QATAR Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Dean Jaloudi and Jehan Saleh, GLA & Company
ience against cybercrimes and crises. All data breaches should be reported to the NCSA.

In the QFC, the DPO is concerned with the data protection framework. It is the institution charged with providing guidance on all data protection matters or complaints related to the QFC Regulations. The DPO is concerned with the protection of the rights of individuals and ensuring implementation of protection measures for all QFC entities, firms or future investors.

1.3 Enforcement Proceedings and Fines

The enforcement process is usually triggered by a complaint filed before the NCSA, which is the competent authority in the State of Qatar. The NCSA will commence an investigation process in order to verify the veracity of the complaint; thereafter, if warranted, it will issue a judicial order binding the controller or processor in line with its powers under the law.

The competent department, as listed in the PDPPL, will issue a rectification decision, ordering the violating entity to rectify the violation within a fixed period, as per Article 26 of the PDPPL. Previously it was understood that the competent department was the MCIT; however, recently the NCSA clarified that this department was not yet designated. The controller or processor has the right to file a “grievance” against such order to the relevant minister within 60 days from the date of notification. The decision issued by the minister related to such grievance shall be deemed final, according to Article 26 of the PDPPL.

According to Article 29 of the PDPPL, the judicial officers and/or law enforcement officers designated by the NCSA have the power to seize and document any crimes related to violations of the provisions of the law.
Furthermore, at the QFC level, if the DPO determines a contravention or violation of the law by any data controller, a direction would be issued to the data controller to undertake the following, in compliance with Article 22 of the QFC Regulations:

• to act or omit from performing any step; and
• to refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction.

1.4 Data Protection Fines in Practice

Increasing activity has been seen by the regulators in both the State of Qatar and the QFC; however, no more than a handful of publicly announced fines or actions have occurred, and the NCSA and QFC have not disclosed the names of the offending companies.

1.5 AI Regulation

The NCSA recently issued the Guidelines for Secure Adoption and Usage of Artificial Intelligence. This publication aims to provide guidance to organisations on how to securely deploy AI systems and products. The guidelines address critical risks such as privacy violations, AI bias, security vulnerabilities and compliance challenges, particularly in sectors where AI processes personal data (such as finance, healthcare and law enforcement). Safeguards include role-based access controls and strong encryption to secure AI data processing.

Further, AI systems must comply with PDPPL requirements for data minimisation, purpose limitation and lawful processing. AI models must incorporate auditability, traceability and documentation requirements. Additionally, organisations must adopt adaptive risk management frameworks and human-in-the-loop mecha -