6 October 2024, Doha – Qatar: The Data Protection Office (DPO) of Qatar Financial Centre (QFC), a leading onshore financial and business centre in the region, has imposed a reprimand and financial penalty of USD 150,000 on a QFC-licensed firm, following a significant data breach. These measures, the first of its kind in Qatar, underscores the QFC's commitment to upholding robust data protection standards and holding firms accountable for breaches that compromise the security of the personal information of data subjects.
The firm experienced a data breach that allowed unauthorised access to personal data. The investigation revealed several infringements of the QFC Data Protection Regulations 2021, including late notification, security failures and inadequate oversight. The firm failed to report the breach within the required 72-hour window, delaying notification by ten days; it failed to adequately protect the integrity, confidentiality, and availability of personal data and did not effectively ensure the proper implementation of its own security policies.
The DPO opted not to issue a public censure, acknowledging the firm’s full cooperation throughout the investigation and its substantial efforts to strengthen its data security measures.
Commenting on the decision, Daniel Patterson, Commissioner, Data Protection Office, QFC, said, “Maintaining the highest standards of data protection and security is paramount for fostering trust and confidence in Qatar's business ecosystem. This case highlights the seriousness with which we view breaches of the Data Protection Regulations, and we will continue to work closely with firms to ensure full compliance. The QFC remains dedicated to providing a secure and transparent environment for businesses and individuals alike.”
The DPO is an independent institution of the QFC, charged with administrating the QFC Data Protection Regulations 2021 and all aspects of data protection within the QFC. It provides support, advice, and guidance to the QFC community on all data protection matters, adjudicating complaints and investigating alleged contraventions of the Regulations.