
Qatar was first. Law No. 13 of 2016 Concerning Personal Data Privacy Protection — the PDPPL — was the first comprehensive data-protection law in the Gulf, in force since 2017, years ahead of Saudi Arabia and the UAE. If you run an online form that collects data from people in Qatar, it has applied to you for a while, and the National Cyber Security Agency’s data-privacy office now enforces it. Here is what your form has to do.
1. Get explicit consent, with a narrow set of exceptions
Article 4 requires the controller to obtain the individual’s explicit consent before processing personal data, unless the processing is necessary for a lawful purpose of the controller or recipient. For a public-facing form, you are almost always relying on consent — so it has to be a clear, affirmative act, not a pre-ticked box or a line buried in a policy.
2. The “special nature” data permit — the trap most forms miss
This is the PDPPL rule that surprises people. Data of a “special nature” — health, ethnicity, religion, criminal record, marital relationships, and children’s data — cannot be processed without permission from the Competent Department. That is a permit you obtain before you start collecting, not a checkbox on the form. A health-intake form, a form that asks about religion, or anything aimed at children needs that clearance first. Most teams discover this after they have already launched.
3. Name the controller and the purpose
The individual has to be able to see who is collecting their data, for what purpose, and how to exercise their rights — on the form, at the point of collection. The tenant running the form is the controller; the platform is the processor. The form has to name the controller.
4. Honour the five data-subject rights
The PDPPL gives individuals five rights: to withdraw consent, to object to unnecessary or unlawful processing, to have data erased, to have it corrected, and to access what is held. A form that collects data needs a real, monitored channel for someone to later say “erase what I submitted” or “I withdraw my consent.”
5. Don’t bolt marketing onto the form
Direct marketing has its own bar: no marketing message without the individual’s explicit and unambiguous consent, and every message must identify the controller, say plainly that it is marketing, and carry a working way to opt out. A registration or contact form that quietly enrols people into a mailing list fails this twice — the consent is not specific, and it is not unambiguous.
6. Have a 72-hour breach plan
Where a breach may cause serious harm, the controller must notify both the affected individuals and the regulator within 72 hours of detection. The guidelines flag exactly the scenarios a form touches: sensitive data, third-party data collection, direct marketing, employee data, and cross-border transfers. For a form, the breach surface is the submission store and anywhere submissions are forwarded.
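The six points above translate into a handful of checks a form platform can run before a form is published and again on every submission. The block below is an added example written for this page, not code from the original page and not Sahl's code; the form schema, the field names, the "special nature" category labels and the permit-reference string are assumptions made for the illustration, and the 72-hour window is taken from the breach section above.

```javascript
// Added example: pre-launch lint and submission check for a form that collects
// data from people in Qatar. Schema and field names are assumptions for this
// illustration; the special-nature list and the 72-hour window follow the text.

// Categories the PDPPL treats as data of a "special nature" (section 2 above).
const SPECIAL_NATURE = new Set([
  "health", "ethnicity", "religion", "criminal_record", "marital", "children",
]);

const BREACH_NOTICE_WINDOW_MS = 72 * 60 * 60 * 1000;

// Lint a form definition before it goes live. Returns a list of problems;
// an empty list means the form can be published.
function lintFormDefinition(form) {
  const problems = [];
  if (!form.controller || !form.purpose) {
    problems.push("form must name the controller and the purpose at the point of collection");
  }
  if (!form.rightsContact) {
    problems.push("form must give a channel for access, correction, erasure and withdrawal requests");
  }
  const special = form.fields.filter((f) => SPECIAL_NATURE.has(f.category));
  if (special.length > 0 && !form.specialNaturePermit) {
    problems.push(`special-nature fields (${special.map((f) => f.name).join(", ")}) need a Competent Department permit before collection`);
  }
  for (const f of form.fields) {
    if (f.type === "consent" && f.default === true) {
      problems.push(`consent field "${f.name}" is pre-ticked; consent must be an affirmative act`);
    }
  }
  const consents = form.fields.filter((f) => f.type === "consent");
  if (!consents.some((f) => f.consentFor === "processing")) {
    problems.push("form has no consent field for the stated processing purpose");
  }
  if (form.enrolsInMarketing && !consents.some((f) => f.consentFor === "marketing")) {
    problems.push("marketing enrolment needs its own explicit, unambiguous consent field");
  }
  return problems;
}

// Validate one submission and build the consent record stored beside it.
// Processing consent must be an explicit boolean true (not "yes", not 1);
// marketing consent is recorded only if the person separately opted in.
// Throws on a submission that cannot lawfully be accepted.
function acceptSubmission(form, submission, now = new Date()) {
  const problems = lintFormDefinition(form);
  if (problems.length > 0) {
    throw new Error(`form not publishable: ${problems.join("; ")}`);
  }
  const consents = form.fields.filter((f) => f.type === "consent");
  const processing = consents.find((f) => f.consentFor === "processing");
  if (submission[processing.name] !== true) {
    throw new Error("explicit consent to processing was not given");
  }
  const marketing = consents.find((f) => f.consentFor === "marketing");
  const marketingOptIn = marketing ? submission[marketing.name] === true : false;
  return {
    controller: form.controller,
    purpose: form.purpose,
    consentedAt: now.toISOString(),
    marketing: marketingOptIn,
    withdrawnAt: null,
  };
}

// Withdrawal of consent (section 4): the record is closed and marketing stops;
// the submission itself then has to leave every downstream store as well.
function withdrawConsent(record, now = new Date()) {
  return { ...record, marketing: false, withdrawnAt: now.toISOString() };
}

// Deadline for notifying individuals and the regulator after a breach that
// may cause serious harm: 72 hours from detection (section 6).
function breachNotificationDeadline(detectedAt) {
  return new Date(detectedAt.getTime() + BREACH_NOTICE_WINDOW_MS);
}

// Constructed sample: a health-intake form before and after the permit is
// recorded. The controller name and the permit reference are made up.
const healthForm = {
  controller: "Example Clinic W.L.L.",
  purpose: "booking a consultation",
  rightsContact: "privacy@example.test",
  enrolsInMarketing: true,
  specialNaturePermit: null,
  fields: [
    { name: "condition", category: "health" },
    { name: "consent_processing", type: "consent", consentFor: "processing", default: false },
    { name: "consent_marketing", type: "consent", consentFor: "marketing", default: false },
  ],
};
const permittedForm = { ...healthForm, specialNaturePermit: "permit-ref-assumed" };
```

The lint is deliberately run again inside acceptSubmission so that a form edited after launch (a health field added, a consent box flipped to pre-ticked) stops accepting submissions rather than silently collecting data it should not. A string "yes" or a 1 in the consent field is rejected on purpose: the record should only ever hold a value that came from an affirmative act on the form.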
What this costs to get wrong
Financial penalties are capped at QAR 1,000,000 or QAR 5,000,000 depending on the provision breached, so the ceiling scales with severity. The PDPPL is penalty-only, with no imprisonment, but the “special nature” permit and the marketing-consent rules are the two places teams most often trip, and both are avoidable with a form designed around them.
Where Sahl fits
In Qatar, Sahl runs as forms.qa, on its own domain and tenant pool, for teams that want their forms and data kept on a Qatar-facing footing. The platform carries the controller notice on every public form, records consent as an affirmative act, separates marketing consent from the rest, and is Arabic-first so plain-language consent is the default, not an afterthought.