
Oman: Executive Regulations of the PDPL - an overview

In this Insight article, Nick O'Connell and Fatma Al Zadjali, from Al Tamimi & Company, delve into Oman's recent strides in data protection, highlighting the significance of the newly revealed Executive Regulation (the Regulation) of the Omani Personal Data Protection Law (PDPL).


The Ministry of Transport, Communication and Information Technology (MTCIT) has revealed the long-awaited Regulation of the Omani PDPL. This development marks a crucial step forward in the country's commitment to safeguarding individual privacy and promoting responsible data handling practices. The Regulation was published in this week’s Official Gazette 1531 dated February 4, 2024, and shall be effective from the day following the date of its publication.

The Legal Framework: Oman's PDPL and associated Regulation

The Oman PDPL was issued on February 9, 2022, and comprises 32 Articles, which include data protection principles designed to align the country's legislative framework more closely with international data protection laws. Additionally, the Oman PDPL stipulated that the Minister of MTCIT will issue the executive regulations to supplement the PDPL as well as the necessary decisions required for its implementation and enforcement. The new Regulation issued consists of 9 Chapters and 45 Articles, which aim to regulate the processing, protection, and transfer of personal data in Oman. Below are the main provisions of the Regulation.

Key provisions

Permit procedures

Chapter 2 of the Regulation outlines the procedures for obtaining a permit from the MTCIT before processing any personal data, as stipulated in Article 5 of the PDPL. Articles 5, 6, 7, 8, 9, and 10 of the Regulation specify the required documents, fees, duration, and renewal of the permit, as well as the conditions for its cancellation. As per the Regulation, the controller applying for a permit from the MTCIT to process personal data must submit a form that includes the following information: the name, address, and email of the data protection officer; the purpose of processing the personal data; the identification and classification of the personal data to be processed; the processor contracted to process the personal data (if any); the entities or third parties to whom the personal data will be disclosed; the locations where the personal data will be transferred or stored; the systems for managing and protecting the personal data; and any other information requested by the MTCIT. The MTCIT must study the permit application and decide on it within a period not exceeding 45 days from the date of completing the required information and documents, and the decision must be justified in case of rejection. The permit will be issued by the Minister of MTCIT and will be valid for five years, renewable for a similar period.

Processing of children's personal data

The Regulation stipulates the following conditions and obligations for the controller or the processor, as the case may be, when processing the personal data of a child:

  • the controller or the processor must obtain the explicit consent of the child's parent or guardian before processing the child's personal data;
  • the controller or the processor must comply with the following controls when processing the child's personal data:
    • the purpose of the processing must be clear, direct, safe, and free of deception or misrepresentation;
    • the processing must be limited to the minimum data necessary to achieve the specified purpose; and
    • the controller or the processor must provide the means for the child's parent or guardian to access, update, and modify the child's personal data; and
  • the controller or the processor may not disclose the child's personal data or share it with others, except after obtaining the explicit consent of the child's parent or guardian for that purpose.

Personal data subject rights

Chapter 4 of the Regulation outlines the rights of the personal data holder, clarifying that a personal data holder has the right to exercise any of the rights stated in Article 11 of the PDPL, such as the right to access, correct, delete, transfer, object, or withdraw consent to the processing of their personal data. According to the Regulation, the personal data holder may exercise any of these rights by submitting a written request to the data controller, and the data controller is obligated to respond to such a request within 45 days. The chapter also sets the grounds for the controller to reject such requests. As per the Regulation, the controller may reject the personal data holder's request in the following cases:

  • fulfillment of a legal obligation imposed on the controller under any law, court judgment, or ruling; and
  • a dispute between the controller and the personal data subject.

