Qatar PDPPL

Law No. 13 of 2016 Concerning Personal Data Privacy Protection

Flag of QA
State of Qatar (excluding QFC)Opt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2017
Enacted
January 1, 2016
Enforcing Authority
Compliance and Data Protection Department (CDP), Ministry of Transport and Communications
Consent Model
Opt-in
Applies To
All organizations processing personal data within Qatar (excluding the Qatar Financial Centre)

Overview

Qatar's PDPPL is the national data protection law enacted in 2016, applying throughout the country except within the Qatar Financial Centre (which has its own regulations). The law is notable for imposing only financial penalties without criminal sanctions — an unusual approach in the Middle East. The CDP published implementation guidelines in December 2020 to clarify requirements.

What This Means for Your Website

  • Consent is required before processing personal data of Qatari visitors
  • Special protections apply for sensitive data categories including children, health, and religion
  • Direct electronic marketing is restricted and requires compliance with specific provisions
  • The law does not apply within the QFC, which has its own data protection regulations
  • Breach notification is required
  • Cross-border data transfers are subject to restrictions

Key Requirements

The CDP enforces the law with financial penalties of QAR 1,000,000 to QAR 5,000,000. Unlike most Middle Eastern jurisdictions, there are no criminal penalties or imprisonment provisions. Data must be processed with transparency, fairness, and respect for human dignity. Special protections apply to sensitive data categories including children's data, health information, and religious data.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for Qatari visitors, supporting compliance with the PDPPL's consent requirements and restrictions on direct electronic marketing.

Penalties

QAR 1,000,000-5,000,000 fines. No criminal penalties (imprisonment).

Maximum Fine
QAR5,000,000 per violation

Key Requirements

  • Consent required for personal data processing
  • Special protections for sensitive data (children, health, religion, criminal records)
  • Breach notification obligations
  • Restrictions on direct electronic marketing
  • Cross-border transfer restrictions
  • Data subjects have rights of access, correction, and notification

Notable Provisions

  • Financial penalties only — no criminal penalties (unusual for the region)
  • CDP published implementation guidelines in December 2020
  • Separate regime from QFC Data Protection Regulations
  • Principles of transparency, fairness, and respect for human dignity

Related Regulations (1)

QFC DPRQatar Financial Centre (QFC)
The QFC's standalone data protection regulations applying within the financial centre, separate from Qatar's national PDPPL. Closely aligned with GDPR principles with explicit cookie-specific provisions requiring easily accessible cookie controls. Penalties are cumulative per provision infringed, and the QFC has actively issued fines for data breach violations.

Other Middle East & North Africa Regulations

KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPLEgypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPLKingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

Does the Qatar PDPPL have criminal penalties?

No. The PDPPL imposes only financial penalties (QAR 1M-5M), with no criminal sanctions or imprisonment — unusual for the Middle East.

Does the PDPPL apply within the QFC?

No. The Qatar Financial Centre has its own separate Data Protection Regulations. The PDPPL applies throughout Qatar except within the QFC.

What are the key restrictions on marketing?

The PDPPL restricts direct electronic marketing, requiring compliance with specific provisions around consent and data subject rights.

Stay compliant with Qatar PDPPL

ConsentStack helps you implement Opt-in consent for State of Qatar (excluding QFC) automatically.

Get started free