The New Qatar National Privacy Law: First of its Kind in the GCC

Presenter: Kelly Tymburski

17 January 2017

Overview

1. Background and the Existing State of the Law in Qatar on Privacy

2. Setting the Scene

• Key data protection / privacy terminology and principles – an international perspective

3. New National Privacy Law – Application and Key Features

• A case study - review

• What is "personal data" and "sensitive personal data"?

• What are the core principles under which data can be processed?

• Consent requirements

• Exemptions from the Law

• Cross border transfers of information

• Websites targeting children

• Electronic communications for direct marketing

• Enforcement & penalties

4. Compliance - What to do Next?

• Coming into force – grace period

• Your compliance "to-do list"

• Case study - observations

5. Q & A Session

Background and Existing State of the Law in Qatar on Privacy

• Privacy rights and obligations appear across various laws

• Qatari Constitution - a general right of privacy for individuals

• "the sanctity of human privacy shall be inviolable, and therefore interference into privacy of a person, family affairs, home of residence, correspondence, or any other act of interference that may demean or defame a person may not be allowed save as limited by the provisions of the law stipulated therein."

• Qatar Penal Code

• prohibits dissemination of news, photos or information "related to secrets of private life, or families, or individuals" – even if the information is true

• Cybercrime Prevention Law

• Various clauses that criminalize unauthorized access, use or interception of information using electronic means

• Many such laws are also sector specific

• Electronic Commerce and Transactions Law

• Telecommunications Law

Background and Existing State of the Law in Qatar on Privacy (Cont'd)

• Qatar Financial Centre

• QFC Data Protection Regulations

• QFC Data Protection Rules

• Modeled on EU Directive 95/46/EC

• QFC Law 7 of 2005: 'the QFC Laws and Regulations shall apply to The Contracts, Transactions and arrangements conducted by the entities established in, or operating from The QFC, with parties or Entities located in The QFC or in the State but outside The QFC, unless the parties agree otherwise.'

• Under the QFC DP regime – all personal data must be:

(i) processed fairly, lawfully and securely;

(ii) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;

(iii) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;

(iv) accurate and, where necessary, kept up to date; and

(v) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.

• Further obligations are also imposed relating to security, data subject rights, controls on transfers outside of QFC - largely in line with the wider EU Directive position

New National Privacy Law –Application and Key Features


New National Privacy Law – Application and Key Features

In the slides that follow, we will discuss each of the following key aspects of the new Law:

• What is "personal data" and "sensitive personal data"?

• What are the core principles under which data can be processed?

• Consent requirements

• Exemptions from the Law

• Cross border transfers of information

• Websites targeting children

• Electronic communications for direct marketing

• Enforcement & penalties

New National Privacy Law – Case Study Instructions

In the fact scenario set out on the hand-out, try to identify as many "red flags" as you can in connection with the activities being conducted by Qatar Private Co. ("QP Co.") from the perspective of the application and enforcement of the new Qatar Data Privacy Law.

New National Privacy Law – Case Study

QP Co. is a Qatar company operating in the marketing and promotional sector from various offices located across the State, with approximately 60 employees. Its primary activities are acting on behalf of its Qatar-based clients for advertising and promotional campaigns to help promote its clients' products and events. QP Co. has recently been retained by a new client that has a huge upcoming sporting event ("Q-Sports 2017") being hosted in Qatar that it needs help advertising and marketing.

Because the Q-Sports 2017 event is going to require a huge amount of work, QP Co. decides to hire another 10 employees. The QP Co. HR Department maintains a portal and database where individuals can submit their CVs electronically in order to be contacted by QP Co. for any potential open positions. Reema, the HR Manager, starts contacting individuals who have submitted their CV over the past couple of months and finds 9 of the 10 new employees they wish to hire. Struggling to find the tenth, she then goes back searching through the previous two years of CVs and starts contacting those individuals.

Meanwhile, Adam (the Managing Director for QP Co.) is hard at work getting the promotional campaign for Q-Sports 2017 underway. He decides he will start sending promotional messages and event updates for Q-Sports 2017 by email and SMS to a list of contacts that he has from another client earlier in the year. He receives requests from a number of the individuals on the list to stop contacting them about the Q-Sports 2017 event – but the system that QP Co. has in place doesn't allow for the removal of individual contact details from existing distribution lists, so he keeps on sending them the messages and updates anyway. Back in the HR Department, Reema is receiving and filing the relevant paperwork for the new employees containing the results of their medical tests, in order to issue their residency permits.

New National Privacy Law – Case Study (cont'd)

The President of Q-Sports 2017 is very pleased with the interest that QP Co. has been able to generate in the event. So much so, that he asks Adam if QP Co. can also act as the exclusive ticket vendor for them – and in turn, QP Co. will receive a percentage of every ticket sale that they make. Ticket sales is not an area in which QP Co. usually provides services to its clients – but the additional money to be made is extremely appealing. Adam also realizes that it would be very easy to add a new portal page to their website to collect credit card information for ticket purchases, which they could then process manually. He investigates the cost of implementing security encryption standards to the portal, but decides it is too expensive for what is probably going to be a one-time opportunity for a single client and event. He instructs the QP Co. IT Department to add the new payment portal page to the website, and they begin collecting names, addresses and credit card information for ticket purchasers.

Because the Q-Sports 2017 event will also offer a number of free children's activities, Adam asks the IT Department to also design a page specifically promoting these activities where local children can visit to learn more about the event and sign up to receive update messages about the child activities to be offered.

18/01/2017 9

New National Privacy Law – Case Study (cont'd)

Several months later, the Q-Sports 2017 event takes place and is a great success. The client is very happy, and tells QP Co. that it will likely plan to hold another one in 2019 - for which they will probably approach QP Co. to assist with once more. As a result, Adam decides it would be sensible to retain all of the information from the Q-Sports 2017 attendees that they collected during the lead-up to the event, including credit card info (after all, that will make for much less work for QP Co. next time)!

This all seems like a great idea – until Adam receives a frantic call from his IT Department the following weekend, telling him that their IT systems have been hacked and the attendee personal data, including credit card info, has been accessed. Fearful of the bad publicity this may generate for QP Co., Adam tells the IT Department to simply take whatever steps they need to ensure the system is secure moving forward, and not to tell anyone about what has happened.

"Personal Data" and "Sensitive Personal Data"

Personal Data:

"Information about an individual who has a verified identity, or can be verified reasonably; whether through such information or by combining between such information and other data."

Sensitive Personal Data:

"Personal data shall be deemed sensitive if related to the ethnic origin, children, health, physical or psychological condition, religion, marital relations or criminal actions."

Core Principles for Data Processing

• Personal data of an individual is to be processed in accordance with certain principles under the Law, including those of:

• transparency

• integrity

• respect for human dignity

• acceptable practices

• The Law applies whether processing occurs by electronic or non-electronic means

• Information disclosure obligations - i.e. must inform data subjects of:

• purposes for collection

• parties to be involved in processing activities

• manner of processing

• Data controllers must limit their collection and retention of personal data to that which is relevant and necessary to achieve the purposes for which it was collected - and may not retain such data for any longer than the period reasonably necessary to achieve those purposes.

Core Principles for Data Processing (cont'd)

• Ongoing obligations to ensure that the personal data being held is:

• accurate;

• complete; and

• current.

• Security safeguards must be implemented –

• as appropriate taking into account the nature and importance of the data at issue

• more prescriptive standards may be issued by way of Ministerial resolution

• Rights of Data subjects - they may:

• withdraw consent to the processing of their personal data;

• object to certain processing activities;

• issue requests for the deletion or correction of their personal data; and

• request access to their personal data and related info about how / why it is being processed.

• Security breach notification requirements

• apply to both processors and controllers

• controllers to notify data subject and Ministry if breach is "likely to cause serious damages" to data or privacy of individual

• what could go wrong???

Consent Requirements

• As a general rule – consent must be obtained from data subjects prior to processing

• No specifications as to particular form that consent must take

• For "sensitive personal data", however:

• processing is prohibited unless advance approval is obtained from the Ministry

• currently unclear what form this approval process will take

• Ministry expressly reserves right to set additional precautions to protect sensitive personal data

Exemptions from the Law

• Generally - the Law does not apply to the processing of personal data:

• by individuals in connection with personal or family matters; or

• for official statistical purposes.

• Controllers are exempted from complying with certain aspects of the Law (including consent requirements) where the processing is occurring for:

• carrying out a task related to public welfare;

• implementing any legal obligation or order from a competent court;

• protecting the vital interests of an individual;

• achieving purposes of scientific research for public welfare; or

• collecting information needed for investigating any crimes, upon an official request from the investigation bodies.

Exemptions from the Law (cont'd)

• The relevant public authorities may also decide to exempt processing activities from complying with certain aspects of the Law (including data subject consent) where the processing is for the purpose of:

• protecting national and general security

• protecting international relations of the State

• protecting the economic or financial interests of the State

• preventing any crime or collecting information about the same or investigating it

• Further details of the above arriving via pending Ministerial resolutions.

Cross Border Data Transfers

Article (15)

Subject to the obligations stipulated in this Law, the controller may not take any decision or procedure that may block the flow of personal data cross borders unless the processing of such data contradicts the provisions of this Law or may cause serious damages to the personal data or privacy of the individual.

Websites Targeting Children

• Personal data of children is "sensitive personal data" under the Law

• Owners / administrators of websites that target children must also:

• post notices on their websites about the type of data being collected, how it is being used, and when it may be disclosed.

• obtain express approval from the parent of the child whose personal data will be processed, via electronic communication or any other appropriate means.

• provide parents (after verifying identity) with a description of the type of personal data being processed, the purpose of the processing and a copy of the data processed or collected about the child.

• delete or stop processing any personal data collected from or about the child if the parent requests.

• ensure that the participation of the child in any game, offer of prizes or any other activity is not conditional on the child providing personal data beyond what is necessary for participation.

• Query – what actual nexus with Qatar is needed by a website for these provisions to apply in practice?

Electronic Marketing Restrictions

Article (22)

It is prohibited to make any direct electronic communication with the individual for the purpose of marketing without securing a prior consent from him.

The electronic communication should demonstrate the identity of the initiator and proof for direct marketing purposes. The communication should include also a correct address that can be easily accessed and through which the individual can send a request to the initiator for the purpose of stopping such communications or withdraw his previous consent regarding the same.
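Article 22, read together with the data subject's right to withdraw consent, puts three concrete demands on whatever system sends the messages: it must hold evidence of prior consent for this purpose, an opt-out must actually remove the recipient (the case study's system could not), and every message must name the initiator and carry a working stop/withdrawal address. The following Python sketch is an added illustration of those mechanics; it is not code from the presentation, the Law, or any real QP Co. system, and the contacts, campaign names and dates in it are constructed sample data.

```python
"""Consent-gated direct marketing: added illustration, not code from the
presentation. Contacts, campaigns and dates below are constructed samples."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


@dataclass
class ConsentRecord:
    contact: str                      # e-mail address or phone number
    purpose: str                      # the campaign/purpose consent was given for
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """Consent counts only after it was given and before it was withdrawn."""
        if when < self.given_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


class ConsentStore:
    """Append-only record of consents and withdrawals; it doubles as the
    evidence of prior consent the initiator has to be able to show."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, contact: str, purpose: str, when: datetime) -> None:
        self._records.append(ConsentRecord(contact, purpose, when))

    def withdraw(self, contact: str, when: datetime,
                 purpose: Optional[str] = None) -> int:
        """Record an opt-out. purpose=None withdraws every active consent for
        the contact. Returns how many consents were closed."""
        closed = 0
        for rec in self._records:
            if (rec.contact == contact and rec.withdrawn_at is None
                    and (purpose is None or rec.purpose == purpose)):
                rec.withdrawn_at = when
                closed += 1
        return closed

    def status(self, contact: str, purpose: str, when: datetime) -> str:
        """'active', 'withdrawn' (consent existed but was revoked), or 'none'
        (never given for this purpose, e.g. a list collected for another client)."""
        matching = [r for r in self._records
                    if r.contact == contact and r.purpose == purpose]
        if any(r.active_at(when) for r in matching):
            return "active"
        if any(r.withdrawn_at is not None and r.withdrawn_at <= when for r in matching):
            return "withdrawn"
        return "none"


def build_send_list(recipients: List[str], purpose: str, store: ConsentStore,
                    when: datetime) -> Tuple[List[str], Dict[str, str]]:
    """Filter a distribution list against the consent log. Returns the
    contacts that may be messaged and, for the rest, why they were dropped."""
    allowed: List[str] = []
    rejected: Dict[str, str] = {}
    for contact in dict.fromkeys(recipients):          # de-duplicate, keep order
        state = store.status(contact, purpose, when)
        if state == "active":
            allowed.append(contact)
        elif state == "withdrawn":
            rejected[contact] = "consent withdrawn"
        else:
            rejected[contact] = "no consent for this purpose"
    return allowed, rejected


def compose_message(initiator: str, optout_address: str, body: str) -> str:
    """Refuse to build a marketing message that does not identify the
    initiator or carry an address for stop / withdrawal requests."""
    if not initiator.strip():
        raise ValueError("marketing message must identify the initiator")
    if not optout_address.strip():
        raise ValueError("marketing message must carry an opt-out address")
    return (f"From: {initiator}\n\n{body}\n\n"
            f"To stop these messages or withdraw your consent, contact: "
            f"{optout_address}\n")


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Constructed scenario mirroring the case study: a list gathered for an
    earlier client is reused for a new campaign, and one recipient opts out."""
    store = ConsentStore()
    earlier = datetime(2016, 6, 1, tzinfo=UTC)
    for contact in ("a@example.com", "b@example.com", "c@example.com"):
        store.grant(contact, "earlier-client-2016", earlier)   # old campaign only
    # Only a and b separately consented to the new campaign; b later opts out.
    store.grant("a@example.com", "q-sports-2017", datetime(2017, 1, 10, tzinfo=UTC))
    store.grant("b@example.com", "q-sports-2017", datetime(2017, 1, 10, tzinfo=UTC))
    store.withdraw("b@example.com", datetime(2017, 1, 20, tzinfo=UTC),
                   purpose="q-sports-2017")
    old_list = ["a@example.com", "b@example.com", "c@example.com", "b@example.com"]
    return build_send_list(old_list, "q-sports-2017", store,
                           datetime(2017, 2, 1, tzinfo=UTC))


if __name__ == "__main__":
    allowed, rejected = demo()
    print("send to:", allowed)     # ['a@example.com']
    print("dropped:", rejected)    # b: consent withdrawn, c: no consent for this purpose
    print(compose_message("QP Co. on behalf of Q-Sports 2017",
                          "stop@example.com", "Tickets now on sale."))
```

The point of keying consent by purpose is that the list Adam reuses from an earlier client yields no sendable recipients at all for the new campaign, and a withdrawal is a record in the same log rather than an edit to a distribution list, so "the system cannot remove individuals" stops being possible by construction. A production system would persist the log and also retain it as audit evidence for a complaint to the Ministry.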

Enforcement & Penalties

• Fines of up to QAR 5,000,000 (Five Million Riyals)

• Corporate entities may also be subject to fines where violations of the Law are committed by their agents or representatives "in its name or for its account"

• Individuals may file a complaint with the Ministry if rights under the Law are violated -

• Ministry investigates

• May issue a binding order to controller/processor to rectify situation

• Controller/processor may file grievance to the Minister (within 60 days of order)

• Minister will decide on grievance (within 60 days of it being submitted)

• No response from Minister = deemed rejection of grievance

• Minister's decision is final

• Ministry employees tasked with enforcing the Law will have the power of judicial/law enforcement officers and will have the power to seize and document any crimes related to violating the provisions of this Law.

Enforcement & Penalties (cont'd)

Article (28)

Any contract or agreement entered in violation to the provisions of this Law shall be deemed null and void.

But - how will this clause be interpreted?

• Void in whole or in part?

• Will this apply retroactively?

• Is there a threshold as to severity of the violation?

• What about situations where voiding the agreement further disadvantages the data subject?

Compliance - What to Do Next?


Compliance - Coming into Force & Grace Period

• The Law was published in the Gazette on 29 December 2016 and comes into force 30 days following the date of publication

• There is, however, a 6 month 'grace period' for compliance

• So - what should you be focusing on during this time?

Your Compliance "To-Do List" - Start Thinking Best Practice!

The Law itself provides some guidance:

1. Review privacy policies and procedures before adopting any new processing operations.

2. Determine which processors will be in charge of protecting personal data.

3. Train and familiarize your processors about best practice methods for personal data protection and compliance obligations under the Law.

4. Develop internal policies and rules for receiving and addressing complaints, data access requests, data correction or deletion requests, and make these available to individuals.

5. Develop internal policies and rules for effective management of personal data and for reporting any data security breaches.

6. Implement technologies to enable individuals to access their personal data, review and correct the same directly.

7. Conduct a comprehensive audit and review exercise to report on the extent of compliance with personal data protection obligations under the Law.

8. Ensure that processors consistently comply with instructions and take the required precautions for protecting personal data.

In Focus: the Data Protection Audit

• What is it?

• What benefits does it serve?

• identify any gaps in compliance and obtain advice on how to fix them

• officially documents a company's commitment to data protection best practices

• may help as a shield in the event of a compliance related investigation

• How to conduct one?

Case Study - What Red Flags Did You Find?

• CV Database & HR Administration

• Obligation to keep data that is being retained current

• Limiting retention to that which is reasonable

• Additional consent & approval considerations for processing "sensitive personal data"

• Promotional Campaign

• Use of data only for the lawful purposes for which it was collected

• Rights of data subjects - withdraw consent / object to processing / request deletion of data

• Electronic marketing provision violations

• QP Co. Website & IT Systems

• Inadequate security standards for processing credit card information

• Requirement to implement additional safeguards for web page targeting children

• Unjustified retention of attendee personal data and credit card info

• Security breach notification obligations not adhered to

• Q-Sports 2017

• May also be subject to fines for violations "committed in its name or for its account"

Any Questions?


Thank you

Kelly Tymburski

Partner - Head of TMT

Corporate / Commercial

D +971 4 402 0997

E [email protected]

Dentons & Co.

Level 18, Boulevard Plaza 2

Burj Khalifa District

PO Box 1756, Dubai

United Arab Emirates

Dentons is the world's largest law firm, delivering quality and value to clients around the globe. Dentons is a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons' polycentric approach and world-class talent challenge the status quo to advance client interests in the communities in which we live and work. www.dentons.com

© 2016 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.