
The New Data Protection Law to Come into Play in The Sultanate of Oman.


Lukshila Akshini | 14 September 2022

With its Personal Data Protection Law (PDPL), Oman has become the newest nation in the Middle East to adopt national privacy legislation. The Personal Data Protection Law was officially enacted in February 2022 by Royal Decree 6/2022. It is expected to become effective in 2023, since the law does not take effect until a year after it was issued; that year is the transition period. A subsequent executive regulation from the Minister of Transportation, Communications and Information Technology will complete it. While Oman’s Personal Data Protection Law contains provisions that are common to most other data protection laws worldwide, it does offer an intriguing perspective on residents’ rights to data privacy. Anyone who looks at this new law for the first time will probably remark on how broad it seems in some circumstances. This is primarily because additional executive regulations to enhance the law are anticipated to be published prior to its implementation.

Chapter seven of the Electronic Transactions Law, which established a few restricted requirements relating to the protection of private data in the context of electronic transactions, would be repealed and replaced by the Personal Data Protection Law. The new law contains a more thorough set of regulations that, unless an exempt circumstance applies, will be applied to all fields.

The law is interpreted to apply to any information that can be used directly or indirectly to identify a natural person by reference to one or more identifiers, such as:

  • A name
  • Civil Identification number
  • Electronic identifier
  • Reference to one or more aspects of a person’s physical, mental, genetic, or psychological identity
  • Reference to cultural, social and economic identity

The following situations are exempt from the provisions of the Personal Data Protection Law:

  • Information pertaining to issues of relevance to national security
  • Information about the state’s financial and economic interests
  • Information pertaining to the country’s key interests and internal affairs
  • Information pertaining to the person’s (the data subject’s) essential interests
  • Information formally requested by the investigating entities for the purpose of criminal detection or deterrence
  • Information pertaining to the performance of a contract to which the data subject is the party
  • Information that is processed in a private or familial setting
  • Information used by competent authorities for historical, statistical, scientific, literary or economic research that does not link it to a specific natural person
  • Data that is open to the public and does not violate the terms of this law

Many components of the data protection law are in line with other contemporary data protection laws, with certain differences. Several important aspects include:

  1. Notification

    Before processing any personal data, the data controller, who chooses the reason and means for doing so, must notify the data subject and include certain mandatory information, such as the reason for processing their data, the identity of the controller and processor, the rights of the data subject, and the extent of disclosure of that data.

  2. Consent

    One of the essential characteristics of the data protection law is that, except in cases where one of the aforementioned excluded categories applies, personal data may only be processed within a framework of transparency, honesty and respect for human dignity, and only after having obtained the express written consent of the data subject. The data protection law also stipulates that delivering advertisements and marketing materials to such data subjects requires their express written consent.

  3. Rights of Data Subjects

    The data protection law gives data subjects a number of rights. These include the right to transfer their personal data to another controller, the right to have their personal data erased, the right to receive a copy of the personal data that has been processed about them, the right to withdraw their consent, the right to amend, update, or block their personal data, and the right to be informed if there has been any breach or infringement of their personal data.

  4. Personal Sensitive Data

    It is generally prohibited to process personal “sensitive” data, such as genetic and biometric data, health information, information pertaining to ethnic origin, sexual orientation, sex life, political and religious beliefs, criminal convictions or security measures, without express approval. Processing of a child’s personal information is not allowed unless it is necessary for the child’s best interests.

  5. Obligations of the Data Controller and the Data Processor

    The data protection law mandates that the controllers (and not the processors) designate a data protection officer, keep records and put controls and processes in place to protect personal data. In order to ensure that they are complying with the Data Protection Law, controllers and processors may be compelled to appoint external auditors.

  6. International Transfers

    The data protection law permits the transfer of personal data outside of Oman, but only in line with controls and measures stipulated in the regulations. No transfer, nevertheless, may occur if it would be detrimental to the data subject.

  7. Notification of Breach

    The controller is expected to notify the Ministry and data subjects in accordance with the procedures and mechanisms that will be outlined in the regulations if a personal data breach results in destruction, alteration, disclosure, access, or illegal processing.

If data subjects perceive or consider that the processing of their personal data is not in line with the data protection law, they have the right to make a complaint to the Ministry. Furthermore, if it suspects a violation of the data protection law, the Ministry may take any additional steps it considers appropriate to protect personal data, including ordering the correction and deletion of personal data, suspending processing, preventing the transfer of personal data, and so forth.

The data protection law specifies different penalties for specific offences. The steepest fine is up to OMR 500,000 for the unauthorized export of personal data from Oman. Liability is not limited to corporate liability; several other types of liability apply.

