Who Is a Data Controller?
Under Qatar's data protection law, a Controller is any person or organization that determines the purposes and means of processing personal data. In practical terms, this could be:
- Your employer holding your HR and payroll records
- A hospital or clinic managing your health records
- A bank or financial institution holding your account details
- A telecom company managing your subscription data
- A landlord holding copies of your passport and QID
- An online business or app collecting your usage data
A Processor is a party that processes data on behalf of the Controller — for example, a third-party payroll company or a cloud storage provider.
The Consent Requirement
Article 4 establishes a fundamental rule: a Controller must obtain your prior consent before processing your personal data, unless the processing is necessary to achieve a Lawful Purpose. This means organizations cannot simply collect and use your data without your knowledge or agreement.
For expats, this is especially relevant when:
- Signing employment contracts that include data sharing clauses
- Registering for services that request copies of your passport or QID
- Subscribing to apps or platforms that collect location or behavioral data
Transparency Obligations Before Processing Begins
Under Article 9, before processing starts, a Controller must inform you of:
- The Controller's full details and contact information
- The lawful purposes for which your data will be used
- Any other parties who may receive or process your data
- Your rights regarding that data
This means any organization asking for your personal data must be upfront about why they need it and what they plan to do with it. Vague or overly broad disclosures may not satisfy this requirement.
Data Quality and Accuracy Standards
Article 10 requires Controllers to verify that the data they collect is:
- Relevant to the stated lawful purpose
- Adequate for achieving that purpose
- Accurate, complete, and up to date
Controllers cannot simply accumulate large volumes of personal data without justification. They must also delete or update data when it is no longer accurate or necessary.
Security and Protection Obligations
One of the most important obligations falls under Article 13, which requires both Controllers and Processors to take all necessary precautions to protect personal data from:
- Loss or damage
- Unauthorized change or alteration
- Unlawful disclosure or access
- Accidental or illegal use
These precautions must be proportionate to the nature and sensitivity of the data involved. Organizations handling health data, financial data, or children's data face a higher standard of security obligation.
Breach Notification Requirements
Article 14 requires Controllers to notify both you as the individual and the Competent Department if a data breach occurs that could cause serious damage to your personal data or privacy. This is a critical right for expats — if your employer or service provider suffers a data breach, they cannot simply stay silent.
If you have not been notified of a breach you are aware of, this may constitute a violation of the law.
Internal Governance Requirements
Article 11 obliges Controllers to put internal systems in place, including:
- Reviewing privacy protections before launching new data processing operations
- Assigning specific staff responsible for personal data protection
- Training employees who handle personal data
- Developing clear data protection policies
This means it is reasonable for expats to expect their employers and service providers to have documented privacy policies and trained staff managing their data.
Penalties for Non-Compliance
Organizations that fail to meet their obligations face significant financial penalties:
- Up to QR 1,000,000 for violations of core obligations including consent, transparency, data quality, and breach notification (Article 23)
- Up to QR 5,000,000 for failures related to data security and special-category data protection (Article 24)
- Up to QR 1,000,000 for legal entities (companies) found liable for violations committed on their behalf (Article 25)
Any contract or agreement that violates these provisions is considered null and void under Article 28.
What You Should Do as an Expat
- Request a copy of your employer's data protection policy when you join a new job
- Review any consent forms carefully before signing, particularly clauses about sharing your data with third parties
- Report suspected breaches to the Competent Department if you believe your data has been compromised and you have not been notified
- Ask your employer who is responsible for managing your personal data and what protections are in place