Breaking News: Executive Regulation of the Omani Personal Data Protection Law is finally Released!

We are excited to announce that a significant milestone has been reached in Oman’s data protection landscape, the Ministry of Transport, Communication and Information Technology (“MTCIT”) has revealed the long-awaited Executive Regulation (“Regulation”) of the Omani Personal Data Protection Law (“PDPL”). This development marks a crucial step forward in the country’s commitment to safeguarding individual privacy and promoting responsible data handling practices. Let’s dive into the details of this regulatory framework and consider its implications for both businesses and individuals.

The Regulation was published in this week’s Official Gazette 1531 dated 4 February 2024 and shall be effective from the day following the date of its publication. The Regulation consists of 9 chapters and 45 articles, which aim to regulate the processing, protection and transfer of personal data in Oman.

The first chapter defines the terms and general provisions of the regulation, stating that the words and phrases of this Regulation such as personal data, data controller, data processor, processing, personal data holder, shall have the same meaning as stipulated in the PDPL. Additionally, in this Regulation it defines further terms such as permit, disclosure, data breach and the competent administrative.

The second chapter outlines the procedures for obtaining a permit from the MTCIT before processing any personal data, as stipulated in article 5 of the PDPL. The chapter specifies the required documents, fees, duration and renewal of the permit, as well as the conditions for its cancellation. As per the Regulation, the controller applying for a permit from the MTCIT to process personal data must submit a form that includes the following information: the name, address, and email of the data protection officer; the purpose of processing the personal data; the identification and classification of the personal data to be processed; the processor contracted to process the personal data (if any); the entities or third parties to whom the personal data will be disclosed; the locations where the personal data will be transferred or stored; the systems for managing and protecting the personal data; and any other information requested by the MTCIT. The MTCIT must study the permit application and decide on it within a period not exceeding 45 days from the date of completing the required information and documents, and the decision must be justified in case of rejection. The permit will be issued by the Minister of MTCIT and will be valid for 5 years, applicable of being renewed for a similar period.

The third chapter addresses the processing of children’s personal data. The chapter requires the data controller or processor to obtain the explicit consent of the child’s guardian, to limit the processing to the minimum necessary data, to provide the means for the guardian to access, update and modify the data, and to refrain from disclosing or sharing the data with third parties without the guardian’s consent.

The fourth chapter outlines the rights of the personal data holder, clarifying that a personal data holder has the right to exercise any of his rights as stated in Article 11 of the PDPL, such as: the right to access, correct, delete, transfer, object or withdraw consent to the processing of their personal data. According to the Regulation, the personal data holder may exercise any of his rights by submitting a written request to the data controller, and the data controller is obligated to respond to such request within 45 days. The chapter also sets the grounds for the controller to reject such requests.

The fifth chapter imposes obligations on the data controller and processor, such as establishing a policy for the protection of personal data that is accessible to the personal data holder before processing their data. The policy must include the mechanism and procedures for the personal data holder to exercise their rights under the PDPL and the Regulation. Additionally, it sets out the requirements to appoint an external auditor that is licensed before the MTCIT, notify the competent authority and the personal data holder of any data breach, maintaining records of processing activities that should be updated continuously, and ensuring the confidentiality and security of the data.

The sixth chapter covers the data breach provisions, Article 30 of the Regulation imposes an obligation on the data controller to notify the competent administration and the personal data holder of any data breach that poses a serious or high risk to the personal data holder’s rights within 72 hours of becoming aware of it, and the data controller should describe the nature, impact, and remedial measures of the breach. The chapter also provides that the data controller will have to maintain a record of the data breach cases, explaining their causes, consequences of their occurrence and the corrective measures that have been taken.

The seventh chapter sets out the duties of the data protection officer, who is appointed by the controller or the processor to oversee the compliance with the PDPL and the Regulation. The data protection officer is responsible for providing advice and consultation to the controller or the processor regarding their obligations under the PDPL and the Regulation. The data protection officer is also responsible for monitoring the implementation of the policies of the controller or the processor related to the protection of personal data. The chapter further obliges the controller to publish the data related to the data protection officer, and to allow the personal data holder to contact them in all matters related to the processing of their personal data.

The eighth chapter governs the transfer of personal data outside the borders of Oman. Article 23 of the PDPL stated that a controller may transfer personal data and allow its transfer outside the borders of Oman in accordance with the controls and procedures specified by the Regulations. The Regulation issued by the MTCIT makes it clear now that an explicit consent of the personal data holder is required before a controller transfers personal data outside the borders of Oman, unless the transfer is in accordance with an international obligation under an international agreement to which Oman is a party, or the transfer was carried out in a way that does not reveal the identity of the personal data holder. The chapter also requires the data controller to ensure that the foreign entity that receives the data provides an adequate level of protection that is not less than the level of protection specified in the PDPL and Regulation.

The ninth and final chapter prescribes the complaints and penalties for violating the provisions of the PDPL and the Regulation. Article 40 of the Regulation allows the personal data holder to file a complaint to the competent administration about any violation of the provisions of the PDPL or the Regulation within a period not exceeding 30 days from the date of being aware of the violation. The competent administration must decide on the complaint within 60 days from the day following the submission of the complaint. According to this chapter, the Minister of the MTCIT is authorized to impose administrative sanctions in case of violation of the provisions of the Regulation. These sanctions include warning, suspension of the permit, and administrative fines up to OMR 2000 per violation. The chapter also allows the violator to appeal the administrative decisions to the Minister of the MTCIT within 60 days of being notified, and the Minister to decide on the appeal within 30 days of receiving it, otherwise the appeal is considered rejected.

How can we help:

As specialists in data privacy, our Digital & Data (Tech | Media | Telecoms) practice team is adept at assisting clients and organizations in adhering to data privacy regulations. With a diverse and engaging practice, we handle a wide range of data protection challenges in the region, offering comprehensive legal services throughout the Middle East, including Oman. If you require assistance or further details regarding the Oman PDPL and its Regulation, please feel free to reach out to us at your convenience.