New Omani Personal Data Protection Law Comes into Force

On 13 February 2023, Royal Decree No. 6 of 2022 on Personal Data Protection Law (the “PDPL”) of the Sultanate of Oman entered into force, a year after its publication in the Official Gazette No. 1429, on 13 February 2022. The PDPL comes into effect by repealing Chapter 7 of the Electronic Transaction Law issued by Royal Decree No. 69 of 2008 and provides a more robust data protection regime and core privacy principles to align Oman’s data protection landscape with global data protection laws.

The Ministry of Transport, Communications, and Information Technology (“MTCIT”) will be the responsible data protection regulatory authority and shall issue the Executive Regulation of the Oman PDPL and shall also issue the necessary decisions for implementing its provisions which will give additional details on how to operationalize the Oman PDPL. There is no indication when the Executive Regulation will be issued and until the Executive Regulation is issued there will be implications in terms of the effectiveness and enforceability of the Oman PDPL. The MTCIT role will complement, but not conflict with that of the Cyber Defence Centre, which is responsible for cybersecurity matters, separate from data protection privacy matters.

Key Provisions:

Application and Scope: 

The provisions of the Oman PDPL shall apply to personal data being processed. It applies to any data that makes a natural person directly or indirectly identifiable, by reference to one or more identifiers, such as name, civil number, electronic identifiers data, or by reference to one or more factors related to genetic, physical, mental, psychological, social, cultural, or economic identity. Additionally, it applies to any genetic, health, and biometric data being processed. There are specific exceptions to the application of the Oman PDPL, including where the processing of personal data is in the interest of national security or public interest; where it is required to implement apparatus of the state and public legal persons; where processing is required to implement a legal obligation imposed on the controller; where processing is necessary to protect the economic and financial interests of the state; where it is necessary to prevent a crime; where processing is necessary to protect the vital interest of the data subject; where processing is necessary for the execution of an existing contract to which the data subject is a party; where it is necessary for the purposes of historical, statistical, scientific, literary, or economic research by entities authorised to carry out such works if the processing is in a personal or family context and where the data is available to the public and in a manner that does not violate the provisions of the Oman PDPL.

Consent of the Data Subject: 

Consent is the primary lawful basis or legal basis for processing personal data under the Oman PDPL. Article 10 of the Oman PDPL poses an outright ban on processing personal data unless the controller has obtained the data subject’s express consent and can provide proof of the written consent. The requests for consent to processing personal data shall be written in a clear, explicit, and understandable manner. Unlike other data protection laws, there is no alternative legal basis for processing than consent. However, there are certain “exceptions” to the scope of application of the Oman PDPL, as discussed above. If the processing falls within one or more of these exceptions, then consent is not required and consequently, the remainder of the Oman PDPL does not apply to the exceptions.

Principles of Data Protection: 

It is not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject.

Sensitive Data Processing:

A key derogation from core international data protection principles is that there is no definition of “Sensitive Personal Data” or “Special Categories of Personal Data” (as found in other laws), and further there are no “conditions” or specific safeguards for processing such data. Instead, the Oman PDPL poses an outright, complete ban on processing personal data relating to genetic data, biometric data, health data, racial origin, sexual life, political or religious opinions, philosophical beliefs, criminal convictions, or those relating to security measures, except and unless after obtaining a permit for such processing from the MTCIT, in accordance with the controls and procedures specified by the Executive Regulation.

Children’s Data: 

The Oman PDPL prohibits processing the personal data of a child except with the approval of his or her guardian, such processing shall be based on the best interest of the child in accordance with the controls and procedures determined by the Executive Regulation. This provision is in line with international data protection best practices and reflects the special protection granted to children as vulnerable data subjects.

Data Subject Rights: 

The Oman PDPL grants the data subject-specific rights. Such rights include the right to revoke consent to the processing of their personal data (without prejudice to any processing which took place before such withdrawal), the right to rectify, update, erase, or block personal data, the right to obtain a copy of their processed personal data, the right to be notified of a breach, the right to complain to the MTCIT and the right to data portability. The Executive Regulation is expected to shed further light and details on the controls and procedures for the exercise of these rights.

Breach of Personal Data: 

The controller shall, in the event of a personal data breach that leads to its destruction, alteration, disclosure, access, or processing in an illegal manner, notify the MTCIT and the data subject of the breach, in accordance with the controls and procedures determined by the Executive Regulation and failure to do so is punishable by a fine of no less than OMR 15,000 and not more than OMR 20,000.

Obligation of the Controller and the Processor:

The controllers have certain core duties under the Oman PDPL, which include assessing the impact and risk that the data subjects will be exposed to as a result of the processing, implementing appropriate procedures and controls for data transfers, and ensuring that appropriate technical and procedural measures are in place to allow adherence to the Oman PDPL. Other than the obligation to obtain the necessary consent from the data subject to process their personal data, the controller shall ensure the confidentiality of personal data and shall not publish, transmit or advertise it without the prior consent of the data subject and in the manner determined by the Executive Regulation. A violation of this provision of the Oman PDPL is punishable by a fine of no less than OMR 1,000 and not more than OMR 5,000.

The controller shall provide the data subject with certain information before beginning the processing of any personal data, such as the main details of the controller and processor; the contact details of the Personal Data Protection Officer (DPO); the purpose of processing personal data and the source from which it was collected; the rights of data subjects; a description of the processing and the procedures in place; and any other information that may be necessary to fulfill the processing conditions.

Data Retention: 

The controller and processor shall keep the documents of the data processing operations in accordance with the data retention period determined by the Executive Regulations. A violation of the data retention obligation will be punishable by a fine of no less than OMR 1,000 and not more than OMR 5,000.

Data Transfer: 

Without prejudice to the competencies prescribed to the Cyber Defence Centre, the controller may transfer personal data and permit its transfer outside the borders of the Sultanate of Oman, in accordance with the controls and procedures determined by the Executive Regulation.

The Oman PDPL prohibits transferring personal data which has been processed in violation of its provisions or if the transfer would cause harm to the data subject.

A violation of these provisions of the Oman PDPL is punishable by a fine of no less than OMR 100,000 and not more than OMR 500,000.

Appointment of a DPO: 

The controller shall identify a personal data protection officer (DPO), and the Executive Regulation shall determine the controls for selecting this officer and his duties.

How can we help?

As experts in data privacy, our Digital & Data (Tech | Media | Telecoms) practice team are well-positioned to support clients and organisations with their need to comply with data privacy laws. Our team enjoys a varied and interesting practice that deals with uniquely different data protection issues in the region and provides a comprehensive range of legal services across the Middle East including Oman. If there is anything that we can help you with or upon which you would like more information on the Oman PDPL, please do not hesitate to contact us.