Who Is a Data Controller in Qatar?
Under Law No. 13 of 2016, a Controller is any person or organisation that determines the purposes and means of processing personal data. If you are an expat living in Qatar, controllers you regularly interact with include:
- Your employer (holds your employment and HR records)
- Banks and financial institutions
- Telecom providers such as Ooredoo and Vodafone Qatar
- Government service platforms
- Retailers and e-commerce platforms
- Healthcare providers
Controllers may also appoint Processors — third parties who handle data on their behalf — but the controller remains ultimately responsible.
Core Legal Obligations of Controllers
Obtaining Lawful Consent (Article 4)
Controllers must obtain your prior consent before processing your personal data. If no consent is obtained, they must demonstrate a Lawful Purpose that legally justifies the processing. You should always be told why your data is needed before it is collected.
Informing You Before Processing Begins (Article 9)
Before any processing starts, the controller must inform you of:
- Their identity and contact details
- The identity of any third-party processor
- The lawful purposes for which your data will be processed
- Any planned disclosure of your data to other parties
This obligation means that surprise data collection is illegal in Qatar. Always look for a privacy notice before submitting your personal details.
Ensuring Data Quality (Article 10)
Controllers must ensure the personal data they hold is:
- Relevant to the stated lawful purposes
- Adequate for achieving those purposes
- Accurate, complete, and up to date
If you discover that a company holds inaccurate data about you, you have the right to demand correction.
Privacy by Design (Article 8 & 11)
Controllers must consider privacy protection from the outset when designing products, systems, or services. They are also required to:
- Review privacy protection measures before launching new processing operations
- Identify specific processors responsible for data protection
- Train staff on personal data protection
- Develop internal policies and procedures for data handling
This means that any service you use in Qatar should have internal privacy safeguards, not just a published policy.
Securing Your Data (Article 13)
Controllers and processors must take precautions proportionate to the nature and sensitivity of the data to protect it against:
- Loss or damage
- Unauthorised changes
- Disclosure to unauthorised parties
- Inadvertent or illegal access
Failing to implement adequate security measures carries penalties of up to QR 5,000,000.
Notifying You of Data Breaches (Article 14)
If a security breach occurs that may cause serious damage to your personal data or privacy, the controller must notify:
- You (the affected individual)
- The Competent Department
This is a significant protection for expats — if your employer or bank suffers a data breach affecting your information, they are legally obligated to tell you.
Restrictions on Cross-Border Data Transfers (Article 15)
Controllers cannot impose unnecessary restrictions on cross-border data flow, but they must ensure that any international transfer does not breach the law or cause serious harm to your privacy.
What Happens When Controllers Break the Rules?
The law sets out clear financial penalties:
- Violations of consent, transparency, data quality, and security notification obligations: up to QR 1,000,000 (Article 23)
- Violations of data security and special-category data rules: up to QR 5,000,000 (Article 24)
- Corporate violations: up to QR 1,000,000 for the legal entity, separate from personal liability of individuals involved (Article 25)
Practical Advice for Expats
- Request privacy notices from any organisation collecting your data
- Check employment contracts for clauses relating to data processing — your employer must comply with this law
- If you receive a breach notification, take it seriously and consider changing passwords or monitoring your financial accounts
- If a company refuses to correct inaccurate data, you can escalate to the Competent Department
- Be aware that contracts violating this law are null and void under Article 28
Summary
Qatar's data privacy law creates a comprehensive framework of controller obligations designed to protect your information. Knowing these rules empowers you to ask the right questions and take action when companies fall short of their legal duties.