Privacy policy
Privacy Policy for Sheen Services WLL Websites

At Sheen Services WLL, we are committed to safeguarding the privacy of our website visitors and clients. This Privacy Policy outlines how we collect, process, and protect your personal information when you interact with our websites, in accordance with the Qatar Personal Data Privacy Law (Law No. 13 of 2016) and the General Data Protection Regulation (GDPR).

This Privacy Policy outlines how we collect, use, and disclose your personal information. We adhere to the highest standards of data protection and comply with applicable laws and regulations regarding personal data. By using our websites, you consent to the practices described in this policy, and we ensure that your privacy is respected and protected at all times.
Qatar Personal Data Privacy Law

Below is a detailed overview of Qatar’s Personal Data Privacy Protection Law (Law No. 13 of 2016), written to provide a comprehensive understanding of its scope, provisions, and implications. It focuses on the key aspects of the law without reproducing the full legal text.

Overview of Qatar Personal Data Privacy Law (Law No. 13 of 2016)

Qatar’s Personal Data Privacy Protection Law (PDPPL), enacted as Law No. 13 of 2016, marks a significant milestone as the first comprehensive national data protection legislation in the Gulf Cooperation Council (GCC) region. Promulgated on 13 November 2016 by HH the Emir Sheikh Tamim bin Hamad Al-Thani, the law came into effect in 2017, with a grace period for compliance extended to January 2018. Its primary objective is to safeguard individuals’ personal data while balancing the needs of businesses and public authorities operating within Qatar. The law applies broadly to personal data processed electronically or in preparation for electronic processing, reflecting Qatar’s growing digital economy.

Scope and Applicability

The PDPPL applies to:  

Personal Data: Any information relating to an identifiable individual, including data processed electronically, obtained for electronic processing, or processed through a combination of electronic and traditional methods.  

Territorial Scope: It governs data processing activities within Qatar, excluding the Qatar Financial Centre (QFC), which operates under its own data protection framework.  

Exemptions: The law does not apply to personal data processed by individuals for private or family purposes or data collected for official statistical purposes under Law No. 2 of 2011.

A notable feature is the designation of “special personal data,” which includes sensitive categories such as ethnic origin, health, religious beliefs, marital status, criminal records, and data concerning children. Processing such data requires explicit prior approval from the competent authority unless specific exemptions apply.

Key Provisions

The PDPPL establishes a framework for data protection, imposing obligations on data controllers and processors while granting rights to individuals (data subjects). Below are its core elements:

1. Principles of Data Processing

Data controllers must adhere to the following principles:  

Lawfulness and Transparency: Personal data must be processed honestly, legally, and with clear disclosure to the data subject.  

Purpose Limitation: Data should only be collected for specified, legitimate purposes and not retained beyond what is necessary.  

Data Security: Controllers must implement technical, administrative, and financial measures to protect data from loss, damage, or unauthorised access.  

Consent: Processing generally requires the individual’s prior consent, except where mandated by law or necessary for a lawful purpose (e.g., public interest or contractual obligations). For children’s data, consent must come from a parent or guardian.

2. Rights of Data Subjects

Individuals are granted several rights under the PDPPL, including:  

Right to Information: Data subjects must be informed about the identity of the controller, the purpose of processing, and any third-party involvement.  

Right to Access and Correction: Individuals can request access to their data and seek corrections if inaccurate.  

Right to Withdraw Consent: Consent can be withdrawn at any time, and controllers must maintain records of consent.  

Right to Erasure: Data subjects may request the deletion of their data under certain conditions.

3. Obligations of Data Controllers and Processors

Internal Systems: Controllers must establish a personal data management system to handle data processing, breach notifications, and individual rights requests.  

Data Protection Impact Assessments (DPIA): Articles 11 and 13 imply a requirement to assess privacy risks before initiating new processing activities, though this is clarified further in subsequent guidelines (see below).  

Breach Notification: Processors must notify controllers of any breach likely to cause “serious damage” to data or privacy. The controller must then inform affected individuals and the competent authority.  

Record-Keeping: Controllers must maintain detailed records of processing activities and disclosures.

4. Breach Notification and Timelines

While the original law does not specify a notification timeline, the 2021 guidelines issued by the Ministry of Transport and Communications (MOTC) / Ministry of Communications and Information Technology (MCIT) introduced a 72-hour deadline for controllers to notify the National Cyber Governance and Assurance Affairs (NCGAA) and affected individuals following a detected breach. “Serious harm” may arise from processing sensitive data or automated decision-making.

