Qatar’s Data Protection Law (Law 13 of 2016) came into effect in 2016. It was not drafted with GDPR in mind. The Data Protection Authority contemplated in the law has not yet been established, and the associated Regulations have not yet been established.
Under the Data Protection Law, processors have an unqualified obligation to notify data controllers of breach-type events, whereas data controllers are required to notify data subjects and the Data Protection Authority only once a materiality threshold (‘serious damage’) is met. Associated penalties include fines of up to QAR 5,000,000 or USD 1.3 million (for processors failing to notify) and QAR 1,000,000 or USD 2.6 million (for data controllers failing to notify).
Otherwise, loss or damage arising out of such events could be captured under other Qatar law provisions, such as those providing for remedy where someone causes damage to another. Depending on the circumstances of a data breach (and in the absence of a Data Protection Authority as contemplated in the Data Protection Law), it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
Separate to the generally applicable Data Protection Law, a licensing authority in Qatar, the Qatar Financial Centre, has a modern data protection law applicable to entities licensed by it. The QFC Data Protection Regulation 2005 was not prepared with GDPR in mind, although it bears some similarity to the European Data Protection Directive 95/46. It is unclear whether it is currently being reviewed in order to make it more consistent with GDPR.