Saturday, 29 October 2011

Qatar Financial Centre Data Protection Regulations

On 1 Aug 2011 I referred to an article by James Mitchell of "Privacy Laws and Business" which claimed that the DIFC Data Protection Law made in 2007 was the first data protection law in any Arab country (see "DIFC Data Protection Law", 1 Aug 2011). It seems that Mr. Mitchell and I may have been wrong because the Qatar Financial Centre Data Protection Regulations were made by Mohamed bin Ahmed bin Jassim Al Thani, Minister of Economy and Commerce of the State of Qatar, as long ago as 17 Oct 2005.

Overview
Like the DIFC Data Protection Law, the QFC Regulations seem to have been influenced by the EU Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281 , 23/11/1995 P 31 - 50) and the British Data Protection Act 1998. Doubtless that is because art 25 (1) of the Directive requires EU member states to
"provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection."
Accordingly, the QFC regulations provide for notification, conditions for legitimate processing, rights of access for data subjects and a range of remedies. The regulations are admirably brief cramming these provisions into 17 pages. They are supplemented by the Data Protection Rules which take up another 12 pages.

Application
These regulations came into force on the 17 Oct 2005 and apply to the Qatar Financial Centre. Art 2 of the Regulations provide that to the fullest extent permitted by the QFC law Qatari the laws concerning the subject matter of the legislation that apply to the rest of Qatar shall not apply to the Centre.

The QFC Authority
The Regulations are administered by the QFC Authority, the body whose powers and constitution were considered in my article on the Qatar Financial Centre of 1 April 2011. Art 19 (2) confers upon the Authority powers to:
(a) access personal data processed by data controllers or data processors;
(b) collect all the information necessary for the performance of its supervisory duties;
(c) prescribe forms to be used for any of the purposes of the Regulations;
(d) issue warnings or admonishments and make recommendations to data controllers; and
(e) bring contraventions of the regulations to the attention of ant tribunal.
The Authority keeps a register of personal data processing pursuant to art 18 of the Regulations. It has power to make rules to implement the Regulations under art 21.

Duty to Keep Records
Data controllers are required by art 17 (1) to establish and maintain a record of all wholly or partly automatic personal data processing operations or set of such operations intended to secure a single purpose or several related purposes. Rule 4.1 of the Rules specify that such records must include:
(a) a description of the personal data processing being carried out;
(b) an explanation of the purpose for the personal data processing;
(c) the data subjects or class of data subjects whose personal data is being processed;
(D) a description of the class of personal data being processed; and
(E) a list of the jurisdictions to which personal data may be transferred by the data controller, along with an indication as to whether the particular jurisdiction has been assessed as having adequate levels of protection for the purposes of the transfer prohibition provisions to be discussed below.

Duty to Notify
Rule 4.2 of the Rules require data holders to "notify the QFC Authority of any of the following Personal Data Processing operations undertaken other than in accordance with a permit issued by the QFC Authority:
(A) any Personal Data Processing operation or set of operations involving the Processing of Sensitive Personal Data; and
(B) any Personal Data Processing operation or set of operations involving the transfer of Personal Data to a Recipient outside of the QFC which is not subject to laws and regulations which ensure an adequate level of protection."
Such notification must include:
"(A) the name of the Data Controller;
(B) the address of the Data Controller;
(C) the name, address, telephone number, fax number and e-mail address of the Person within the Data Controller responsible for making the application for the permit;
(D) the reason for which notification is being provided;
(E) a general description of the Personal Data Processing being carried out;
(F) an explanation of the purpose of the Personal Data Processing;
(G) the Data Subjects or class of Data Subjects whose Personal Data is being processed;
(H) a description of the class of Personal Data being processed; and
(I) a statement of which jurisdictions to which Personal Data will be transferred by the Data Controller, along with an indication as to whether the particular jurisdiction has been assessed as having adequate level of protection for the purposes of Articles 9 and 10 of the Data Protection Regulations."
Data Controllers' Obligations
Art 6 (1) of the Regulations requires data controllers to ensure that the personal data that they process is:
(A) processed fairly, lawfully and securely;
(B) processed for specified, explicit and legitimate purposes in accordance with the data subject’s rights and not further processed in a way incompatible with those purposes or rights;
(C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
(D) accurate and, where necessary, kept up to date; and
(E) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected or for which they are further processed.
Data controllers are obliged by art 6 (3) to establish and maintain systems and controls that enable the to satisfy themselves that they comply with the above requirements.

Legitimate Processing
The conditions for legitimate data processing are set out in art 7:
(1) the data subject has unambiguously given his consent;
(2) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(3) Processing is necessary for compliance with any legal obligation to which the data controller is subject;
(4) Processing is necessary in order to protect the vital interests of the data subject;
(5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the data controller or in a third party to whom the personal data is disclosed; or
(6) Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject's particular situation.

