Qatar: QFC publishes updated Data Protection Rules introducing requirements for BCRs

On December 10, 2023, the Qatar Financial Centre (QFC) issued version 3 of the QFC Data Protection Rules (the 2023 Rules). The 2023 Rules are broadly similar to version 2 of the QFC Data Protection Rules (the 2021 Rules), with the only change being the introduction of new requirements for the use of Binding Corporate Rules (BCRs) for transfers of personal data outside the QFC.

What must BCRs contain?

The 2023 Rules provide that, to get approval from the Data Protection Office, BCRs must specify, among other things:

  • the structure and contact details of the relevant group and each of its members;
  • the types of data transfers to be covered by the BCRs;
  • the legally binding nature of the BCRs, both internally and externally;
  • the application of the general data protection principles, including purpose limitation, data minimization, data protection by design and by default, and legal basis for processing;
  • the rights of data subjects and the means to exercise those rights, including the right to obtain redress and, where appropriate, compensation for a breach of the BCRs;
  • the responsibility of any person or entity within the group in charge of monitoring compliance with the BCRs;
  • the mechanisms within the group for monitoring compliance with the BCRs and cooperating with the Data Protection Office to ensure compliance;
  • the procedures for reporting and recording changes to the BCRs and reporting those changes to the Data Protection Office; and
  • the data protection training provided to personnel with permanent or regular access to personal data.

You can access the 2023 Rules here