5. Penalties for Non-Compliance

The PDPPL imposes financial penalties for violations, with no provision for imprisonment:  

– Breaches of Articles 4, 8, 9, 10, and 11 (e.g., unlawful processing or failure to secure data) incur fines up to QAR 1,000,000 (approximately USD 275,000).  

– Breaches of Articles 13, 16, and 17 (e.g., failure to notify breaches or respect data subject rights) may result in fines up to QAR 5,000,000 (approximately USD 1,375,000).  

Penalties are enforced by the NCGAA, part of the National Cyber Security Agency (NCSA), which oversees compliance.

Regulatory Guidelines (2021)

In December 2020, the MOTC (MCIT)’s Compliance and Data Protection Department (CDP) released 14 guidelines to supplement the PDPPL, effective from 31 January 2021. These guidelines align the law with international standards, such as the EU’s General Data Protection Regulation (GDPR), and clarify ambiguous provisions:  

DPIA Requirement: Controllers must conduct a DPIA for high-risk processing activities, with a fine of up to QAR 1,000,000 for non-compliance. Records must be kept if a DPIA is not conducted.  

Privacy Notices: More detailed requirements for informing data subjects about processing activities.  

Records of Processing Activities (ROPA): Controllers must maintain comprehensive logs of data processing.  

Special Nature Data: Processing sensitive data requires CDP authorisation.  

Data Subject Requests: Controllers have 30 days to respond to requests, with clear policies to facilitate rights exercise.

These guidelines signal a shift towards stricter enforcement and greater accountability for organisations.

Enforcement and Oversight

The NCGAA, under the NCSA, serves as the competent authority responsible for:  

– Supervising compliance with the PDPPL.  

– Issuing guidance and promoting best practices.  

– Investigating complaints and imposing penalties.  

Unlike some jurisdictions, there is no mandatory registration requirement for data controllers with the NCGAA.

Implications for Businesses

The PDPPL and its guidelines impose significant compliance burdens on organisations operating in Qatar:  

Operational Adjustments: Businesses must review and update internal policies, IT systems, and staff training to align with the law.  

Cross-Border Data Transfers: While the law does not explicitly restrict international transfers, any transfer violating its provisions (e.g., inadequate protection) can be penalised.  

Sector-Specific Impact: Banks, telecoms, and other data-intensive industries may face challenges, particularly with sensitive data processing (e.g., KYC requirements), requiring MOTC (MCIT) approval in some cases.

Conclusion

Qatar’s Law No. 13 of 2016 establishes a robust foundation for personal data protection, reflecting global privacy trends while addressing local needs. Its emphasis on consent, transparency, and security, coupled with the 2021 guidelines, positions Qatar as a leader in data privacy within the GCC. Organisations must proactively adapt to its requirements to avoid substantial fines and ensure trust in their data-handling practices.

General Data Protection Regulation (GDPR)

Below is a detailed explanation of the General Data Protection Regulation (GDPR). It provides a comprehensive overview of the regulation, its purpose, scope, and key provisions.

What is the General Data Protection Regulation (GDPR)?  

The General Data Protection Regulation (GDPR) is a landmark data protection law enacted by the European Union (EU) to safeguard the privacy and personal data of individuals within the EU and the European Economic Area (EEA). Officially known as Regulation (EU) 2016/679, it was adopted on 14 April 2016 and became enforceable on 25 May 2018, replacing the earlier Data Protection Directive 95/46/EC. The GDPR is widely regarded as one of the most comprehensive and stringent data protection frameworks globally, setting a benchmark for privacy laws worldwide.

Purpose of the GDPR  

The GDPR aims to:  

Protect Personal Data: Ensure that individuals’ personal information is processed lawfully, fairly, and securely.  

Empower Individuals: Grant data subjects (individuals whose data is processed) greater control over their personal data.  

Harmonise Laws: Standardise data protection regulations across EU member states, facilitating the free flow of data within the single market while maintaining high privacy standards.  

Address Digital Challenges: Respond to the evolving digital landscape, including the rise of big data, cloud computing, and cross-border data transfers.
Scope and Applicability  

The GDPR applies to:  

Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email address, location data, IP address, or biometric data).  

Territorial Scope:  

  – Organisations within the EU/EEA, regardless of where data processing occurs.  

  – Organisations outside the EU/EEA that process personal data of EU/EEA residents when offering goods or services (even if free) or monitoring their behaviour (e.g., tracking online activity).  