Sensitive Personal Data
"Sensitive personal data" is defined as personal data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life." Art 8 (1) provides that sensitive personal data shall not be processed unless:
(A) the data subject has given his explicit consent to the processing of that personal data;
(B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the data Controller in the field of employment law;
(C) Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;
(D) the Processing is carried out by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities with appropriate guarantees that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed to a third party without the consent of the data subjects;
(E) the processing relates to personal data which is manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims;
(F) Processing is necessary for compliance with any legal obligation to which the data controller is subject;
(G) Processing is necessary to uphold the legitimate interests of the data controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject's particular situation;
(H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a data controller; or
(I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

However, these conditions do not apply where a data controller obtains a permit to process sensitive personal data from the QFC Authority and applies "adequate safeguards" with respect to the processing of such data (art 8 (2)). Rule 2 of the Rules sets out the procedure for applying for such a permit.

Transfer of Data outside the QFC
Subject to the following exceptions, a data controller may only transfer personal data to a recipient located in a jurisdiction outside the QFC if an adequate level of protection for that personal data is ensured by laws and regulations that are applicable to the recipient (art 9 (1)). The adequacy of the level of protection depends on all the circumstances including but not limited to
(A) the nature of the data;
(B) the purpose and duration of the proposed processing operation or operations;
(C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
(D) any relevant laws to which the recipient is subject, including professional rules and security measures (art 9 (2)).
Guidance for assessing such adequacy is provided by rule 3.1 of the Rules.

Alternatively, data may be transferred outside the QFC if any of the following conditions are met:
(A) the QFC Authority has granted a permit for the transfer or the set of transfers and the data controller applies adequate safeguards with respect to the protection of the personal data;
(B) the data subject has given his unambiguous consent to the proposed transfer;
(C) the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject's request;
(D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party;
(E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
(F) the transfer is necessary in order to protect the vital interests of the data subject;
(G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
(H) the transfer is necessary for compliance with any legal obligation to which the data controller is subject;
(I) the transfer is necessary to uphold the legitimate interests of the data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
(J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a data controller which is established in the QFC.
The procedure for obtaining a permit is set out in rule 3.2 of the Rules.

Information to Data Subjects
Art 11 (1) of the Regulations requires data controllers to provide the following information to their data subjects as soon as they begin to collect information from them:
(A) the identity of the data controller;
(B) the purposes of the processing for which the personal data are intended; and
(C) any further information in so far as such is necessary, having regard to the specific circumstances in which the personal data are collected, to guarantee fair processing in respect of the data subject, such as:
(i) the recipients or categories of recipients of the personal data;
(ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
(iii) the existence of the right of access to and the right to rectify the personal data;
(iv) whether the personal data will be used for direct marketing purposes; and
(v) whether sensitive personal data will be processed and whether it will be transferred outside the QFC.

If they process data that are not collected from the data subject, data controllers should supply the above information to the data subject as soon as they start to record the data together with particulars of the data or categories of data concerned. If the data are to be disclosed to a third party the data controller must supply such information at the time of the disclosure (art 12 (1) of the Regulations).

Processing by Third Parties
Art 13 of the Regulations prohibits the processing of personal data except on the instructions of a data controller unless required to do so by law.

Security of Processing
Data controllers are required by art 14 (1) to" implement appropriate technical and organisational measures" to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing, in particular where sensitive personal data is processed or data are transferred outside the QFC. Art 14 (2) provides that regard may be had to the cost of implementation and the nature of the data when determining the appropriateness of those measures. Data controllers who contract out their processing should choose data processors providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with the above measures (art 14 (3)).

Data Subjects' Rights
Art 15 of the Regulations confers on data subjects the right to request at reasonable intervals and without excessive delay or expense:
(1) confirmation as to whether personal data relating to him is being processed and, if so, information at least as to the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data is disclosed;
(2) communication to him in an intelligible form of the personal data undergoing processing and of any available information as to its source; and
(3) as appropriate, the rectification, erasure or blocking of personal data the processing of which does not comply with the provisions of the regulations.

Data subjects also have the right under art 16 to:
(A) object at any time on reasonable grounds relating to his particular situation to the processing of personal data relating to him; and
(B) be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.

Enforcement
A person who believes on reasonable grounds that he has been adversely affected by a contravention of the regulations in respect of the processing of his personal data or as regards the exercise of their rights under the above articles may file a claim with the QFC Authority under art 23 of the Regulations. The process for lodging a claim is set out in rule 5.1 of the Rules and guidance is given in rule 5.2. The QFC Authority may enquire into any claim filed with it. If it believes the claim to be well founded the QFC Authority may direct the data holder:
"(A) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(B) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction."
Art 22 (2) provides a right of appeal to the tribunal referred to above.

Further Information
Anyone wishing to discuss this article, the QFC data protection law or data protection generally should call me on 0800 862 0055 or fill in my contact form.