Guardian Middle East LLC

Guardian Middle East LLC processes personal data under Qatar PDPPL Law 13/2016 and the QFC Data Protection Regulations. Personal data is collected for defined purposes, processed on documented lawful bases (consent, contract, legal obligation, legitimate interests), retained for stated periods, and subject to data subject rights (access, correction, deletion, portability, objection, restriction). Personal Data Breaches are notified to the QFC Data Protection Office within 72 hours. Data subjects may exercise their rights via info@guardian.qa. 

Defined Terms

In this Privacy Notice, the following terms have the meanings ascribed:

| Term | Meaning |
| --- | --- |
| Guardian / we / us / our | Guardian Middle East LLC, a limited liability company incorporated in the Qatar Financial Centre under QFC Licence 03870. Learn more about who Guardian Middle East LLC is, including its regulatory status and governance structure. |
| PDPPL | Qatar Law No. (13) of 2016 concerning Personal Data Privacy Protection. |
| QFC DPR | QFC Data Protection Regulations and Rules issued by the Qatar Financial Centre Authority. |
| Personal Data | Any data relating to an identified or identifiable natural person — including name, identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. |
| Sensitive Personal Data | Personal data revealing ethnic origin, religious beliefs, political opinions, criminal records, health, or other categories afforded enhanced protection under PDPPL. |
| Data Subject | The natural person to whom the personal data relates. |
| Processing | Any operation performed on personal data — collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction. |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. |
| DPO | The Data Protection Officer — the named individual within Guardian responsible for data protection oversight. |

Scope of This Notice

This Privacy Notice applies to all personal data processed by Guardian Middle East LLC in connection with:

  1. Inquiries received through the website, email, telephone, or in-person.
  2. Certification engagements — from inquiry through application, audit, certification decision, and the 3-year certification cycle. The contractual relationship governing these activities is described in our contractual terms — including confidentiality.
  3. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) under QFC AML/CFTR 2019. Additional information regarding CDD requirements, sanctions screening, and beneficial ownership verification is available in our CDD-related processing detail page.
  4. Inspection-services engagements under ISO/IEC 17020.
  5. Resources, training, and information access through the website.
  6. Complaints, appeals, and feedback submissions.
  7. Recruitment and engagement with personnel, contractors, technical experts, and auditors.
  8. Cooperation with accreditation bodies (UAF, IAS, QS) and regulators (QFCA, QFCRA, FIU Qatar).
  9. Marketing communications, where opted in.

This Notice does not cover personal data handled by third parties (including the issuing certification bodies — Guardian Assessment Pvt Ltd, TNV Global Limited, the Third-Party CB) under their own privacy notices, except where Guardian Middle East LLC acts as the local representative or co-processor.

Categories of Personal Data We Collect

| Category | Examples |
| --- | --- |
| Identity data | Name, title, date of birth, nationality, identification documents (passport, Qatar ID, driving licence). |
| Contact data | Postal address, email address, telephone numbers, business address. |
| Professional data | Job title, employer, professional qualifications, certifications held, work experience (where relevant to engagement). |
| Beneficial ownership data | For CDD purposes — beneficial owner identity, residential address, source of funds declaration. Required by QFC General Rule 8A. |
| Sanctions and PEP data | Screening results against UN, Qatar national, OFAC, EU, UK sanctions lists; PEP status indicators. |
| Financial data | Bank account details (for invoicing), payment records, fee history. |
| Audit data | Notes from interviews, observations, statements made during audits — to the extent they relate to identifiable individuals. |
| Technical data | IP address, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform — through website use. |
| Marketing data | Marketing preferences and consent records. |
| Sensitive personal data | Generally NOT collected. Where collected (e.g., disability adjustments for an audit visit), processed only with explicit consent and under enhanced safeguards. |

We collect personal data primarily from the data subject directly. Where personal data is collected from third parties (e.g., screening service providers, accreditation bodies, regulators), the source is documented and the data subject is informed within 30 days as required by PDPPL.