Entities: Both data controllers (who determine the purpose and means of processing) and data processors (who process data on behalf of controllers) are subject to the regulation.

Exemptions include data processed for personal/household activities, national security, or law enforcement (covered by separate EU directives).
Key Provisions  

The GDPR establishes a robust framework with principles, rights, and obligations. Below are its core elements:

1. Principles of Data Processing

The regulation mandates that personal data be:  

– Processed lawfully, fairly, and transparently.  

– Collected for specified, explicit, and legitimate purposes and not used beyond those purposes.  

– Adequate, relevant, and limited to what is necessary (data minimisation).  

– Accurate and kept up to date.  

– Retained only for as long as necessary.  

– Protected with appropriate security measures against unauthorised access, loss, or damage.
Lawful processing requires a legal basis, such as consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests of the controller.

2. Rights of Data Subjects

The GDPR grants individuals extensive rights over their personal data:  

Right to be Informed: Individuals must be told how their data is collected, used, and shared, typically via a privacy notice.  

Right of Access: Data subjects can request confirmation of whether their data is being processed and obtain a copy of it.  

Right to Rectification: Individuals can correct inaccurate or incomplete data.  

Right to Erasure (“Right to be Forgotten”): Data subjects can request deletion of their data under specific conditions (e.g., when it’s no longer necessary or consent is withdrawn).  

Right to Restrict Processing: Individuals can limit how their data is used in certain circumstances.  

Right to Data Portability: Data subjects can obtain and reuse their data across services in a machine-readable format.  

Right to Object: Individuals can object to processing, including for direct marketing or profiling.  

Rights Regarding Automated Decision-Making: Protection against decisions based solely on automated processing (e.g., AI) that produce significant effects, with a right to human intervention.

3. Obligations of Controllers and Processors

Accountability: Controllers must demonstrate compliance through policies, records, and impact assessments.  

Data Protection by Design and Default: Privacy must be embedded into systems and processes from the outset.  

Data Protection Impact Assessments (DPIAs): Required for high-risk processing activities (e.g., large-scale monitoring).  

Data Protection Officers (DPOs): Mandatory for public authorities or organisations involved in large-scale systematic monitoring or sensitive data processing.  

Breach Notification: Controllers must notify supervisory authorities within 72 hours of discovering a data breach likely to risk individuals’ rights and freedoms, and inform affected individuals without undue delay.  

Cross-Border Transfers: Data transfers outside the EU/EEA are restricted unless the recipient ensures an “adequate level of protection” (e.g., via EU-approved mechanisms like Standard Contractual Clauses or adequacy decisions).

4. Penalties for Non-Compliance

The GDPR imposes severe fines for violations:  

– Up to €20 million or 4% of annual global turnover (whichever is higher) for serious breaches (e.g., violating core principles or data subject rights).  

– Up to €10 million or 2% of annual global turnover for lesser breaches (e.g., failure to maintain records or notify breaches).  

Supervisory authorities (one per EU member state, e.g., the UK’s Information Commissioner’s Office pre-Brexit) enforce the regulation and can also issue warnings, reprimands, or processing bans.

Enforcement and Oversight  

Each EU/EEA country has a national data protection authority (DPA) responsible for monitoring compliance, handling complaints, and imposing sanctions. The European Data Protection Board (EDPB) coordinates efforts across DPAs, ensuring consistency. The “one-stop-shop” mechanism allows organisations operating in multiple EU countries to deal primarily with the DPA in their main establishment.

Implications for Businesses and Individuals  

For Businesses: The GDPR requires significant investment in compliance, including updating IT systems, training staff, and revising contracts. Non-EU companies targeting EU residents must appoint an EU representative.  

For Individuals: It enhances privacy protections, giving people greater control and visibility over their data, particularly in the digital age.  

Global Influence: The GDPR has inspired similar laws worldwide (e.g., California’s CCPA, Brazil’s LGPD) and raised global privacy standards.

Post-Brexit Relevance in the UK  

Following the UK’s exit from the EU on 31 January 2020, the GDPR was retained in UK law as the “UK GDPR” under the Data Protection Act 2018, with minor adjustments. It remains aligned with the EU GDPR, though the UK is now treated as a “third country” for EU data transfers, subject to adequacy decisions.

Conclusion  

The GDPR represents a transformative approach to data protection, prioritising individual rights and imposing strict accountability on organisations. Its extraterritorial reach and hefty penalties make it a critical consideration for any entity handling EU/EEA personal data, fostering a culture of privacy and trust in an increasingly data-driven world.