Access Alert | The New Personal Data Protection Law of Oman

Access Alert | The New Personal Data Protection Law of Oman

Oman recently issued Sultani Decree No. 6/2022 on Personal Data Protection (PDPL).  Organisations operating in the Sultanate or those processing data of Omani residents have one year to comply with the new regulations.

Any statutory provisions which conflict with the PDPL, including Chapter 7 of Sultani Decree No. 69/2008 issuing the Oman Electronic Transactions Law, have been revoked.  The finer details will be confirmed in the Executive Regulations within a few months of the PDLP’s enforcement date. These are likely to be published by the Ministry of Transport, Communications and Information Technology (“MTCIT”), the supervisory authority for the law’s application.

Businesses should note the following important requirements set out in the PDPL:

Consent: It is prohibited to process personal data without express written consent from the personal data subject.  Further, personal data relating to genetics, health, ethnicity, sexuality, political or religious opinions or beliefs and criminal convictions or security measures must not be processed without prior permission from the MTCIT.

Obligations of Controllers/Processors: Prior to processing personal data, any person in possession of such data (referred to as a “Controller”), is required to notify the personal data subject in writing with the following information: the contact details of the Controller; the contact details of the person processing the data on behalf of the Controller (the “Processor”); the purpose of processing the personal data; a description of the data processing procedures; and the rights available to the personal data subject.

Personal Data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers. This includes a person’s name, civil number, electronic identifiers, or factors specific to a person’s genetic, physical, mental, psychological, social, cultural, or economic identity.

Personal Data Transfer: Controllers may transfer personal data outside Oman in accordance with the Executive Regulations. It is prohibited to transfer personal data processed in violation of the PDPL or when the transfer would cause harm to the Personal Data Subject.

Breach Notification: Controllers must notify the MTCIT and the Personal Data Subject in the event of a breach of the personal data subject’s personal data that may lead to destruction, alteration, disclosure, or unauthorised access or processing of the personal data. Detailed notification requirements will be set out in the Executive Regulations.

Penalties for non-compliance: There are various fines detailed in the PDPL, the most substantial being a maximum of OMR 500,000 (approx. USD 1.3million) in the case of data transfer breaches.

Similar to the recently introduced legislation in Saudi Arabia and the United Arab Emirates, there is no express acknowledgment of a controller’s “legitimate interests” as a basis for the processing of personal data. This is often relied upon by companies as the legal justification for processing under legislation such as the EU General Data Protection regulation (GDPR).

All businesses operating in Oman or processing the data of Omani residents should start assessing their activities and security systems in preparation for the law’s implementation. Corporate policies and procedures must align with the PDPL, and internal staff must be trained on the core principles and obligations of the Law.

Access Partnership is closely monitoring all developments regarding Data Protection in the Middle East. For more information regarding this matter please contact Nada Ihab at nada.ihab@accesspartnership.com or Hussein Abul-Enein at hussein.abul-enein@accesspartnership.com.

Subscribe to our news alerts here.

Related Articles

Brazil and the Future of Democracy in the Age of Disinformation

Brazil and the Future of Democracy in the Age of Disinformation

Fake news is far from new. That said, digital tools such as social media and online bots have changed the...

25 Jan 2023 Opinion
GDPR: Is it still fit for purpose? 

GDPR: Is it still fit for purpose? 

The EU’s landmark General Data Protection Regulation (GDPR) has fundamentally changed how personal privacy is respected and protected. However, cracks...

25 Jan 2023 Opinion
Access Alert | Environmental Footprint and Data Collection by ARCEP

Access Alert | Environmental Footprint and Data Collection by ARCEP

The impact of the deployment of electronic communications networks, mass production of terminals, operation of data centres, and ever-expanding data...

23 Jan 2023 Opinion
Access Alert | The International Telecommunication Union Focuses on Metaverse 

Access Alert | The International Telecommunication Union Focuses on Metaverse 

The International Telecommunication Union’s Standardization Sector (ITU-T) has established a new Focus Group that will take the first steps towards...

20 Jan 2023 Metaverse Policy Lab