Your Rights Under Qatar's PDPPL (2026 Legal Guide) — Rules & Requirements

Researched by , Founder & Head Researcher

Primary sources cited; not legal advice.

Last verified:

Source: Law No. 13 of 2016 on Personal Data Privacy Protection (PDPPL); National Data Privacy Office (NDPO) under Ministry of Communications and Information Technology (MCIT); NDPO Compliance and Data Protection Department.

About this article

Sourced from Qatari national laws, Emiri decrees, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Qatari National Law

What is this right?

Qatar's Personal Data Privacy Protection Law (PDPPL) — Law No. 13 of 2016 — was the first national data-privacy statute in the Gulf, effective from 2017. The regulator is the National Data Privacy Office (NDPO), operating under the Ministry of Communications and Information Technology (MCIT). The NDPO has actively enforced since 2024: it issued compliance orders against an ICT-sector company in December 2024, an e-commerce company in March 2025, and a local contracting company in April 2025.

Core rights of data subjects under the PDPPL include: right to be informed of processing; right of access to data held about them; right to rectify, complete, or update data; right to object to processing; right to request erasure; and explicit consent requirements for processing sensitive data.

When does it apply?

  • A company / platform in Qatar holds your personal data and refuses to disclose what it holds, correct an error, or delete it.
  • You withdraw consent for processing but data continues to be processed.
  • You are a victim of a data breach.
  • A bank, telecom, hospital, or government agency discloses your sensitive personal data without lawful basis.

Using Your Rights Under Qatar's PDPPL

  1. Start with a written request to the data controller. Cite the PDPPL Law 13/2016 and the specific right you are exercising. Include Qatar ID and a reasonable response window.
  2. If the controller refuses, escalate to the NDPO. NDPO operates under MCIT. File via the National Data Privacy Office's complaint channel at assurance.ncsa.gov.qa/en/privacy/law.
  3. For banking data, file in parallel with QCB Consumer Protection. Banking-data handling is covered by QCB Customer Protection rules.
  4. For criminal-side disclosure offences, file with MOI CID via Metrash2 under Cybercrime Law Article 8.
  5. Save all correspondence. Controller responses / non-responses become evidence at NDPO.

What should you NOT do?

  • Don't skip the controller's internal channel. NDPO expects the data subject to have requested directly from the controller first.
  • Don't disclose more identification data than necessary.
  • Don't pay 'data removal services' upfront. Statutory channels are the proper route.

About Data Privacy & Digital Rights in Qatar

Qatar's Personal Data Privacy Protection Law (PDPPL — Law No. 13 of 2016) was the first national data-privacy statute in the Gulf. It took effect in 2017. The regulator is the National Data Privacy Office (NDPO) under the Ministry of Communications and Information Technology (MCIT). NDPO has been actively enforcing since 2024 — multiple compliance orders issued against ICT and e-commerce operators in 2024–2025.

For NCII and unauthorised intimate imagery, the criminal framework is the Cybercrime Prevention Law (Law No. 14 of 2014), particularly Article 8 (privacy / image-based offences — up to 3 years' imprisonment and QR 100,000 fine) and the 2025 Article 8 bis amendment on unauthorised photography. Investigation runs through MOI CID via Metrash2. Victims should also use StopNCII.org (18+) or takeitdown.ncmec.org (under-18) — both free, both work in Qatar.

Common Questions

Is the PDPPL fully enforced?

Yes — Law 13/2016 has been effective since 2017. The National Data Privacy Office (NDPO) has been actively enforcing since 2024, with multiple compliance orders issued in 2024–2025 against ICT, e-commerce, and contracting operators. Qatar's enforcement maturity is more developed than several other Gulf jurisdictions.

Who is the regulator?

The National Data Privacy Office (NDPO), operating under the Ministry of Communications and Information Technology (MCIT). NDPO has compliance-investigation authority and can issue corrective orders against controllers found to be in breach of the PDPPL.

What are the data subject rights?

The PDPPL grants data subjects the right to: be informed of processing; access data held about them; rectify, complete, or update data; object to processing for legitimate reasons; request erasure where appropriate; and provide explicit consent before sensitive data is processed. Confirm the gazetted text via Al Meezan or assurance.ncsa.gov.qa for precise statutory wording.

Does the PDPPL apply to foreign companies?

The PDPPL applies to personal data processed within Qatar. Foreign companies processing Qatari residents' data should treat the law as having practical reach via NDPO's enforcement against operators with Qatari presence. Confirm specific cross-border applicability for high-stakes matters with qualified Qatari counsel.

What is the your rights under qatar's personal data privacy protection law (pdppl) right in Qatar?

Qatar's Personal Data Privacy Protection Law (PDPPL) — Law No. 13 of 2016 — was the first national data-privacy statute in the Gulf, effective from 2017. The regulator is the National Data Privacy Office (NDPO), operating under the Ministry of Communications and Information Technology (MCIT). The NDPO has actively enforced since 2024: it issued compliance orders against an ICT-sector company in December 2024, an e-commerce company in March 2025, and a local contracting company in April 2025.Core rights of data subjects under the PDPPL include: right to be informed of processing; right of acces...

When does it applyyour rights under qatar's personal data privacy protection law (pdppl)?

A company / platform in Qatar holds your personal data and refuses to disclose what it holds, correct an error, or delete it.You withdraw consent for processing but data continues to be processed.You are a victim of a data breach.A bank, telecom, hospital, or government agency discloses your sensitive personal data without lawful basis.

What rights do I have under Qatar's Personal Data Privacy Protection Law?

Start with a written request to the data controller. Cite the PDPPL Law 13/2016 and the specific right you are exercising. Include Qatar ID and a reasonable response window.If the controller refuses, escalate to the NDPO. NDPO operates under MCIT. File via the National Data Privacy Office's complaint channel at assurance.ncsa.gov.qa/en/privacy/law.For banking data, file in parallel with QCB Consumer Protection. Banking-data handling is covered by QCB Customer Protection rules.For criminal-side disclosure offences, file with MOI CID via Metrash2 under Cybercrime Law Article 8.Save all correspon...

What should you NOT doyour rights under qatar's personal data privacy protection law (pdppl)?

Don't skip the controller's internal channel. NDPO expects the data subject to have requested directly from the controller first.Don't disclose more identification data than necessary.Don't pay 'data removal services' upfront. Statutory channels are the proper route.

More in Data Privacy & Digital Rights

Removing Non-Consensual Intimate Imagery (NCII)NCII in Qatar runs on three paths. Criminal: MOI CID under Cybercrime Law 14/2014 Article 8 — up to 3 years and QR 100,0...Read more →Cyberstalking and Online Harassment in QatarCyberstalking and online harassment in Qatar are criminal under Cybercrime Law 14/2014, particularly Article 8 (privacy ...Read more →
← Browse all Data Privacy & Digital Rights

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission