Whistleblowing | Workplace Compliance

Qatar Personal Data Privacy Protection Law (PDPPL)

Qatar's first national data protection statute requiring organizations that process personal data electronically to secure consent, protect sensitive information, and report serious breaches to the National Cyber Security Agency.

Region: Qatar/
Sector: Public & Private/
Effective date: 12/29/2016/
Last regulatory update: 04/01/2025/
Mandatory:Yes/
Schedule a Consultation

Table of contents

    What Is the Qatar Personal Data Privacy Protection Law?

    Qatar’s Law No. 13 of 2016 on Protecting Personal Data Privacy (PDPPL) was published in Qatar’s Official Gazette on December 29, 2016. It entered into force 30 days later, with a six-month transition period for organizations to bring their existing data processing activities into compliance.

    It was the first national-level data protection law in the Gulf Cooperation Council (GCC) region and remains broadly aligned with principles later codified in the EU’s General Data Protection Regulation (GDPR), although it predates it and uses fixed administrative fines rather than turnover-based penalties.

    The law applies to any controller or processor, public or private, that processes personal data electronically or prepares it for electronic processing within Qatar, including foreign organizations that handle the personal data of individuals located there. The Qatar Financial Center operates its own, separate data protection regime and falls outside the PDPPL's scope.

    Individuals protected under the law are any natural person whose personal data is processed, referred to in the statute as the Individual. The law grants individuals specific rights over their personal data rather than protection from retaliation, distinguishing it from whistleblower or speak-up legislation.

    Key PDPPL Provisions

    Consent Requirement (Article 4)

    Controllers must obtain an individual's consent before processing personal data, except where processing is otherwise permitted by law.

    Special Nature Data

    Data concerning children, health, religion, ethnicity, marital status, or criminal record cannot be processed without prior permission from the competent department.

    Breach Notifications (Article 13, 14)

    Processors must notify controllers immediately of a security incident, and controllers must notify the regulator and affected individuals of breaches that may cause serious damage.

    Cross-Border Transfer (Article 15)

    Data transfers outside Qatar are generally permitted, but the regulator can intervene where a transfer would violate the law or cause serious harm.

    Direct Marketing Restrictions

    Electronic marketing communications require prior consent and must identify the sender and provide an opt-out method.

    Who Is Responsible for the Qatar PDPPL?

    The National Cyber Security Agency (NCSA) administers the PDPPL through its National Cyber Governance and Assurance Affairs divisions and the National Data Privacy Office. The NCSA took over this role from the Ministry of Transport and Communications’ Compliance and Data Protection Department.

    NCSA investigates complaints, issues binding rectification decisions, and publishes implementing guidelines that supplement the statutory text, including the 72-hour breach notification window.

    Where a violation also constitutes a crime under the law, authorized ministry employees work in coordination with the Public Prosecutor to investigate and refer the matter for prosecution. Organizations can challenge NCSA decisions through Qatar's ordinary administrative and judicial appeal channels.

    What Are the Possible Penalties Under the Qatar PDPPL?

    Articles 23, 24, and 25 set out the Law’s administrative fines. Violations involving data security, breach disclosure, or unauthorized direct marketing carry fines of up to QAR 1,000,000 (~$275,000). More serious violations, including unlawful processing of special nature data or failure to protect children’s data, carry fines of up to QAR 5,000,000 (~$1,370,000).

    Companies found responsible may be fined up to QAR 1,000,000, in addition to any criminal liability incurred separately by the individuals responsible for the violation within the entity. The NCSA's National Data Privacy Office has issued a growing number of binding compliance decisions since 2024, including orders against ICT, e-commerce, and contracting companies, typically giving organizations a fixed period, such as 60 days, to remediate.

    What Does the Qatar PDPPL Require?

    Organizations must obtain an individual’s consent before processing their personal data unless another lawful basis applies, and must give prior notice covering the controller’s identity, the purpose of processing, and the extent of any disclosure to third parties.

    Before processing personal data of a special nature (e.g., health, religion, ethnicity, or criminal records), organizations must obtain prior permission from the competent department at the NCSA, as the individual’s consent alone is not sufficient.

