Law No. 13 of 2016 Promulgating the Protection of the Privacy of Personal Data Law


No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior permission of Sultan Al-Abdulla & Partners.

SULTAN AL-ABDULLA & PARTNERS 2017


Law No. 13 of the Year 2016 Promulgating the Protection of the Privacy of Personal Data Law

We, Tamim bin Hamad Al Thani, The Emir of the State of Qatar,

After perusal of the Constitution, and
The Law on Telecommunications as enacted by virtue of the Law No 34 of the year 2006, and
The Law on Electronic Transactions and E-Commerce as enacted by virtue of the Law No 16 of the year 2010, and
The Law No 2 of the year 2011 on Official Statistics, as amended by virtue of the Law No 4 of the year 2015, and
The Law on Combating Cybercrimes, as enacted by virtue of the Law No 14 of the year 2014, and
The Emiri Decree No 42 of the year 2014 on Establishing the Communication Regulatory Authority, and
The Emiri Decree No 8 of the year 2016 on the Organizational Structure of the Ministry of Transport and Communication, and
The Proposal submitted by the Minister of Transport and Communication, and
The Bill submitted by the Council of Ministers, and
Having consulted the Shura Council,

We hereby decree as follows:

Chapter One
Definitions and General Provisions

Article 1

For purposes of implementing the present Law, the following words and terms shall have the meanings assigned thereto unless the context requires otherwise:

The Ministry: The Ministry of Transport and Communication.

The Minister: The Minister of Transport and Communication.

The Competent Department: The administrative Department concerned within the Ministry.

The Competent Authority: Any governmental authority with the competence by law to organize any works or procedures relating to processing and supervising Personal Data.

Individual: A natural person whose Personal Data is being processed.

Controller: A natural and/or legal person who, whether acting individually or jointly, determines how Personal Data may be processed and determines the purpose(s) of any such processing.

Processor: A natural and/or legal person who processes Personal Data for the Controller.

Personal Data: Data belonging to an Individual with specified or reasonably specifiable identity whether through such Personal Data or through combining the same with any other Data.

Personal Data Processing: Conducting a process or a group of processes on the Personal Data, including, but are not limited to, collection, receipt, recording, organization, storing, configuration, changing, retrieval, use, disclosure, publication, transmission, preclusion, disposal, erasing and/or cancellation.

Cross-boundary Data Flow: Accessing, watching, retrieving, using and/or using Personal Data without regard to the boundaries of the State.

Legitimate Purpose: The purpose for which Personal Data of an Individual is being processed pursuant to applicable law.

Acceptable Practices: Processing activities determined or approved by the Competent Department with regard to various types of Legitimate Purposes.

Direct Marketing: Service of any promotional and/or marketing material by any means to specific persons.

Telecommunications: Sending, transmitting and/or receiving signals, codes, images, material, audio, video, data, scripts and/or information of any type and/or nature via means of telecommunications, radio, video, any other electro-magnetic means of communication and/or any other similar means of communication.

E-communication: Any communication made by any means of Telecommunications.

Establishing an E-communication: Establishing, sending and/or transmitting an E-communication; causing the same or directing the Processor to do it.

Website Operator: A person operating a website on the Internet, promoting products or services thereon, while collecting or processing Personal Data of the users of visitors of such website.

Article 2

The present Law shall apply to Personal Data upon e-processing thereof, where such Personal Data are received, collected or mined in any other way in anticipation of e-processing the same, or where such Personal Data are processed through combining e-processing and traditional processing techniques.

The present Law shall not apply to Personal Data processed by Individuals themselves within the scopes of their personal or familial lives, nor shall the present Law apply to Personal Data processed for purposes of collecting official statistical data pursuant to the Law No 2 of the year 2011 referred to hereinabove.

Chapter Two
Individuals' Rights

Article 3

Every Individual shall have the right to the protection of their Personal Data. Such Personal Data may not be processed save within the binding limits of transparency, honesty, respect to human dignity and the Acceptable Practices as per the provisions of the present Law.

Article 4

Unless the processing is necessary to meet a Controller's Legitimate Purpose or a Legitimate Purpose of a receiving third party, the Controller may only process Personal Data after obtaining the Individual's consent.

Article 5

An Individual may at any time:

1. Withdraw their previously given consent to processing the Personal Data thereof; and
2. Object to processing the Personal Data thereof if such processing is not necessary to achieve the purposes for which such Personal Data have been collected or where such collected Personal Data are beyond the extent required, discriminatory, unfair and/or illegal; and
3. Request omission or erasing of the Personal Data thereof in any of the cases provided above (1 and 2), upon cessation of the Purpose for which the processing was conducted, or where all justifications of storing such Personal Data by the Controller cease to exist; and
4. Request corrections to the Personal Data thereof. A request so made shall be accompanied with proof of the accuracy of such request.