Controller and processor obligations

The Regulation sets a number of responsibilities that the controller and processor are obliged to follow while processing personal data. The obligations imposed on the controller and processor as per the Regulation are as follows:

  • establish a policy for the protection of personal data that is accessible to the personal data holder before processing their data. The policy must include the mechanism and procedures for the personal data holder to exercise their rights under the PDPL and the Regulation;
  • before sending any advertising, marketing, or commercial material to the personal data subject, the controller shall obtain the written consent of the personal data subject, inform the personal data subject of the means of sending advertising, marketing, or commercial materials, determine the mechanism for suspension of the receipt of advertising, marketing, or commercial materials and suspend sending advertising, marketing, or commercial materials immediately upon receiving a suspension request from the personal data subject without compensation;
  • appoint an external auditor that is licensed before the MTCIT and provide the Competent Administrative Division at the MTCIT with a copy of the external auditor report within a period not exceeding 60 days from the date of appointing the external auditor;
  • not publish, share, or disclose the personal data stipulated in Article 5 of the PDPL except within the limits and cases stipulated by PDPL, or if it is in implementation of a court judgment or ruling;
  • retain documents of the processing operations, considering that the reason for keeping processing documents shall be specific and lawful, that the retention period shall be determined according to the processing purpose, and that technical protection systems shall be provided for the safe preservation of processing documents;
  • notify the competent authority and the personal data holder of any data breach;
  • maintain records of processing activities that should be updated continuously; and
  • ensure the confidentiality and security of the data.

Data breach notification

Article 30 of the Regulation imposes an obligation on the data controller to notify the competent administration and the personal data holder of any data breach that poses a serious or high risk to the personal data holder’s rights within 72 hours of becoming aware of it, and the data controller should describe the nature, impact, and remedial measures of the breach. The Regulation also provides that the data controller will have to maintain a record of the data breach cases, explaining their causes, consequences of their occurrence, and the corrective measures that have been taken.

Appointment of a DPO

The responsibilities of the data protection officer (DPO), appointed by either the controller or processor, are outlined in the PDPL and the Regulation. As per the Regulation, the controller shall appoint a qualified DPO who is familiar with the PDPL and the Regulation, is professionally competent, and is capable of dealing regularly and correctly with all issues related to personal data protection. Article 35 of the Regulation sets the following tasks that a data protection officer shall undertake:

  • submission of proposals and consultations to the controller or the processor regarding their obligations stipulated in the PDPL and the Regulation;
  • follow up on the implementation of the controller or the processor policies related to personal data protection;
  • follow up on the controller or the processor implementation of their obligations stipulated in the PDPL and the Regulation; and
  • coordination with the Competent Administrative Division at the MTCIT on issues related to personal data processing.

Furthermore, the controller is mandated to disclose information about the DPO and allow personal data holders to contact them regarding their data processing concerns.

Transferring personal data outside Oman

Chapter 8 of the Regulation governs the transfer of personal data outside the borders of Oman. Article 23 of the PDPL states that a controller may transfer personal data and allow its transfer outside the borders of Oman in accordance with the controls and procedures specified by the regulations. The new Regulation issued by the MTCIT now makes it clear that the explicit consent of the personal data holder is required before a controller transfers personal data outside the borders of Oman, unless the transfer is in accordance with an international obligation under an international agreement to which Oman is a party, or the transfer is carried out in a way that does not reveal the identity of the personal data holder. The chapter also requires the data controller to ensure that the foreign entity receiving the data provides a level of protection not less than the level of protection specified in the PDPL and the Regulation.

Complaints and penalties

Article 40 of the Regulation grants individuals the right to file a complaint with the competent authority regarding any breach of the PDPL or Regulation within a period not exceeding 30 days from the date of being aware of the violation. The competent authority is required to resolve the complaint within 60 days of its submission. Additionally, the Minister of the MTCIT is empowered to impose administrative penalties for violations, such as warnings, permit suspensions, and fines of up to OMR 2000 (approx. $5,000) per infringement. The Regulation also allows the violator to appeal the administrative decisions to the Minister of the MTCIT within 60 days of notification, while the Minister is required to render a decision within 30 days upon receipt of the appeal, failing which the appeal is deemed rejected.

Nick O'Connell, Partner
Fatma Al Zadjali, Associate
Al Tamimi & Company, Oman