QFC DPR

Qatar Financial Centre Data Protection Regulations 2021

Key Facts

Effective Date: June 19, 2022
Enacted: December 21, 2021
Enforcing Authority: QFC Data Protection Office
Consent Model: Opt-in
Applies To: All data controllers and processors operating within the Qatar Financial Centre

Overview

The QFC DPR is the standalone data protection regulation for the Qatar Financial Centre, enacted in 2021 and effective from June 2022. It operates separately from Qatar's national PDPPL and is closely aligned with GDPR principles. The QFC has actively enforced the regulations, issuing fines for data breach violations. Penalties are cumulative: up to USD 1,500,000 for each provision infringed.

What This Means for Your Website

  • Consent or another lawful basis is required before processing personal data of QFC users
  • Cookie controls must be easily accessible to data subjects
  • Controllers must demonstrate compliance under the accountability principle
  • Data processors have direct compliance obligations
  • Written contracts are required between controllers and processors
  • Penalties accumulate per provision infringed, creating significant financial exposure

Key Requirements

The QFC Data Protection Office enforces the regulations with penalties up to USD 1,500,000 per provision infringed, applied cumulatively. The accountability principle requires controllers to actively demonstrate compliance. Cookie controls must be easily accessible. Written contracts between controllers and processors are mandatory, and processors have direct compliance obligations — not just contractual ones.

How ConsentStack Handles This

ConsentStack provides easily accessible cookie controls for QFC users, meeting the explicit requirement for accessible consent mechanisms and supporting the accountability principle through documented consent records.

Penalties

Up to USD 1,500,000 per provision infringed (cumulative).

Maximum Fine: USD 1,500,000 per violation

Key Requirements

  • Consent or other lawful basis required for processing
  • Accountability principle: controllers must demonstrate compliance
  • Direct compliance obligations on data processors
  • Written contracts required between controllers and processors
  • Cookie controls must be easily accessible to data subjects
  • Data breach notification requirements

Notable Provisions

  • Penalties cumulative per provision (up to USD 1.5M per provision, not capped)
  • Cookie controls must be easily accessible
  • Accountability principle explicitly incorporated
  • Active enforcement — QFC has issued fines for data breach violations

Other Middle East & North Africa Regulations

KSA PDPL: Kingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. It has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. It requires explicit consent and PDPC licensing for certain processing, and carries criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Israel PPL Amendment 13: State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

How do QFC penalties work?

Penalties are up to USD 1,500,000 per provision infringed, applied cumulatively. Multiple violations can result in total penalties far exceeding USD 1.5M.

Does the QFC DPR require specific cookie controls?

Yes. Cookie controls must be easily accessible to data subjects under the QFC regulations.

Is the QFC DPR separate from Qatar national law?

Yes. The QFC has its own standalone Data Protection Regulations, separate from Qatar's national PDPPL (Law 13/2016).
