Cross-border Personal Data Transfers Under The Qatar Financial Centre Regulations

• Published date: 19 May 2023
• Subject Matter: Privacy, Data Protection
• Law Firm: Sultan Al-Abdulla & Partners
• Author: Mr Ribal Fattal

The processing of personal data in the Qatar Financial Centre ("QFC") is governed by the QFC Data Protection Regulations 2021 ("QDPR 2021"), and the QFC Data Protection Rules ("Rules") (together, the "Regulations"). The Regulations apply to the processing of personal data by a data controller or data processor incorporated or registered in the QFC. These Regulations also apply to the processing of personal data by a data controller or data processor that is not incorporated or registered in the QFC, if, as part of ongoing arrangements, that data controller or data processor processes personal data through a data controller or data processor that is incorporated or registered in the QFC. In the latter case, the Regulations apply only to the extent of that processing activity.

Under Article 23 of the QDPR 2021, any processing of personal data which involves the transfer to a recipient located in a jurisdiction outside the QFC may take place if the QFC's Data Protection Office ("DPO") has decided that the jurisdiction has an adequate level of data protection. Processing that involves transferring personal data to a recipient located in a jurisdiction outside the QFC that the DPO has decided has an adequate level of protection does not require any specific authorization from, or notification to, the DPO.

As of April 2023, the following jurisdictions have been designated by the DPO as having an adequate level of protection:

Andorra, Argentina, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Greece, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Italy, Japan, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Qatar, Republic of Korea, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, and Uruguay.

Notwithstanding the foregoing, Article 24 of the QDPR 2021 stipulates that a transfer of personal data to a recipient located in a jurisdiction outside the QFC and without adequate protection may only take place if:

• the controller or processor in question has provided appropriate safeguards including enforceable rights and effective legal remedies for data subjects - the appropriate safeguards referred to may be provided by (i) a legally binding and enforceable arrangement between public authorities or bodies, or a legally binding and enforceable agreement between the parties that includes the standard...