Data protection and privacy are important considerations for all businesses. Failing to treat personal information in accordance with legislative requirements and best practice can have an adverse effect on a company's reputation and its relationship with its employees and customers.

Specific data protection regimes are now in place in many jurisdictions. Awareness of the implications of data protection and privacy issues is increasing around the globe, including in the Middle East, where there have been a number of developments in recent months.

This article provides a brief overview of data protection and privacy in the Qatar Financial Centre (QFC).

Background

The QFC has an extensive data protection regime, which comprises the QFC Data Protection Regulations (QFC Regulation No. 6 of 2005) and the QFC Data Protection Rules (together, the QFC DP Regulations).

The QFC DP Regulations have adopted many of the data protection principles and concepts that are applicable in the European Union. The QFC DP Regulations classify data as belonging to one of two categories: Personal Data (which is any information relating to an identified or identifiable natural person), and Sensitive Personal Data (which is Personal Data revealing or relating to racial or ethnic origin, political views, religious affiliation, health and sex life).

Any person in the QFC who determines the purposes and means of processing Personal Data is considered a "Data Controller". According to the QFC DP Regulations, the term "processing" is broadly defined to include:

"any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."

Data Controllers are required to establish and maintain systems and controls that enable them to satisfy themselves that processing Personal Data complies with the requirements of the QFC DP Regulations, and companies in the QFC are required to complete a comprehensive data protection form (Form Q10) prior to processing any Personal Data.

Processing Personal Data

According to the QFC DP Regulations, Data Controllers must ensure that the Personal Data that they process is:

(a) processed fairly, lawfully and securely;

(b) processed for specified, explicit and legitimate purposes in accordance with the rights of the Data Subject (i.e. the individual to whom the Personal Data relates) and not further processed in a way incompatible with those purposes or rights;

(c) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;

(d) accurate and, where necessary, kept up to date; and

(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which it is further processed.

Furthermore, Personal Data may only be processed where:

(a) the Data Subject has unambiguously given his consent;

(b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

(c) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;

(d) Processing is necessary in order to protect the vital interests of the Data Subject;

(e) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or

(f) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

Although it is permissible to transfer data to other jurisdictions, the QFC DP Regulations set out specific guidelines with which QFC companies must comply. The QFC DP Regulations categorise jurisdictions as either (i) a jurisdiction with adequate levels of protection, or (ii) a jurisdiction without adequate levels of protection. The QFC Authority (QFCA) does not maintain a list of "adequate" jurisdictions. Rather, the Data Controller must determine whether a jurisdiction has adequate protection, taking into account:

(a) the nature of the data;

(b) the purpose and duration of the proposed data processing operations; and

(c) any relevant laws to which the recipient of the data is subject.

It is generally advisable to seek the approval of the QFCA prior to transferring data out of the QFC (although it is generally understood that a jurisdiction that has a similar data protection regime to that applicable in the QFC will be considered to offer an adequate level of protection). A specific permit is required where a QFC entity intends to transfer data to a jurisdiction without an adequate level of protection. Furthermore, a QFC entity is required to obtain a specific permit from the QFCA if it processes Sensitive Personal Data.

Rights of Data Subjects

A Data Subject has the right to require and obtain from the Data Controller upon request and without expense:

  • confirmation as to whether Personal Data relating to him is being processed and, if so, information at least as to the purposes of the processing, the categories of Personal Data concerned and the recipients or categories of recipients to whom the Personal Data is disclosed;
  • communication to him in an intelligible form of the Personal Data undergoing processing and of any available information as to its source; and
  • as appropriate, the rectification, erasure or blocking of Personal Data the processing of which does not comply with the provisions of the QFC DP Regulations.

A Data Subject also has the right to object (on reasonable grounds) to the processing of his Personal Data, and to be informed before his Personal Data is disclosed to a third party.

The Qatari Penal Code

Although the QFC is an independent commercial jurisdiction, the provisions of Law No. 11 of 2004 promulgating the Qatar Penal Code (Qatari Penal Code) are applicable to entities in the QFC. According to the provisions of the Qatari Penal Code, it is illegal for a person who has gained knowledge by virtue of his job, occupation, or profession to disclose sensitive information without the permission of the person or people to whom the sensitive information relates. If such an illegal disclosure is made, the person disclosing the information will be subject to a fine of up to QAR 10,000 (approx. USD 2,750) and/or imprisonment for up to two years.