    If a security incident occurs, the processor must notify the controller immediately, and the controller must, in turn, notify the NCSA and any affected individuals if the breach may cause serious damage. Regulatory guidance sets this notification window at 72 hours after the breach is detected.

    Organizations should also maintain a personal data management system, including a record of processing activities and, where processing may pose a meaningful risk to an individual’s privacy, a data protection impact assessment. Failure to conduct an assessment or document why one was not necessary can result in a fine.

    Individuals can exercise their right to access their personal data, request corrections, withdraw consent, and object to processing they believe is unnecessary or unlawful. Cross-border transfers of personal data are not prohibited outright, but the NCSA can restrict a transfer if it would breach the law or expose an individual to serious harm.

    Core PDPPL Requirements

    Lawful Basis & Consent

    Obtain and record consent for processing, with additional prior consent required for electronic direct marketing.

    Sensitive Data Permission

    Secure the competent department's prior permission before processing data of a special nature.

    Breach Notification Chain

    Processor notifies controller immediately; controller notifies the NCSA and affected individuals within the 72-hour notification window, where serious harm may occur.

    Data Protection Impact Assessment

    Assess privacy risk before new processing activities, or document why an assessment was not performed.

    Individual Rights Handling

    Provide channels for access, correction, consent withdrawal, and objection requests.

    Cross-Border Transfer Safeguards

    Document the legal basis for transfers outside Qatar and be prepared to justify them if the NCSA raises concerns.

    Why Is the Qatar Personal Data Privacy Protection Law Important?

    Qatar was the first GCC member state to pass a generally applicable data protection law, moving enforcement from an awareness-raising phase into active investigation and sanction. Since late 2024, the NCSA’s National Data Privacy Office has issued binding decisions against companies across the ICT, e-commerce, and contracting sectors, showcasing real regulatory exposure.

    Organizations that already maintain a GDPR-aligned privacy program are well-positioned to comply with the Qatar PDPPL, as the two share core principles such as purpose limitation, data minimization, and accountability. The main differences between the two legal texts are that the PDPPL lacks the GDPR’s broader set of lawful bases for processing and uses fixed fines.

    How FaceUp Helps Comply with the Qatar PDPPL

    The PDPPL does not require a confidential reporting channel or protect reporters from retaliation. However, it is relevant to organizations operating whistleblowing systems under local laws, such as the Qatar Financial Center Regulatory Authority (QFCRA) Whistleblowing Rules, because those systems naturally process personal data that falls within the PDPPL's scope.

    FaceUp provides organizations with an easy-to-use platform that can be deployed in as little as two hours, with multi-channel intake across web forms, 24/7 hotlines, and iOS/Android mobile apps in 113 languages, and a centralized case management system with role-based access and automatic data logging.

    FaceUp also supports compliance through strong data security controls. Its data hosting is ISO 27001- and SOC 2-certified and includes end-to-end encryption, automatic metadata removal, and no IP or device ID tracking. These features directly support the PDPPL’s security and confidentiality expectations for any personal data an organization holds, including case data generated through a reporting channel.
     

    Quick Facts

    Big Icon Whistleblowing

    Full legislation

    Applies to

    Controllers and processors handling personal data electronically within Qatar, excluding the Qatar Financial Center.

    Penalties

    Administrative fines from QAR 1,000,000 up to QAR 5,000,000, depending on severity, plus potential criminal liability for responsible individuals.

    The FaceUp Solution

    FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

    • Fully Anonymous Reporting

      Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.

      • Mobile-First Accessibility

      • No IP storage, no device IDs, encrypted submissions

      • Customizable forms, categories, routing rules, and more

      Explore Reporting
    • Customizable Case Management

      Create an easily verifiable audit trail through a customizable case management system with automatic routing.

      • Supports multiple locations, subsidiaries, or units

      • Entity-specific routing and access permissions

      • Optional notifications via email, Teams, or Slack

      Explore Case Management
    • FaceUp - Risk & Compliance Analytics

      Real-Time Data Analytics

      Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.

      • Filter by category, region, channel, and more

      • Share without revealing sensitive information

      • ISO 27001 and SOC 2-certified local servers

      Explore Analytics

    Explore How FaceUp Can Help Your Organization