.
المادة 25
A penalty that shall not exceed (1,000,000) One million QR shall be applicable to violating legal person, in the event of committing any of those crimes stipulated herein on the name or for the interest thereof, without prejudice to criminal liability taken by affiliated natural person.
المادة 26
An Individual may file a complaint to the Competent Department in case of violating provisions hereof and the issued decisions in the implementation thereof. The Competent Department may, after investigating received complaints and proving the seriousness thereof, issue a reasoned decision binding the Controller or Processor, as the case may be, to rectify such breach within a period it specifies. The Controller or Processor may raise a grievance against such decision to the Minister, within sixty days from the notification date thereof. The Minister shall decide on the grievance within sixty days from the date of the submission thereof, and the lapse of such period without a response shall be considered as an implicit rejection of the grievance, and the decision of the Minister thereon shall be final.
المادة 27
The Competent Department may, for the purpose of applying and implementing provisions hereof, take all necessary measures thereto, and in particular the following: 1. Coordinating with any professional group or association, and any other association representing Controllers or Website Operators for the purpose of self-organization encouragement and development, and raising awareness of this Law and developing training and learning programs. 2. Working with organizations and societies interested in family affairs to enhance the safety of children on the internet. 3. Conducting research and monitor developments in technology's fields related to issues covered by this Law and preparing reports or recommendations on the same.
المادة 28
Any contract or agreement made in violation of the provisions hereof shall be regarded as null and void.
المادة 29
The Ministry employees, authorized as law enforcement officers as per a decision by the Public Prosecutor, in agreement with the Minister, may detect and prove crimes committed in violation of provisions hereof.
المادة 30
Parties falling under provisions hereof shall, within six months from the date of the effectiveness thereof, adjust their conditions in line with provisions hereof. Such period may be extended for other similar period or periods by virtue of a decision of the Council of Ministers, upon the proposal of the Minister.
المادة 31
The Minister shall issue the necessary decisions for the implementation of the provisions hereof.
المادة 32
All the competent authorities, each within the competences thereof, shall implement this Law, and it shall be published in the Official Gazette.
أدلة ذات صلة
- حماية بيانات الشخصية والتسويق في قطر
- خروقات البيانات والشكاوى في قطر: ما يجب على المغتربين معرفته
- حقوقك في حماية البيانات الشخصية في قطر: دليل للمقيمين الأجانب
- حماية بيانات الفرد في قطر: دليل التسويق والموافقة
- التزامات مراقب البيانات في قطر القانونية
- انتهاكات البيانات والشكاوى في قطر: ما يحتاج المغتربون معرفته