New Changes to Qatar Financial Center Data Protection Regulation | Denton
With the growing demand and rapid developments in the technology industry, data privacy has become paramount. Many businesses find tremendous value in collecting, sharing, and using data in their day-to-day business operations. In particular, companies must ensure compliance with the regulations when this data concerns personal data. In short, data privacy is a branch of data security that concerns the proper processing of data, including consent, notification, and regulatory obligations.
The changes aim to bring the existing DPR up to the standards of the General Data Protection Regulation 2016/679 (GDPR), which will eventually require companies operating from the QFC to be more diligent in their data compliance practices. The new DPR also aims to ensure proper monitoring and regulation of QFC companies in the context of data protection. Some of the most significant changes introduced by the new DPR include:
- The establishment of eight main principles in the context of the processing of personal data, which mirror those found in the GDPR.
- The extension of the definition and the conditions to be met in order to process personal data and obtain the consent of the persons concerned.
- The establishment of a Data Protection Office and the appointment of a Data Protection Commissioner within the QFC. The Data Protection Office will be dedicated to the compliance of QFC companies with the new DPR and will monitor these activities. The Commissioner, who will determine the procedures and overall management of the independent QFC institution, will have broad powers of investigation if QFC companies fail to comply with the new DPR.
- The extension of the rights of data subjects in relation to their personal data, including the right of access, the right of rectification, the right of erasure, the right of opposition, the right of restriction, the right to portability data and the right not to be subject to a decision based on automated processing or profiling.
- The obligation of the controller to carry out an impact assessment before processing personal data, if the type of processing is likely to result in a high risk to the rights and legitimate interests of data subjects.
- The imposition of significant financial penalties up to a maximum of US$1.5 million for QFC companies that fail to comply with the new DPR or an order from the Data Protection Office.
Besides the significant financial consequences, there could be reputational damage to companies that do not comply with the new DPR. In light of this, QFC companies are encouraged to review the new DPR to ensure that all collection and processing of personal data complies with the new DPR from June 19, 2022. The Data Protection Office will provide also training, guidance and tools on the new DPR. DPR, which QFC companies can benefit from.