Oman recently issued Sultani Decree No. 6/2022 on Personal Data Protection (PDPL). Organisations operating in the Sultanate or those processing data of Omani residents have one year to comply with the new regulations.
Any statutory provisions which conflict with the PDPL, including Chapter 7 of Sultani Decree No. 69/2008 issuing the Oman Electronic Transactions Law, have been revoked. The finer details will be confirmed in the Executive Regulations within a few months of the PDLP’s enforcement date. These are likely to be published by the Ministry of Transport, Communications and Information Technology (“MTCIT”), the supervisory authority for the law’s application.
Businesses should note the following important requirements set out in the PDPL:
Consent: It is prohibited to process personal data without express written consent from the personal data subject. Further, personal data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs and criminal convictions or security measures must not be processed without prior permission from the MTCIT.
Obligations of Controllers/Processors: Prior to processing personal data, any person in possession of such data (referred to as a “Controller”), is required to notify the personal data subject in writing with the following information: the contact details of the Controller; the contact details of the person processing the data on behalf of the Controller (the “Processor”); the purpose of processing the personal data; a description of the data processing procedures; and the rights available to the personal data subject.
Personal Data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers. This includes a person’s name, civil number, electronic identifiers, or factors specific to a person’s genetic, physical, mental, psychological, social, cultural, or economic identity.
Personal Data Transfer: Controllers may transfer personal data outside Oman in accordance with the Executive Regulations. It is prohibited to transfer personal data processed in violation of the PDPL or when the transfer would cause harm to the Personal Data Subject.
Breach Notification: Controllers must notify the MTCIT and the Personal Data Subject in the event of a breach of the personal data subject’s personal data that may lead to destruction, alteration, disclosure, or unauthorised access or processing of the personal data. Detailed notification requirements will be set out in the Executive Regulations.
Penalties for non-compliance: There are various fines detailed in the PDPL, the most substantial being a maximum of OMR 500,000 (approx. USD 1.3million) in the case of data transfer breaches.
Similar to the recently introduced legislation in Saudi Arabia and the United Arab Emirates, there is no express acknowledgment of a controller’s “legitimate interests” as a basis for the processing of personal data. This is often relied upon by companies as the legal justification for processing under legislation such as the EU General Data Protection regulation (GDPR).
All businesses operating in Oman or processing the data of Omani residents should start assessing their activities and security systems in preparation for the law’s implementation. Corporate policies and procedures must align with the PDPL, and internal staff must be trained on the core principles and obligations of the Law.
Access Partnership is closely monitoring all developments regarding Data Protection in the Middle East. For more information regarding this matter please contact Nada Ihab at nada.ihab@accesspartnership.com or Hussein Abul-Enein at hussein.abul-enein@accesspartnership.com.
Subscribe to our news alerts here.
