Personal Data Breach – Notification Requirements Under Qatar Law. Who, When, to Whom and How? – Lexology

In an ever-expanding and evolving digital environment, the risk of a personal data breach is a reality that no organization can or should ignore.
Personal data is generally defined as information that relates to an identified or identifiable individual. Examples of personal data are names, addresses and identification documents (passport, identity card). A personal data breach is the unlawful or accidental loss, alteration, destruction or disclosure of personal data as a result of an organization’s security measures or internal protocols being compromised.
It is critical to understand when and how your organization may be required to disclose a data breach, in order to minimize not only the potential harm (financial, reputational or emotional) to the individuals whose personal data is affected, but also your organization’s liability and reputational exposure.
This article is a high-level summary of key notification requirements under Qatar law for both data controllers and processors in the event of a personal data breach incident.
Under Qatar law, controllers and processors of personal data are required to implement necessary and appropriate precautions to prevent personal data breaches. Such precautions comprise technical security measures but also internal policies and tools (such as data privacy impact assessments, personal data management systems), which are not addressed in this article but are directly tied to an organization’s potential liability in the event of a breach.
1. Regulatory Framework
There are two regulatory frameworks to consider: Qatar laws and the rules and regulations applicable in the Qatar Financial Centre (“QFC”).
There are two key laws to consider for personal data breach notification purposes:
(i) Law No. (13) of 2016 on the Protection of Personal Data Privacy (“PDP Law”); together with the complementary guidelines issued by the Compliance & Data Protection Department (“CDP”) at the Ministry of Transport and Communications (“Guidelines”); and
(ii) the Cybercrime Prevention Law No. (14) of 2014 (“Cybercrime Law”).
Qatar Financial Centre (“QFC”)
Within the QFC, the key laws are the recently updated Data Protection Regulations and Data Protection Rules (together the “QFC Regulations”) which officially replaced previous regulations and rules in June 2022 and include (new) notification requirements (see below).
2. Controller or Processor?
To understand your notification obligations, you must first assess whether your organization is a “Controller” (i.e. it determines how the personal data is processed and the purpose(s) of such processing) or a “Processor” (it processes the personal data on behalf of one or several controllers), as this determines your organization’s notification obligations under both the PDP Law and the QFC Regulations. However, your organization’s status (controller or processor) is irrelevant for the purposes of the Cybercrime Law (see further details below).
Under the PDP Law and the QFC Regulations, if you are a processor, you are required to inform the relevant controller(s) for whom you process personal data of any breach of, or threat to, the personal data you process.
There is no statutory time frame to notify the controller(s), although the controller and the processor may have agreed a time frame contractually. Under the PDP Law, notification must be made “immediately after the processor becomes aware of such breach or threat.” The QFC Regulations provide for notification “without undue delay after becoming aware of a Personal Data Breach.” A processor is not, however, required to notify the underlying data subjects and/or local authorities.
We set out below the relevant notification requirements applicable to controllers under the PDP Law and the QFC Regulations.
3. PDP Law
Article 14 of the PDP Law requires a controller to notify both the relevant individual(s) (whose data was compromised) and the CDP of any breach “if such breach would result in serious damage to the personal data or privacy of the individuals”.
There is no definition of “serious damage” under the PDP Law or the Guidelines. The controller is therefore responsible for making that assessment and acting accordingly, i.e. deciding whether or not to notify and documenting the rationale and supporting elements for that decision. This should be weighed carefully, on a case-by-case basis and often under time pressure to contain further data loss and/or to mitigate potential liability and reputational exposure. Consideration must be given to the type of data involved, the volume of data compromised, the data subjects impacted, the remedial measures undertaken, whether the breach is ongoing or contained, etc.
The CDP guidelines call for a notification to the CDP and the affected individuals within 72 hours of becoming aware of the breach.
Notification process: who do you notify and how?
You are required to notify both the CDP and data subjects.
CDP: there is a dedicated form available at which we understand can be emailed to the CDP at [email protected], although we typically also recommend filing a hard copy with the CDP.
