Data privacy issues in Oman - the new Personal Data Protection Law

In light of the Sultan’s National Day speech, and in response to a rapidly evolving digital landscape and the increasing risks that accompany it, a necessary step for the Sultanate was the introduction of comprehensive personal data protection legislation to govern the use of personal data.

On 9 February 2022, Sultani Decree No. 6/2022 on Personal Data Protection (PDPL) was issued. It comes into force on 13 February 2023, approximately one year after its issue.

Any statutory provisions that conflict with the PDPL, including Chapter 7 of Sultani Decree No. 69/2008 issuing the Oman Electronic Transactions Law, are repealed.  Some of the finer details will be set out in Executive Regulations, which are expected to be published some months after the PDPL comes into force.

The current crisis has opened an opportunity for national energies to contribute to solutions, and has accelerated the pace of the government and the private sector’s digital transformation.

Application of the PDPL

The PDPL applies to Personal Data processed in Oman, except in the circumstances set out in Article 3 of the PDPL.

Personal Data & Personal Data Subject

Personal Data means “the data that identifies a natural person or makes a natural person identifiable, directly or indirectly, by reference to identifiers such as name, ID number, electronic identifier data or address related data or factors such as genetic, physical, mental, physiological, social, cultural or economic identity”.

Personal Data Subject means “the natural person who can be identified using the personal data”.

Restrictions in Processing Personal Data

Generally, it is prohibited to process Personal Data without the express written consent of the Personal Data Subject.  Further, Personal Data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs, and criminal convictions or security measures must not be processed without the prior permission of the Ministry of Transport, Communications and Information Technology (MTCIT), the authority responsible for enforcing the PDPL.

Obligations of Controllers/Processors

Prior to processing Personal Data, the person in possession of that data (the “Controller”) is required to notify the Personal Data Subject in writing of: the contact details of the Controller and of any person processing the data on the Controller’s behalf (the “Processor”); the purpose of the processing; a description of the data processing procedures; and the rights available to the Personal Data Subject in respect of the Personal Data.

Controllers will be required to appoint a Data Protection Officer in accordance with the Executive Regulations.

Article 10 of the PDPL provides that:

No Personal Data may be processed unless transparency, honesty and respect for human dignity are observed, and subject to the Personal Data Subject’s express prior consent.

The burden is on the Controller to prove that the Personal Data Subject gave written consent to the data processing.

Under Article 13 of the PDPL, the Controller is also responsible for establishing the controls and procedures required during data processing. These must comply fully with the provisions of the PDPL, with the controls and procedures specified in the Executive Regulations, and with any code of conduct subsequently issued by MTCIT.

Personal Data Transfer

Controllers may transfer Personal Data outside Oman in accordance with the Executive Regulations. It is prohibited to transfer Personal Data that has been processed in violation of the PDPL, or to make a transfer that would cause harm to the Personal Data Subject.

Breach Notification

Controllers must notify MTCIT and the Personal Data Subject of any breach of the Personal Data Subject’s Personal Data that may lead to its destruction, alteration or disclosure, or to unauthorised access to or processing of it. Detailed notification requirements (including timing and content) will be set out in the Executive Regulations.

Penalties for non-compliance

The PDPL sets out a range of fines, the most substantial being a maximum of OMR 500,000 (approx. US$1.3 million) for breach of the provisions relating to data transfers.

Controllers and Processors of Personal Data processed in Oman have one year from the PDPL’s issue in which to put effective, compliant procedures and personnel in place, so as not to fall foul of its provisions and the significant penalties it imposes.

Kennedys’ Cyber Breach & Data Privacy team in Oman and across Kennedys’ worldwide network has extensive knowledge and experience in this area, enabling us to provide regulatory, commercial and practical advice, assistance and representation to our clients. For further information, or to find out more about our cyber breach and data privacy services and expertise, please contact Amal Al Raisi or Kelsey Evans, or visit our cyber risks webpage.