Doha, Qatar: The National Cyber Security Agency, NCSA, issued the Individuals’ Rights Guidelines that provide information to help understand rights under the Personal Data Privacy Protection Law.
It urged individuals to know their rights, how to exercise these rights and their roles in the protection of personal data privacy in Qatar.
The Agency stated that under the Personal Data Privacy Protection Law in the State of Qatar, individuals have a set of rights that enable them to protect their personal data and control how it is processed.
Below is an explainer on what the rights are and the roles of concerned entities.
What is Personal Data Privacy Protection Law?
Under the Law No. (13) of 2016 concerning the Protection of Personal Data Privacy (PDPPL), one is granted the right that allows one to protect, manage, and control personal data.
These rights include the right to access data, request its correction or deletion, object to its processing, withdraw consent at any time, be informed of data processing, be notified of or object to the disclosure of inaccurate data, in addition to the right to have personal data protected and processed lawfully.
What rights do individuals have under the Personal Data Privacy Protection Law?
-The right to protection and lawful processing
-The right to be notified of inaccurate disclosure
-The right to withdraw consent
-The right to be notified of processing
-The right to erasure
-The right to object
-The right to access
-The right to request correction
What is your responsibilities as an individual?
As the first guardian of data, individuals have a responsibility to read before you agree, think before you share, and choose applications carefully.
What is the responsibility of companies and applications?
As the controller of the data, companies and applications that are trusted with the collected data, are expected to protect and process the data. They are expected to collect only what is necessary, protect what is collected, and do not track or share without consent.
What is the role of competent department in Law Enforcement?
The competent authorities have the responsibility to enforce this law and raise awareness about it. They are expected to legislate, monitor compliance, and protect the individual's rights when violated.
Individual Rights Under the Law
The Personal Data Privacy Protection Law provides clear protections to ensure every personal data is handled responsibly.
Article (3) — The Right to Protection and Lawful Processing
For Individuals: Each Individual has the right to protection of Personal Data. Personal Data must be processed with transparency, honesty, and respect for human dignity
For Regulated Entities: Controllers must implement practices to ensure that personal data is protected and to ensure it is processed lawfully
Article (5/1) — The Right to Withdraw Consent for Processing
For Individuals: An Individual may withdraw prior consent for Personal Data Processing at any time
For Regulated Entities: Controllers must allow withdrawal of consent at any time, stop processing upon withdrawal, respond promptly, and ensure the process is simple without penalising individuals
Article (5/2) — The Right to Object
For individuals: An Individual may object to processing of Personal Data if such processing is not necessary, excessive, discriminatory, unfair, or unlawful
For Regulated Entities: Controllers must:
-Review the objection
-Cease processing where appropriate
-Provide human review for automated decisions
Article (5/3) — The Right to Erasure
For individuals: An Individual may request omission or erasure of Personal Data when:
-The purpose of processing no longer exists
-There is no legal justification for retaining the data
For Regulated Entities: Controllers must respond to erasure requests within 30 days, delete personal data when applicable, inform third parties where data was shared, and explain decisions if the request is rejected
Article (5/4) — The Right to Request Correction
For Individuals: An Individual may request correction of inaccurate Personal Data, supported with proof of accuracy
For Regulated Entities: Controllers must respond to erasure requests within 30 days, delete personal data when applicable, inform third parties where data was shared, and explain decisions if the request is rejected
Article (6) — The Right to Access
For Individuals: An Individual may access the Personal Data thereof and review it. An Individual has the right to:
-Be notified of processing and its purposes
-Be notified of inaccurate disclosure of Personal Data
For Regulated Entities: Controllers must:
-Inform individuals how their personal data is being processed, including categories of data, purposes, retention periods, sharing, and processing location
-Notify individuals of inaccurate disclosures, provide accurate records to third parties for correction, and confirm the correction to the individual
The Individuals' Rights Guidelines, which provide complete information to help understand this law can be accessed here.
