Cross-border Personal Data Transfers Under The Qatar Financial Centre Regulations
April 27, 2023
By: Ribal Fattal, Senior Associate.
The processing of personal data in the Qatar Financial Centre (“QFC”) is governed by the QFC Data Protection Regulations 2021 (“QDPR 2021”), and the QFC Data Protection Rules (“Rules”) (together, the “Regulations”). The Regulations apply to the processing of personal data by a data controller or data processor incorporated or registered in the QFC. These Regulations also apply to the processing of personal data by a data controller or data processor that is not incorporated or registered in the QFC, if, as part of ongoing arrangements, that data controller or data processor processes personal data through a data controller or data processor that is incorporated or registered in the QFC. In the latter case, the Regulations apply only to the extent of that processing activity.
Under Article 23 of the QDPR 2021, any processing of personal data which involves the transfer to a recipient located in a jurisdiction outside the QFC may take place if the QFC’s Data Protection Office (“DPO”) has decided that the jurisdiction has an adequate level of data protection. Processing that involves transferring personal data to a recipient located in a jurisdiction outside the QFC that the DPO has decided has an adequate level of protection does not require any specific authorization from, or notification to, the DPO.
As of April 2023, the following jurisdictions have been designated by the DPO as having an adequate level of protection:
Andorra, Argentina, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Greece, Guernsey, Hungary, Iceland, Ireland, Isle of Man, Italy, Japan, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Qatar, Republic of Korea, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, and Uruguay.
Notwithstanding the foregoing, Article 24 of the QDPR 2021 stipulates that a transfer of personal data to a recipient located in a jurisdiction outside the QFC and without adequate protection may only take place if:
- the controller or processor in question has provided appropriate safeguards including enforceable rights and effective legal remedies for data subjects – the appropriate safeguards referred to may be provided by (i) a legally binding and enforceable arrangement between public authorities or bodies, or (ii) a legally binding and enforceable agreement between the parties that includes the standard data protection contractual clauses adopted by the DPO;
- the data subject has been informed of the risks and has given their explicit consent to the transfer of their personal data for one or more specific purposes;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at a data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of a data subject between the controller and a third party;
- the transfer is necessary to comply with a legal obligation of the controller or processor;
- the transfer is necessary to protect the vital interests of the data subject or another individual;
- the transfer is necessary to perform a task carried out in the public interest or by the QFC Authority, QFC Regulatory Authority, QFC Civil and Commercial Court, QFC Regulatory Tribunal or a QFC Institution, each in the performance of its functions; or
- the transfer is necessary for the establishment, exercise or defence of a legal claim.
Where such a transfer cannot be based on the foregoing, then the transfer of data to a jurisdiction without adequate protection may take place only if:
- the transfer:
  - is not repeating or not part of a repetitive course of transfers;
  - concerns only a limited number of data subjects;
  - does not contain any sensitive personal data (i.e., data revealing or relating to race or ethnicity, political affiliation or opinions, religious or philosophical beliefs, trade-union or organisational membership, criminal records, health or sex life, and genetic and biometric data used to identify an individual);
  - is for the purposes of the legitimate interests of the controller or another entity to which the data is disclosed (unless those interests are overridden by the rights and legitimate interests of the data subject that require the data to be protected, in particular if the data subject is a child); and
- the controller has completed a documented assessment of the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data;
- a permit for the data transfer has been obtained from the DPO, and the controller applies adequate safeguards to protect the data.