Guidance Hub

National Cyber Governance and Assurance Affairs has developed a set of guidelines to support organizations in understanding their obligations under the PDPPL and to provide a degree of clarity around these requirements as well as where possible providing checklists and template documents to support controllers with compliance with the PDPPL. The guidelines are also intended to provide guidance to individuals so they understand what their rights are under the PDPPL. These detailed guidelines are set out through the links below.

National Cyber Governance and Assurance Affairs will take all measures we see fit to implement the provisions of the PDPPL and oversee compliance with it. This guidance performs an integral part of those measures.

What personal data processing do these guidelines apply to?

These guidelines apply to any personal data that is processed electronically, through a combination of electronic and non-electronic means or where acquired through non-electronic means in anticipation of processing electronically. They apply to any organization that processes personal data.

These guidelines do not apply to personal data processed by Individuals themselves within the scope of their personal or familial lives.

These guidelines do not apply to personal data processed for purposes of collecting official statistical data pursuant to the Law No 2 of the year 2011 on Official Statistics.

How do Regulated Entities use these guidelines?

Privacy is about ensuring people can trust controllers/processors to use their data fairly and responsibly. If controllers/processors collect information about individuals for any reason other than their own personal, family or household purposes, controllers/processors need to comply.

Every organization is different and there is no one-size fits-all answer. The PDPPL is not prescriptive. Regulated entities need to take a risk-based approach, based on the key privacy principles which are addressed in the guidelines. This means that the PDPPL is flexible and can be applied to entities, whether a multinational company operating globally or a local convenience store sharing personal data only with a local Qatari bank.

Whatever the size of the regulated entity or the situations in which they operate, it doesn’t act as a barrier to doing new things in new ways. A result of this flexibility is that regulated entities must consider the ways in which they process personal data and take responsibility for what they do with it. It is incumbent on regulated entities to review and understand the requirements of the PDPPL to determine how they apply to their organization and what they need to do to comply. To comply with a number of the principles, for example, they may be required to put in place a Personal Data Management System (PDMS) to protect personal data and individuals’ rights.

These guidelines have been created to help regulated entities navigate their responsibilities under the PDPPL and include templates and examples to support them on their compliance journey. National Cyber Governance and Assurance Affairs, however, cannot decide exactly which precautions regulated entities need to take, and how they should implement them, based on their specific organizational circumstances for them. They are best placed to determine, and be able to justify, the approach they take as they know their organization best and they are accountable for doing so.

How do Individuals use these guidelines?

The PDPPL includes a set of individuals’ rights and obligations of regulated entities toward certain rights that individuals have with respect to their personal data. It also provides individuals with the right to the protection and the lawful processing of their personal data. This means that individuals can expect their personal data to be processed in accordance with the PDPPL, and therefore, if they do believe that their personal data is not being protected or processed lawfully, the PDPPL requires controllers to enable individuals to make complaints to them about how their personal data is being processed.

The PDPPL also enables individuals to make complaints to National Cyber Governance and Assurance Affairs about the processing practices of any organization where the individual believes that their personal data is not being processed in accordance with the PDPPL.

These guidelines set out each right in more detail and have been developed to help individuals understand when and how they can exercise them, how individuals should make complaints to controllers and National Cyber Governance and Assurance Affairs and how National Cyber Governance and Assurance Affairs may behave when investigating them.

The use of social media platforms often involves sharing personal data. Guidelines have been developed to set out precaution’s individuals should take when using social media to protect their personal data and privacy.

What guidelines are available?

From time to time National Cyber Governance and Assurance Affairs will update guidelines or develop additional guidelines to address issues arising.

When National Cyber Governance and Assurance Affairs publishes updated and new guidelines, they will be published at the privacy publications page, regulated entities should check this page periodically to ensure they are up to date with the latest guidelines. Individuals are also, invited to check these guidelines to get a better understanding of what are their rights under the PDPPL.

For any queries about any requirements in the PDPPL, please contact