Access Alert | The New Personal Data Protection Law of Oman

Access Alert | The New Personal Data Protection Law of Oman

Oman recently issued Sultani Decree No. 6/2022 on Personal Data Protection (PDPL).  Organisations operating in the Sultanate or those processing data of Omani residents have one year to comply with the new regulations.

Any statutory provisions which conflict with the PDPL, including Chapter 7 of Sultani Decree No. 69/2008 issuing the Oman Electronic Transactions Law, have been revoked.  The finer details will be confirmed in the Executive Regulations within a few months of the PDLP’s enforcement date. These are likely to be published by the Ministry of Transport, Communications and Information Technology (“MTCIT”), the supervisory authority for the law’s application.

Businesses should note the following important requirements set out in the PDPL:

Consent: It is prohibited to process personal data without express written consent from the personal data subject.  Further, personal data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs and criminal convictions or security measures must not be processed without prior permission from the MTCIT.

Obligations of Controllers/Processors: Prior to processing personal data, any person in possession of such data (referred to as a “Controller”), is required to notify the personal data subject in writing with the following information: the contact details of the Controller; the contact details of the person processing the data on behalf of the Controller (the “Processor”); the purpose of processing the personal data; a description of the data processing procedures; and the rights available to the personal data subject.

Personal Data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers. This includes a person’s name, civil number, electronic identifiers, or factors specific to a person’s genetic, physical, mental, psychological, social, cultural, or economic identity.

Personal Data Transfer: Controllers may transfer personal data outside Oman in accordance with the Executive Regulations. It is prohibited to transfer personal data processed in violation of the PDPL or when the transfer would cause harm to the Personal Data Subject.

Breach Notification: Controllers must notify the MTCIT and the Personal Data Subject in the event of a breach of the personal data subject’s personal data that may lead to destruction, alteration, disclosure, or unauthorised access or processing of the personal data. Detailed notification requirements will be set out in the Executive Regulations.

Penalties for non-compliance: There are various fines detailed in the PDPL, the most substantial being a maximum of OMR 500,000 (approx. USD 1.3million) in the case of data transfer breaches.

Similar to the recently introduced legislation in Saudi Arabia and the United Arab Emirates, there is no express acknowledgment of a controller’s “legitimate interests” as a basis for the processing of personal data. This is often relied upon by companies as the legal justification for processing under legislation such as the EU General Data Protection regulation (GDPR).

All businesses operating in Oman or processing the data of Omani residents should start assessing their activities and security systems in preparation for the law’s implementation. Corporate policies and procedures must align with the PDPL, and internal staff must be trained on the core principles and obligations of the Law.

Access Partnership is closely monitoring all developments regarding Data Protection in the Middle East. For more information regarding this matter please contact Nada Ihab at nada.ihab@accesspartnership.com or Hussein Abul-Enein at hussein.abul-enein@accesspartnership.com.

Subscribe to our news alerts here.

Related Articles

Access Alert | South African government intends to forge ahead with the National Cloud and Data Policy

Access Alert | South African government intends to forge ahead with the National Cloud and Data Policy

The South African government is resuscitating its consultation process on the National Cloud and Data Policy, for which a draft...

2 Jun 2023 Opinion
Charting a Path Forward: The US Government’s Quest to Regulate Artificial Intelligence in 2023

Charting a Path Forward: The US Government’s Quest to Regulate Artificial Intelligence in 2023

In the first half of 2023 alone, advancements in Artificial Intelligence (AI) and its increased prevalence in people’s daily lives...

2 Jun 2023 AI Policy Lab
How the Digital Divide Affects the LGBTQ+ Community

How the Digital Divide Affects the LGBTQ+ Community

Around the world, a broad spectrum of advocacy groups, think tanks, and international fora have increasingly called for the need...

1 Jun 2023 Opinion
Independent Thinkers on Digital | The Evolution of IoT

Independent Thinkers on Digital | The Evolution of IoT

IoT with Matt Hatton of Transforma Insights Matt and William wrote a book together in 2020 called “The IoT Myth”...

1 Jun 2023 Multimedia