Lawful Bases for Processing

Guardian Middle East LLC processes personal data on the following lawful bases under PDPPL:

| Lawful Basis | When We Use This Basis |
| --- | --- |
| Consent | Inquiry forms and marketing communications. Consent is freely given, specific, informed, and unambiguous. Captured through unticked checkbox; recorded with timestamp and consent text version. Withdrawable at any time via info@guardian.qa. |
| Contract performance | Personal data processed to perform a certification or inspection engagement under contract — auditor identification, scheduling, audit conduct, certification decision, certificate issuance. |
| Legal obligation | Personal data processed to comply with QFC AML/CFTR 2019, Qatar AML Law 20/2019, QFC General Rule 8A (Beneficial Ownership), tax obligations, and other applicable Qatari and QFC law. |
| Legitimate interests | Personal data processed for our legitimate interests — e.g., responding to general inquiries, network security, fraud prevention, administrative recordkeeping. Balancing test conducted to ensure interests do not override data subject rights. |
| Vital interests | Used in rare emergency scenarios — e.g., emergency medical contact during an on-site audit visit. |
| Public interest / official authority | Where required to comply with regulator requests, court orders, or accreditation-body assessments under documented authority. |

Sensitive personal data is processed only with the data subject’s explicit consent or where another applicable PDPPL safeguard applies (e.g., legal claims, vital interests).

Purposes of Processing

Personal data is processed for the following defined purposes:

  1. Service delivery — providing certification and inspection services under contract.
  2. Customer Due Diligence — onboarding, beneficial ownership identification, sanctions screening, PEP screening, EDD.
  3. Audit conduct — conducting Stage 1, Stage 2, surveillance, recertification, and inspection activities.
  4. Certification decisions — independent decision-making at Step 5 of the certification process.
  5. Records and reporting — maintaining required records under ISO/IEC 17021-1, QFC AML/CFTR, and Guardian’s Quality Manual.
  6. Regulatory cooperation — responding to QFCA, QFCRA, FIU Qatar, and accreditation body (UAF, IAS, QS) requests.
  7. Fee management — invoicing, payment processing, account reconciliation.
  8. Communications — operational communications, scheduling, technical clarifications.
  9. Marketing — communications with explicit, opted-in recipients only.
  10. Quality assurance — internal quality monitoring, complaint handling, feedback management.
  11. Legal claims — pursuing or defending legal claims, where necessary.
  12. Network and information security — protecting our systems, data, and operations from threats.

We do not use personal data for automated decision-making with legal or similarly significant effects on the data subject without the safeguards required by PDPPL.

Sharing With Third Parties

Personal data is shared with the following categories of third parties on the lawful bases stated:

| Recipient | Purpose of Sharing | Lawful Basis |
| --- | --- | --- |
| Issuing certification bodies | Guardian Assessment Pvt Ltd, TNV Global Limited, the Third-Party CB (IAS-Accredited MSCB 154 for ISO 22301) — for issuance and management of certificates. | Contract performance |
| Accreditation bodies | UAF, IAS, QS — for accreditation oversight including witnessed audits and assessment visits. | Legal obligation |
| Regulators | QFCA, QFCRA, FIU Qatar, Qatari government authorities — under regulatory request or notification obligation. | Legal obligation |
| Service providers | IT service providers, hosting providers, payment processors, courier services, sanctions-screening service providers — under data processing agreements. | Legitimate interests / contract |
| Professional advisers | Lawyers, auditors (financial), tax advisers, insurers — under confidentiality obligations. | Legitimate interests / legal obligation |
| IAF CertSearch | For accredited-certificate listings (Tier 1, 2, 3) — the certified-organisation entity name, scope, and certificate validity dates are listed publicly. Personal data of individuals is not listed. | Legal obligation / contract |
| Audit team and technical experts | To conduct audits and inspections under defined audit-team appointments. Bound by Guardian’s confidentiality framework. | Contract performance |
| Insurance providers | Professional indemnity, general liability, cyber insurance — limited disclosure for claim or policy management. | Legitimate interests |

Guardian does not sell personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

Cross-Border Data Transfers

Some personal data is transferred outside Qatar in the course of normal operations — primarily to:

  • India — Guardian Assessment Pvt Ltd (issuing CB for Tier 1, Tier 2 excluding ISO 22301) and TNV Global Limited (issuing CB for Tier 3).
  • United States — accreditation bodies UAF and IAS for accreditation oversight.
  • Other jurisdictions — service providers (e.g., cloud hosting, sanctions-screening providers) in jurisdictions with adequate data protection or under contractual safeguards.

Safeguards for Cross-Border Transfers

Cross-border transfers of personal data are conducted under appropriate safeguards under PDPPL, including:

  • Transfer to jurisdictions assessed by Qatar as providing adequate protection (where formally designated).
  • Transfer under contractual safeguards — Standard Contractual Clauses or equivalent contractual data-protection commitments.
  • Transfer under explicit consent of the data subject, where applicable.
  • Transfer under necessity for performance of a contract with the data subject.
  • Transfer required by legal obligation (e.g., sanctions screening through international screening services).

