Qatar · Mandate: Mandatory · Law No. 13 of 2016 (effective 2017)

PDPPL: Personal Data Privacy Protection Law

Law No. 13 of 2016 on the Protection of Personal Data Privacy, promulgated by HH the Emir and supervised by NCSA's National Data Privacy Office (NDPO).

Legal instrument: Law No. 13 of 2016
Promulgated: 13 November 2016 by HH the Emir
Effective: 2017
Regulator: National Data Privacy Office (NDPO), NCSA
Maximum fine: QAR 5,000,000 (~USD 1.4M) per violation
Breach notification: within 72 hours of becoming aware of the breach
OVERVIEW

What is PDPPL?

The Personal Data Privacy Protection Law (PDPPL) is Qatar's primary personal data protection statute, promulgated by His Highness the Emir on 13 November 2016 as Law No. 13 of 2016 and entering into force in 2017. It established Qatar as one of the first GCC jurisdictions with a comprehensive data protection regime, predating Saudi Arabia's PDPL by several years.

PDPPL applies to any natural or legal person processing personal data within the State of Qatar — both public and private sector. It establishes core data subject rights (access, correction, withdrawal of consent, the right to be informed of processing purposes), defines obligations for data controllers and processors, and mandates appropriate organisational and technical security measures calibrated to the nature and sensitivity of the data being processed.

Supervision is performed by the National Data Privacy Office (NDPO), which sits within the National Cyber Governance and Assurance Affairs (NCGAA) division of NCSA. The NDPO has issued a series of executive guidelines clarifying breach notification timelines (72 hours), the requirement for a Personal Data Management System (incorporating DPIAs and Records of Processing Activities), and the calculation of penalties — which range from QAR 1 million to QAR 5 million per violation. Active enforcement began in earnest in 2024-2025 with public compliance orders against ICT and e-commerce operators.

APPLICABILITY

Who must comply with PDPPL?

  • Any natural or legal person processing personal data within the State of Qatar
  • All Qatar-based public sector entities (ministries, agencies, statutory bodies)
  • All private sector organisations operating in Qatar, irrespective of size
  • Foreign organisations processing personal data of individuals located in Qatar
  • Data processors acting on behalf of controllers (joint and several liability for security failings)
CONTROL DOMAINS

PDPPL structure at a glance

The PDPPL framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.

Data Subject Rights

Right to be informed of processing purposes
Right of access to personal data held
Right to request correction of inaccurate data
Right to obtain a copy (subject to reasonable service charge)
Right to withdraw prior consent
Right to object to processing for direct marketing

Controller & Processor Obligations

Lawful basis for processing — primarily consent-based
Purpose limitation and data minimisation
Personal Data Management System (PDMS)
Records of Processing Activities (RoPA)
Data Protection Impact Assessments (DPIA) for high-risk processing
Appropriate organisational and technical security measures

Special Categories & Cross-Border

Enhanced protection for personal data of children
Restrictions on processing data of special nature (health, beliefs, etc.)
Cross-border transfer controls and safeguards
Direct marketing consent requirements
Breach notification within 72 hours to NDPO and (where appropriate) data subjects
KEY REQUIREMENTS

What PDPPL requires you to do

  1. Establish and maintain a Personal Data Management System (PDMS) covering processing activities, breach notification procedures, and data subject rights fulfilment.
  2. Maintain Records of Processing Activities (RoPA) for all personal data processing operations.
  3. Conduct Data Protection Impact Assessments (DPIAs) for processing likely to result in high risk to data subjects.
  4. Implement organisational and technical security measures commensurate with the nature, volume, and risk of the data processed.
  5. Notify NDPO of personal data breaches within 72 hours of becoming aware, with notification to affected data subjects where their rights are at material risk.
  6. Honour data subject rights requests within statutory timelines and provide a clear redress mechanism.
HOW VANTAGE HELPS

Vantage's approach to PDPPL

Vantage GRC includes a pre-built PDPPL control library aligned to NDPO executive guidelines, covering RoPA templates, DPIA workflows, breach notification routing, data subject rights tracking, and consent management. Because the library is mapped against NIA, ISO 27001, and GDPR controls, evidence collected for one obligation simultaneously satisfies overlapping requirements in the others. This is particularly valuable for organisations operating across Qatar and the EU that need parallel PDPPL and GDPR compliance.

FREE TOOL · NO SIGN-UP

Score your PDPPL readiness in under 5 minutes

Answer 17 questions across all PDPPL control domains, get an instant maturity score, a scored gap analysis, and a downloadable PDF report with prioritised remediation guidance.

RELATED FRAMEWORKS

PDPPL works alongside

FAQ

PDPPL questions

Who must comply with Qatar PDPPL?

PDPPL applies to any natural or legal person processing personal data within the State of Qatar — covering both public and private sector, of any size, and including foreign organisations processing the personal data of individuals located in Qatar.

What are the maximum penalties under PDPPL?

Penalties range from QAR 1 million to QAR 5 million (~USD 275,000 to ~USD 1.4 million) per violation. Failure to put in place appropriate security precautions carries fines up to QAR 5 million per violation, applied equally to controllers and processors. PDPPL does not include imprisonment provisions — it is a purely financial penalty regime.

How quickly must data breaches be notified?

The NDPO's executive guidelines require notification within 72 hours of becoming aware of the breach. Notifications must include the nature of the breach, the data affected, the number of data subjects involved, and the measures taken to address and mitigate the breach.

How does PDPPL differ from GDPR?

PDPPL is consent-centric and lacks GDPR's broader range of lawful bases (legitimate interest, contract performance, etc.). It applies a fixed financial penalty range rather than GDPR's percentage-of-turnover model. However, it shares core principles — purpose limitation, data minimisation, security by design, and data subject rights. Organisations operating across both regimes typically build a unified privacy programme that satisfies the stricter requirement on each dimension.

Is PDPPL actively enforced?

Yes. Public enforcement actions began in earnest in 2024-2025. In December 2024, the NDPO issued a compliance ruling against an ICT sector company; in March 2025, an e-commerce operator received an order to enhance its administrative, technical, and financial procedures for personal data protection. Active enforcement is now the operating reality.

Ready to operationalise PDPPL compliance?

Talk to a Vantage GRC consultant about your PDPPL programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.
