Data Protection and Privacy 2025

QATAR Law and Practice

Contributed by: Alex Saleh, Asad Ahmad, Dean Jaloudi and Jehan Saleh, GLA & Company

processed or exported. Organisations could be subject to a fine of QAR1 million (USD275,000) for failing to carry out a DPIA. Moreover, Article 3 of the PDPPL provides that data processing must be in conformity with the law and principles of good faith.

A request for a permit from the CDPD at the MCIT should be submitted and should identify both permissible grounds and “additional conditions” for processing. In addition, the Guidelines define the process for obtaining a permit. Data controllers should fill out the “Special Nature Processing Request Form”, which must be submitted to the CDPD. In the same vein, data controllers will need to submit the relevant DPIA and any other additional information that the CDPD may request. Currently, such documents are submitted by email. However, an online portal that would facilitate such submissions is expected to be launched soon.

Definition of Harm to National Privacy and Data Protection Under the PDPPL

A personal data breach means a breach of security leading to the unlawful or accidental alteration, destruction, loss, or unauthorised disclosure of or access to personal data. This includes both accidental or incidental and deliberate breaches.

The following are examples of harm or breaches classified as violations to data subject rights:

• theft or loss of IT equipment containing personal or business-sensitive data;
• inappropriately accessing personal data about customers/staff;
• leaving confidential/sensitive files that may contain personal data unattended;
• inadequate disposal of confidential files that may contain personal data material;
• unauthorised disclosure of client data; and
• using client data for personal gain.

Personal data breaches often result in adverse impacts being suffered by individuals, organisations and/or communities, such as:

• compromised personal safety or privacy;
• the burden of additional legal obligations or regulatory penalties;
• financial loss/commercial detriment;
• disruption to business or reputational damage; and
• the inability of individuals to access their data or exercise rights under privacy laws.

The above examples are not exhaustive but are indicative of the types of breaches and consequences against which controllers must put precautions in place for purposes of prevention and mitigation.

Sensitive or Special Data

In the State of Qatar, the PDPPL addresses the concept of sensitive personal data, first introduced in the EU in its framework on data protection and human rights. The PDPPL specifically defines sensitive data as any data consisting of information as to a natural person’s:

• ethnic origin/race;
• physical or mental health or condition;
• religious beliefs;
• relationships/marital status;
• criminal records; and
• children.

This category of “special” personal data is not available for processing except with the permission of the MCIT.

CHAMBERS.COM