Detailed information on the safeguards applicable to a specific transfer is available on request to privacy@guardian.qa.

Retention Periods

Guardian retains personal data for the periods stated below, after which the data is securely deleted or anonymised. Retention periods are calibrated to regulatory minimums, operational necessity, and litigation-hold considerations.

| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Inquiry data (no engagement progressed) | 12 months from last contact | Operational necessity; legitimate interest |
| CDD records (active client) | Duration of engagement + 7 years | QFC AML/CFTR 2019 minimum retention |
| Audit records | 9 years (3 cycles) | ISO/IEC 17021-1; Guardian Quality Manual |
| Certificate register | Indefinitely (registry record) | ISO/IEC 17021-1; accreditation body requirements |
| Financial records | 10 years | Qatari tax law and accounting standards |
| Marketing data | Until consent withdrawn | Consent |
| Website analytics data | 26 months | Operational necessity |
| Complaints and appeals records | 9 years | ISO/IEC 17021-1; Guardian Quality Manual |
| Personnel and contractor records | Duration of engagement + 7 years | Qatari labour law; tax law |
| Personal Data Breach records | 9 years | PDPPL accountability obligation |

Where retention is subject to litigation hold (anticipated or actual legal proceedings), the affected data is preserved beyond the standard retention period until the hold is released.

Your Rights as a Data Subject

Under PDPPL, you have the following rights in relation to your personal data:

| Right | Description |
| --- | --- |
| 1. Right of access | To obtain confirmation of whether we are processing your personal data and, if so, to access the personal data and supplementary information. |
| 2. Right of correction | To have inaccurate personal data corrected and incomplete personal data completed. |
| 3. Right of deletion | To request erasure of personal data where one of the grounds in PDPPL applies (consent withdrawn; data no longer necessary; processed unlawfully). Subject to exceptions, including AML/CFT retention obligations. |
| 4. Right of restriction | To request restriction of processing in defined circumstances — for example, while accuracy is being verified. |
| 5. Right of objection | To object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. |
| 6. Right to portability | To receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller — where processing is based on consent or contract. |
| 7. Right to withdraw consent | Where processing is based on consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| 8. Right to complain | To lodge a complaint with the QFC Data Protection Office or the Qatari Compliance and Data Protection Department, in addition to any complaint to Guardian. Individuals seeking an independent review may refer to how to challenge a privacy decision. |

How to Exercise Your Rights

  • Email — privacy@guardian.qa. Include your name, the right you wish to exercise, and any relevant context.
  • Postal — Data Protection Officer, Guardian Middle East LLC, Office 121–122, Floor 1, Regus Business Centre, Building 67, Doha, Qatar.
  • Verification — to protect your data, we may request information sufficient to verify your identity before responding.
  • Response time — within 30 days of a verified request. In limited circumstances (complex requests or high volume), this may be extended by up to 60 additional days; we will notify you of any extension.
  • Fees — generally no fee is charged. Where requests are manifestly unfounded, excessive, or repetitive, a reasonable administrative fee may apply or we may decline to act on the request.

Limitations on Rights

Some rights are subject to limitations under PDPPL. For example:

  • The right of deletion does not override AML/CFT retention obligations under QFC AML/CFTR 2019.
  • The right of access may be partially restricted where exercise would compromise the rights of others, ongoing investigations, or confidentiality obligations under ISO/IEC 17021-1 §8.5.

Audit-record retention obligations under ISO/IEC 17021-1 may take precedence over deletion requests.

Personal Data Breach Notification

In the event of a Personal Data Breach (as defined under PDPPL and QFC DPR), Guardian Middle East LLC will:

  1. Within 72 hours of becoming aware — notify the QFC Data Protection Office of the breach, including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
  2. Without undue delay — notify affected data subjects directly where the breach is likely to result in a high risk to their rights and freedoms, in clear and plain language.
  3. Maintain a record — of all Personal Data Breaches, including those that did not require notification, in line with PDPPL accountability requirements.
  4. Conduct a post-incident review — to identify root causes, lessons learned, and corrective action.

Guardian operates an information security framework aligned with ISO/IEC 27001 controls. Information security incidents are escalated through documented channels to the DPO and SEF.

Cookies & Website Analytics

The Guardian website (guardian.qa) uses cookies and similar technologies. A cookie banner is displayed on first visit, allowing acceptance of optional cookies (analytics, marketing). Strictly necessary cookies (e.g., session, security) are deployed without consent as they are essential to website function.