Data subjects: the Guidelines call for direct individual notifications describing the breach, the potential consequences of the breach, the remedial steps taken and contact details for questions.
4. QFC Regulations
The competent authority within the QFC is the Data Protection Office (“DPO”). A controller must notify the DPO “without undue delay and, where feasible, not later than 72 hours after having become aware of [a breach]”.
This requirement does not apply if the controller “has determined that the Personal Data Breach is unlikely to result in a risk to the rights and legitimate interests of Data Subjects”. As under the PDP Law, this assessment, and the resulting decision whether to notify the DPO, is at the organization’s discretion. At this time, the QFC has not issued any guidelines in relation to such assessment.
The QFC Regulations call for a notification to the DPO and the affected individuals (assuming the Controller decides to notify the data subjects) within 72 hours of becoming aware of the breach.
Who do you notify?
Notifying the DPO is mandatory unless the Controller has determined that such notification was not warranted (see above). Unlike the PDP Law, notifying data subjects is at the Controller’s discretion.
Form of notification and contents:
The notification must at least describe the nature of the breach, the categories and approximate number of data subjects affected, the contact person within the organization, the likely consequences of the breach and the remedial measures undertaken or contemplated. Notifications made to data subjects later than 72 hours after the Controller has become aware of the breach must include an explanation of the reason(s) for the delay.
5. Cybercrime Law
There is no distinction between controller and processor under the Cybercrime Law, since the law targets the unlawful access to the personal data itself, regardless of the type of organization targeted.
Article 1 of the Cybercrime Law defines “Cybercrime” as “Any act involving an unlawful use of an information technology technique, an information system or the Internet in violation of the provisions of this Law”. Under Article 3, this comprises “(…) any person who (i) intentionally and illegally accesses in any way a website, an information system, an information network (…) exceeds authorized access; (iii) or knowingly continues his visit or access”.
Article 22(2) of the Cybercrime Law further requires the prompt reporting of “any crime mentioned in this Law or any unlawful attempts regarding any capturing [defined as viewing or acquiring electronic data information], intercepting or spying and provide the competent authority with any information necessary to uncover the truth”.
There is no set timeline for reporting besides the above reference to a “prompt” reporting.
Who do you notify?
The competent authority for the reporting is the Cybersecurity and Economic Crimes Combatting Section (“CECCS”) of the Ministry of Interior (“MoI”).
The notification is made through a cover letter (in Arabic or in dual English-Arabic language) accompanied by the relevant supporting documentation, which must be translated into Arabic. The officials are typically open to reviewing the existing English documentation beforehand to confirm whether it is sufficient for their purposes.
6. Sanctions
PDP Law: failure to report a data breach to the CDP and/or the impacted data subjects carries fines of up to QAR 1 million per violation.
Failure to put in place appropriate precautions commensurate with the nature and importance of the underlying personal data carries fines of up to QAR 5 million per violation, which applies equally to controllers and processors.
QFC: the QFC Regulations provide for a variety of sanctions, ranging from a reprimand and a prohibition on processing to fines (which are capped at USD 1.5 million).
7. Additional Considerations
– To disclose or not to disclose?
While your organization may consider that there is no risk of “serious damage” (PDP Law) or “risk to the rights and legitimate interests of Data Subjects” (QFC Regulations), other factors, such as uncertainty regarding the amount of information breached and/or the risk of public exposure (in particular over social media), may prompt your organization to consider notifying the relevant authorities and/or affected individuals nonetheless. Regardless of the decision to disclose or not, and particularly if you decide not to disclose the incident, make sure that all correspondence, investigations, remedial measures, etc. are properly documented.
– Additional notification requirements?
Your organization may be subject to additional notification requirements, whether by being subject to other laws (such as the European General Data Protection Rules) or under cyber-liability insurance coverage, which must all be factored in.
– Ripple effect and lessons learned
A personal data breach typically has multiple ramifications and will test your organization’s internal policies, decision-making cohesion and responsiveness. Issues such as internal and external communication and the technical remedial measures to be adopted all call for advance planning. This can be achieved, among other tools, through the establishment of an incident response plan (IRP).
© Copyright 2006 – 2022 Law Business Research