Article 6

An Individual may, at any time, access the Personal Data thereof and request revision of the same from any Controller. Particularly, an individual shall have the right to:

1. Be notified of processing the Personal Data thereof and the purposes for which such processing is to be conducted; and

2. Be notified of any disclosure of any inaccurate Personal Data thereof; and
3. Obtain a copy of the Personal Data thereof after paying an amount that shall not exceed the service fee.

Article 7

The controls and procedures governing the exercising of Individuals' right provided for in the previous two Articles shall be determined by a decree by the Minister.

Chapter Three
Obligations of the Controller and the Processor

Article 8

The Controller shall:

1. Process the Personal Data honestly, integrally and legitimately; and
2. Process the controls on designing, changing and/or developing Personal Data-related products, systems and services; and
3. Take appropriate administrative, technical and physical precautions as necessary to protect Personal Data, in accordance with what is determined by the Competent Department; and
4. Abide by the privacy protection policies as developed by the Competent Department and decreed by the Minister.

Article 9

Prior to proceeding with any processing of any Personal Data, the Controller shall notify the Individual of:

1. The Controller's details or those of any other party conducting the processing for the Controller or to enable the Controller to use such processed Personal Data; and
2. The Legitimate Purposes for which the Controller, or any other party, desires to process the Personal Data; and
3. Full and precise description of the processing activities and the levels of disclosure of such Personal Data for the Legitimate Purposes. If the Controller is unable to do so, the Controller shall enable the Individual to access a general description of the Personal Data; and
4. Any other information necessary and required to meet the requirements of processing Personal Data.

Article 10

The Controller shall verify that the Personal Data being collected thereby or therefor are relevant to the Legitimate Purposes and sufficient for meeting the same. The Controller shall also verify that such Personal Data are accurate, complete and up-to-date to meet the Legitimate Purposes. The Controller shall not keep any such Personal Data beyond the period necessary to meet such Legitimate Purposes.

Article 11

The Controller shall:

1. Review privacy protection measures before proceeding with new processes; and
2. Determine the Processors responsible for protection of Personal Data; and
3. Train, and raise the awareness of, the Processors in the protection of Personal Data; and
4. Develop an internal system to receive and look into complaints, data access requests and omission/correction requests; and shall provide access thereto to Individuals; and
5. Develop an internal effective Personal Data management system, and report any breach of protection measures thereof; and
6. Use appropriate technologies to enable Individuals to exercise their rights to directly access, review and correct their respective Personal Data; and
7. Conduct comprehensive audits and reviews on the compliance with Personal Data protection requirements; and
8. Ensure Processors' compliance with the instructions given thereto, adoption of appropriate precautions to protect Personal Data, and follow through on the same constantly.

Article 12

The Controller shall, upon disclosing Personal Data or serving them to the Processor, observe its compliance with the Legitimate Purposes. The Controller shall also ensure that Personal Data are processed as per the present Law.

Article 13

The Controller and the Processor shall adopt all necessary precautions to protect Personal Data against loss, damage, change, disclosure and/or illegal / inadvertent access thereto and/or use thereof. Precautions so adopted shall be commensurate to the nature and the importance of the Personal Data under protection.

The Processor shall forthwith notify the Controller of any breach of such precautions or where any risk of threats arises to Personal Data in any way.

Article 14

The Controller shall notify the Individual and the Competent Department of any breach of the precautions provided for in the previous Article where any such breach may cause serious damage to the Personal Data or to the Individual's privacy.

Article 15

Subject to the obligations provided for in the present Law, the Controller shall not take any decision or adopt a measure that may limit the Cross-boundary Personal Data Flow unless the underlying processing falls foul of the present Law or where such processing may cause serious damage to the Personal Data or to the Individual's privacy.

Chapter Four
Personal Data of Special Nature

Article 16

Personal Data shall be considered of a special nature if they relate to the racial origin, children, health condition, physical condition, psychological condition, religious beliefs, spousal relation, and/or criminal crimes.

The Minister may add other types of Personal Data of Special Nature where the misuse and/or disclosure of the same may cause serious damage to Individuals.

Personal Data of Special Nature may only be processed after obtaining the permission from the Competent Department as per the measures and controls decreed by the Minister.

Moreover, the Minister may, by virtue of a decree issued thereby, impose additional binding precautions to protect Personal Data of Special Nature.

Article 17

Subject to the obligations provided for herein, the owner or the Operator of any child-based website shall:

1. Post a notice on the website in respect of what child data are, how they are used and the policies adopted for purposes of disclosure; and
2. Obtain explicit consents from parents of the children whose Personal Data are being processed whether then E-communication or any other appropriate means; and
3. Provide parents, upon their request and verification of identities, with a description of the type of Personal Data being processed, while stating the purpose of processing and providing a copy of the Personal Data processed or collected about the child; and
4. Upon request of parents, delete, erase or stop the processing of any Personal Data collected from or about the child; and
5. Ensure that a child's participation in a game, promotional award or any other activity is not conditional on provision of any Personal Data by the child in excess of the necessary Personal Data for purposes of such participation.

