QATAR Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Dean Jaloudi and Jehan Saleh, GLA & Company
points of players, their movements and position - ing during the FIFA World Cup 2022. Accord - ing to the PDPPL, this is considered process - ing. However, even if the GDPR and the PDPPL require prior express consent, an examination has concluded that, in the context of the FIFA World Cup, the players impliedly consented to the processing of such personal data by the World Cup organisers. Henceforth, the criteria are based on prior express consent, though in certain circum - stances (as mentioned above) the collection and processing may occur in the context of implied consent. Application of the “Data Privacy by Design and by Default” Concept The PDPPL requires controllers to implement appropriate administrative, technical and finan - cial precautions to protect personal data. These precautions must be proportionate to the risk of serious damage to individuals. This is known as “Data Privacy by Design and by Default”. Data controllers are currently invited to integrate pri - vacy tools and techniques into their processing activities and practices, starting from the design stage, throughout the life of the activity. The best-known example would be the approach provided by data controllers, requiring individu - als to opt in not opt out. Furthermore, the Data Protection Impact Assess - ment (DPIA) and a Record of Personal Data Pro - cessing are key components of any personal data management system. This aligns with the provisions in Articles 13 and 11(1) of the PDPPL. In the State of Qatar, the protection of personal data based on the “Data Privacy by Design and by Default” concept requires the organisation or entity to implement or use built-in products and
systems that are considered as privacy-friendly and as protecting the personal data of each con - cerned individual. Implementation of Internal/External Policies and Data Subject Rights According to the PDPPL and Guidelines issued in the State of Qatar, organisations and control - lers are bound to implement policies and proce - dures to enable individuals and data subjects to exercise their rights, including the right to with - draw consent and to request erasure or correc - tion of personal data. Data controllers have 30 days to respond to such requests. Data Subject Rights In the State of Qatar, the PDPPL provides that the data controller should ensure that the data collected is: • being processed fairly, lawfully and securely; • being processed for specified, explicit and legitimate purposes in accordance with the data subject’s rights and not further pro - cessed in a way incompatible with those purposes or rights; • adequate, relevant and not excessive in rela - tion to the purposes for which it is collected or further processed; • accurate and, where necessary, kept up to date; and • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected or for which it is further pro - cessed. Fairness and Impact Analysis The Guidelines issued in the State of Qatar pro - vide for a DPIA before undertaking any process - ing activities. This would be applicable in circum - stances where special or sensitive data is being
347 CHAMBERS.COM
Powered by FlippingBook