Access Alert | The New Personal Data Protection Law of Oman

Access Alert | The New Personal Data Protection Law of Oman

Oman recently issued Sultani Decree No. 6/2022 on Personal Data Protection (PDPL).  Organisations operating in the Sultanate or those processing data of Omani residents have one year to comply with the new regulations.

Any statutory provisions which conflict with the PDPL, including Chapter 7 of Sultani Decree No. 69/2008 issuing the Oman Electronic Transactions Law, have been revoked.  The finer details will be confirmed in the Executive Regulations within a few months of the PDLP’s enforcement date. These are likely to be published by the Ministry of Transport, Communications and Information Technology (“MTCIT”), the supervisory authority for the law’s application.

Businesses should note the following important requirements set out in the PDPL:

Consent: It is prohibited to process personal data without express written consent from the personal data subject.  Further, personal data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs and criminal convictions or security measures must not be processed without prior permission from the MTCIT.

Obligations of Controllers/Processors: Prior to processing personal data, any person in possession of such data (referred to as a “Controller”), is required to notify the personal data subject in writing with the following information: the contact details of the Controller; the contact details of the person processing the data on behalf of the Controller (the “Processor”); the purpose of processing the personal data; a description of the data processing procedures; and the rights available to the personal data subject.

Personal Data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers. This includes a person’s name, civil number, electronic identifiers, or factors specific to a person’s genetic, physical, mental, psychological, social, cultural, or economic identity.

Personal Data Transfer: Controllers may transfer personal data outside Oman in accordance with the Executive Regulations. It is prohibited to transfer personal data processed in violation of the PDPL or when the transfer would cause harm to the Personal Data Subject.

Breach Notification: Controllers must notify the MTCIT and the Personal Data Subject in the event of a breach of the personal data subject’s personal data that may lead to destruction, alteration, disclosure, or unauthorised access or processing of the personal data. Detailed notification requirements will be set out in the Executive Regulations.

Penalties for non-compliance: There are various fines detailed in the PDPL, the most substantial being a maximum of OMR 500,000 (approx. USD 1.3million) in the case of data transfer breaches.

Similar to the recently introduced legislation in Saudi Arabia and the United Arab Emirates, there is no express acknowledgment of a controller’s “legitimate interests” as a basis for the processing of personal data. This is often relied upon by companies as the legal justification for processing under legislation such as the EU General Data Protection regulation (GDPR).

All businesses operating in Oman or processing the data of Omani residents should start assessing their activities and security systems in preparation for the law’s implementation. Corporate policies and procedures must align with the PDPL, and internal staff must be trained on the core principles and obligations of the Law.

Access Partnership is closely monitoring all developments regarding Data Protection in the Middle East. For more information regarding this matter please contact Nada Ihab at [email protected] or Hussein Abul-Enein at [email protected].

Subscribe to our news alerts here.

Related Articles

The Saturation Point: Charting the Limits of Artificial Intelligence

The Saturation Point: Charting the Limits of Artificial Intelligence

It is postulated that AI’s rapid growth is constrained by its massive energy consumption. Training large models like GPT-3 can...

3 Jul 2025 Opinion
A New Horizon for Telecommunications in Mexico: The Telco Reform

A New Horizon for Telecommunications in Mexico: The Telco Reform

The Senate approved the new Telecommunications Law, as well as the reforms to the Federal Economic Competition Law, during an...

2 Jul 2025 Opinion
Access Alert: Takeaways from ITU Council Meeting 2025

Access Alert: Takeaways from ITU Council Meeting 2025

2025 marks the 160th anniversary of the International Telecommunications Union (ITU), the United Nations body responsible for coordinating global telecommunication...

2 Jul 2025 Opinion
Access Alert: Pioneering Pakistan’s Space Future: PSARB and Access Partnership Host High-Level Week of Engagements in Islamabad

Access Alert: Pioneering Pakistan’s Space Future: PSARB and Access Partnership Host High-Level Week of Engagements in Islamabad

Last week, the Pakistan Space Activities Regulatory Board (PSARB), together with Access Partnership in its role as appointed consultant, organised...

30 Jun 2025 Opinion