Categories of Cookies

  • Strictly necessary — essential for website function, security, and accessibility. Cannot be disabled.
  • Analytics — privacy-preserving website analytics to understand site usage. Deployed only with consent.
  • Marketing — currently NOT deployed. If introduced in future, the cookie banner and this Notice will be updated.

Cookie preferences can be reviewed and changed at any time via the cookie management interface accessible from any page footer.

Children's Privacy

Guardian’s services are directed at organisations and the personnel responsible for those organisations’ management systems — not at children. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. Parents or guardians who believe a child has provided personal data may contact privacy@guardian.qa.

Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, regulatory requirements, or operational arrangements. The current version is identified in the Version Bar at the top of the page. Material changes will be communicated:

  • Prominent notice on the website homepage.
  • Direct notification to active clients via email.
  • Published version history at the foot of this page.

Where a material change affects the lawful basis for processing or introduces a new processing purpose, we may seek fresh consent or otherwise re-establish the lawful basis as required by PDPPL.

Contact & Complaints

Data Protection Officer (DPO)

  • Email — info@guardian.qa
  • Postal — Data Protection Officer, Guardian Middle East LLC, Office 121–122, Floor 1, Regus Business Centre, Building 67, Doha, Qatar
  • Telephone — +974 [PHONE], Sunday to Thursday, 09:00 to 17:00 Qatar time

External Routes

If you are not satisfied with Guardian’s response, you may also contact:

  • QFC Data Protection Office — for matters concerning processing within the QFC.
  • Compliance and Data Protection Department (Qatar) — for matters concerning processing under PDPPL.
  • The Qatari courts — for legal claims under applicable law.

GET STARTED — CONTACT GUARDIAN

Guardian Middle East LLC | Serving the Middle East
QFC Licence 03870 · Doha, Qatar

Location: Abo Hamour Area, Doha, Qatar
P.O. Box: 23277, Doha, Qatar
Mobile: +974 7770 2602 | +974 7213 7770
Email:  info@guardian.qa 
Website: www.guardian.qa


Frequently Asked Questions

Email privacy@guardian.qa with your name, the right you wish to exercise, and any relevant context. We may request information sufficient to verify your identity before responding. We respond within 30 days; in limited circumstances this may be extended by up to 60 additional days, with notification.

Yes, in many circumstances. However, the right of deletion is subject to limitations — most notably, AML/CFT retention obligations under QFC AML/CFTR 2019 require retention of CDD records for 7 years from end of business relationship, which override deletion requests for those records. Other personal data not subject to such obligations is typically deletable on request, subject to operational and legal-hold considerations.

Personal data is stored on systems located primarily within the Gulf region and India, with cloud-based services hosted under contracts that include appropriate data-protection safeguards. Information about specific storage locations and safeguards is available on request to privacy@guardian.qa.

Yes — to issuing certification bodies (Guardian Assessment Pvt Ltd in India, TNV Global Limited in India, the Third-Party CB), to accreditation bodies (UAF and IAS in the United States), and to service providers in various jurisdictions. Cross-border transfers are conducted under PDPPL safeguards including contractual data-protection commitments and where applicable, jurisdiction-adequacy or explicit consent.

No. Guardian does not sell personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

In the event of a Personal Data Breach, Guardian notifies the QFC Data Protection Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to data subject rights and freedoms, affected data subjects are notified directly without undue delay. We maintain records of all breaches in line with PDPPL accountability requirements.

Retention periods vary by data category — see §19 for the full schedule. Highlights: inquiry data without engagement progression is retained for 12 months; CDD records for engagements are retained for 7 years from end of business relationship under AML/CFT obligations; audit records for 9 years (3 cycles); financial records for 10 years.

Yes. Where processing is based on consent (e.g., marketing communications, inquiry forms), you may withdraw your consent at any time by emailing privacy@guardian.qa. Withdrawal does not affect the lawfulness of processing before withdrawal. After withdrawal, we will cease processing for the consented purpose; some data may be retained on alternative lawful bases (e.g., legal obligation).

Guardian does not use automated decision-making with legal or similarly significant effects on data subjects without the safeguards required by PDPPL. Certification decisions at Step 5 are made by human decision-makers structurally independent of the audit team — not by automated systems. Sanctions screening uses automated initial matching but human review confirms or clears any matches.

Guardian's Data Protection Officer (DPO) is the named individual responsible for data-protection oversight, accountable to the SEF. Direct contact: privacy@guardian.qa or via post to the address in §25. The DPO is the first point of contact for any privacy concern.
