QATAR Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Dean Jaloudi and Jehan Saleh, GLA & Company
nisms to supervise AI-driven decision-making and mitigate bias. Additionally, the QCB recently issued guide - lines to ensure the ethical use of AI in the finan - cial sector. These guidelines mirror the PDPPL safeguards by stating that AI systems must only collect and process personal data necessary for their intended function, and must not be used beyond the defined purpose. Financial institu - tions must provide clear explanations to users about how their data is processed by AI sys - tems. Customers should be informed if AI-driven decisions affect them, and about the reasoning behind the decisions. AI-driven systems must obtain explicit consent from individuals before processing their data. 1.6 Interplay Between AI and Data Protection Regulations As previously mentioned, all AI guidelines in Qatar are closely tied to the PDPPL, ensuring that AI systems handling personal data comply with national privacy laws. AI deployers must ensure that AI models only process data for lawful and predefined purposes, in line with the PDPPL’s consent and data minimisation princi - ples. 2. Privacy Litigation 2.1 General Overview Requirement to Appoint Privacy Protection Officers The PDPPL does not provide for an express obligation on organisations in Qatar or the QFC to appoint a data protection officer. Neverthe - less, there is an obligation on the data controller to specify processors responsible for protect - ing personal data, to train them appropriately
on the protection of personal data and to raise their awareness in relation to protecting personal data. Criteria Necessary for Collection and Processing The collection and processing of data must be conducted in compliance with the PDPPL. The controller is bound to process data honestly and legally. The criteria followed for collection and processing of data in the State of Qatar is based on the principle of consent. The data controller or any other party who is conducting data pro - cessing is obliged to provide a lawful purpose for which the data is being processed; specifi - cally, describing the activities and the degrees of disclosure of personal data and any other infor - mation deemed necessary and required for the satisfaction of personal data processing. Those obligations align with the provisions stipulated in Articles 13 and 8 of the PDPPL. An individual may, at any time, have access to their personal data and request its review, in the presence of any observer. In the same vein, any individual whose data is being processed or col - lected has the right to require and obtain from the data controller – upon request, at reason - able intervals and without excessive delay or expense – a confirmation as to whether personal data relating to them is being processed and, if so, information at least as to the purposes of the processing, the categories of personal data con - cerned and the recipients or categories of recipi - ents to whom the personal data is disclosed. Other than as mentioned above, no person may request access to any personal information held by an authority, other than their personal data. As recently discussed, a practical example explaining the criteria necessary for collection and processing is the collection and tracking of
346 CHAMBERS.COM
Powered by FlippingBook