NDPO Issues “Legally Binding Decision” involving a company in the ICT sector

Thursday, December 12, 2024

The National Data Privacy Office (NDPO), part of the National Cyber Security Agency (NCSA), has issued a legally binding decision mandating a company in the ICT sector to strengthen its compliance with the Personal Data Privacy Protection Law (PDPPL). This decision obliges the company to further enhance and monitor its administrative, technical, and financial measures to safeguard personal data effectively.

The ruling, issued as Decision No. (1) of 2024, was prompted by an investigation into the company’s processing of personal data following a formal complaint. The NDPO found the company in violation of several provisions under the PDPPL, specifically Articles 4, 8, 10, and 11, which relate to obtaining consent, implementing data protection safeguards, ensuring data accuracy, and overseeing the compliance of third-party processors.

Background of the Case

The case began on May 29, 2023, when an individual filed a complaint under Article 26 of the PDPPL. The complaint alleged that the company had used their personal data without consent and in a manner the individual had not anticipated. After a detailed investigation, the NDPO confirmed that the company’s practices violated key provisions of the PDPPL.

Article 4 of the law requires data controllers to obtain explicit consent before processing personal data unless a lawful purpose justifies otherwise. Article 8 mandates the implementation of robust safeguards to protect personal data, while Article 10 requires ensuring the accuracy, completeness, and timeliness of data. Additionally, under Article 11, data controllers are responsible for monitoring the compliance of third-party data processors.

While violations were confirmed in these areas, the NDPO found the company compliant with Article 14, which concerns data retention and processing duration.

Decision and Requirements

The NDPO has mandated the company to take immediate action to address these issues. It must review and enhance its current measures for protecting personal data, improve the accuracy and reliability of the data it processes, and establish stricter oversight of its data processors to ensure compliance with the law.

The NDPO acknowledged the company’s cooperation during the investigation and its commitment to improving its data protection practices. As a result, the agency chose not to issue a public censure of the company.

Contact Information

For further details about the PDPPL or the NDPO’s work in promoting data privacy and protection, please reach out to privacy@ncsa.gov.qa.