Chapter Five
Exemptions

Article 18

The Competent Authority may decide to process certain Personal Data without regard to Articles 4, 9, 15, 17 of the present law, to achieve any of the following purposes:

1. Ensure national security, law and order; and
2. Protect international relations of the State; and
3. Safeguard the economic or financial interests of the State; and
4. Abort any criminal crime, collect any information on or investigate the same.

The Competent Authority shall have an ad-hoc record to keep the Data that shall achieve the purposes referred to. The aforesaid record shall be created and kept as per the conditions and controls decreed by the Minister.

Article 19

The Controller shall be relieved of the obligation to comply with Articles 4, 5 (1), 5 (2), 5 (3) and 6 of the present Law where any of the following cases / purposes arises:

1. Executing a public interest-based task as per applicable laws; and/or
2. Enforcing a legal obligation or a competent court order; and/or
3. Protecting vital interests of an Individual; and/or
4. Achieving public interest-based scientific research purposes; and/or
5. Collecting Personal Data needed for a criminal crime investigation upon official request from the investigating authority.

Article 20

The Controller shall be relieved of the disclosure requirement about the Controller's grounds for refusal to observe any of the Individual's rights provided for under Article 6 hereof where any such disclosure may hinder the purposes provided for under Article 18 of the present Law.

Article 21

Subject to the two previous Articles, the Controller shall be relieved of the obligation to comply with Article 6 of the present Law in any of the following cases:

1. If the disclosure may cause damage to the commercial interests of another person; and/or

2. If the performance of such an obligation may result in disclosing any Personal Data of another nonconsenting Individual or where any such disclosure may result in moral and/or tangible damage(s) to that Individual or any other Individual.

Chapter Six
E-communications for Direct Marketing

Article 22

No E-communication may be sent for purposes of direct marketing to an Individual save after obtaining such Individual's prior consent.

Any E-communication so served shall include the identity of the creator thereof in addition to an explicit notice that the service is meant for direct marketing. Any such E-communication shall also include a valid verifiable easy-accessible address through which the Individual may serve a request to the creator to stop further service or withdraw the earlier consent provided to such service.

Chapter Seven
Penalties

Article 23

Without prejudice to any stricter punishment provided for under any other law, any violation of Articles 4, 8, 9, 10, 11, 12, 14, 15 and/or 22 of the present Law shall be punishable with a penalty not exceeding QAR 1,000,000.

Article 24

Without prejudice to any stricter punishment provided for under any other law, any violation of Articles 13, 16 (3) and/or 17 of the present Law shall be punishable with a penalty not exceeding QAR 5,000,000.

Article 25

Without prejudice to the criminal liability of the subordinate natural person, any legal person violator of the present Law shall be punishable with a penalty not exceeding QAR 1,000,000 where any crime incriminated herein is committed for and in such legal person's name.

Chapter Eight
Final Provisions

Article 26

Any Individual may file a complaint with the Competent Department upon any violation of the present Law and the executive decrees thereof.

The Competent Department may, following a review of any complaint so filed up to proven seriousness, issue a reasoned decision to oblige the Controller or the Processor, as the case may be, to set right the violation complained of within a period specified by the Competent Department.

The Controller or the Processor may, within sixty (60) days of notification, appeal any decision taken before the Minister.

The Minister shall settle any appeal so filed within sixty (60) days from the date of filing. If the said sixty (60) day period elapses without a response, this shall be an implicit dismissal of the appeal. The Minister's decision shall be binding.

Article 27

The Competent Department may, for purposes of implementing the provisions of the present Law, take all necessary measures, particularly to:

1. Coordinate with any professional group and/or league or any other association representing the Controllers or the Website Operators with a view to encouraging and developing self-control, raising awareness of the present Law and developing the training and education programs; and/or
2. Work with family organizations and societies to boost child safety on the Internet; and/or
3. Conduct research, capture technological developments relating to the matters provided for in the present Law, and develop reports or make recommendations thereof.

Article 28

Any agreement and/or contract falling foul of the present Law shall be null and void.

Article 29

Employees of the Ministry, who shall enjoy the law enforcement legal capacity by virtue of a decree issued by the Attorney General in agreement thereto with the Minister, shall have the legal capacity to detect and prove crimes and violations of the present Law.

Article 30

Those addressed by the present Law shall set right their conditions to ensure compliance therewith within six (6) months of the enforcement date hereof. The Council of Ministers may, upon the Minister's proposal, extend the said six (6) month period for one or more equal periods.

Article 31

The Minister shall take and issue the decisions and decrees necessary to implement the present Law.

Article 32

Every Competent Authority shall respectively implement the present Law. The present Law shall be promulgated in the Official Gazette.

* * * * * *