Oman - Data Protection Overview

April 2024

1. Governing Texts

Until recently, the protection of personal data in Oman was not subject to a comprehensive legislative text, and the matter was mainly addressed in the digital context under Chapter 7 of Royal Decree No. 69/2008 promulgating the Electronic Transactions Law ('the Electronic Transactions Law'). The country's personal data protection framework changed considerably with the enactment of Royal Decree 6/2022 promulgating the Personal Data Protection Law (only available in Arabic here) ('Oman PDPL').

1.1. Key acts, regulations, directives, bills

The Oman PDPL was issued on February 9, 2022, and is now considered effective and in force as of February 13, 2023. It repeals Chapter 7 of the Electronic Transactions Law and introduces much more robust privacy provisions as well as core privacy law principles, with a view to aligning Oman's data protection landscape with global best practice enshrined in laws such as the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

1.2. Guidelines

The provisions of the Oman PDPL have been clarified and supplemented by the Executive Regulations ('the Regulations') (only available in Arabic here), which were issued on January 28, 2024. Additionally, decisions issued by the Minister of Transport, Communications, and Information Technology ('the Minister') serve to complement the Oman PDPL and the Regulations. With the issuance of the Regulations, there is now a clearer framework for the application of the Oman PDPL.

1.3. Case law

Since the Oman PDPL was only recently adopted, there has been no case law on its implementation. It is expected that the courts will hear cases regarding the Oman PDPL after the end of the transition period.

2. Scope of Application

2.1. Personal scope

The provisions of the Oman PDPL apply to personal data that is processed. As such, it applies to the data of natural persons.

2.2. Territorial scope

The territorial scope of the Oman PDPL is not expressly determined by its provisions. However, it is expected that the Oman PDPL will apply to data subjects, controllers, and processors located within the territory of the Sultanate of Oman.

2.3. Material scope

The Oman PDPL does not apply to any processing of personal data where:

  • it is in the interest of national security or public interest;
  • it is required to implement apparatus of the state and public legal persons;
  • processing is required to implement a legal obligation imposed on the controller;
  • processing is necessary to protect the economic and financial interests of the state;
  • processing is necessary to protect the vital interest of the data subject;
  • processing is necessary for the execution of an existing contract to which the data subject is a party (but not its conclusion);
  • it is necessary to prevent a crime;
  • it is necessary for the purposes of historical, statistical, scientific, literary, or economic research by entities authorized to carry out such works;
  • it is in a personal or family context; and
  • the data is available to the public and in a manner that does not violate the provisions of the Oman PDPL.

Notably, while other laws treat the above-mentioned cases as exceptions to the obligation to obtain the data subject's consent, the Oman PDPL goes further: it does not apply at all when one or more of these exceptions applies.

Employment Contracts

As noted above, the Oman PDPL does not apply to any processing of personal data where processing is necessary for the execution of an existing contract to which the data subject is a party. However, it is crucial to recognize that employment contracts can fall under the purview of the PDPL, depending on the type of data being processed. Here are some key considerations:

  • certain data, such as the employee's name, identification number, and bank account details, is necessary for the execution of the employment contract. These details are essential for salary payments, contractual obligations, and compliance with labor regulations;
  • other data, like medical information required for medical insurance coverage, is processed to provide specific benefits. This might include sensitive health data, which will require the written consent of the employee, and under the PDPL there is an additional requirement to obtain approval from the Minister as it involves health data. In this case, the employment contract is not covered under the exclusion to consent; and
  • in the case of company device usage, data stored on company laptops or phones provided to the employee might not necessarily fall within the 'execution of contract' legal basis. These devices often contain additional personal data that goes beyond the scope of the employment contract.

Currently, the application of the PDPL remains somewhat unclear due to the absence of executive regulations supplementing the PDPL. These regulations are meant to provide essential clarity and comprehensive guidance on the PDPL's practical implementation within Oman. There is no precise indication of when they might become available. As a result, there exists a certain level of ambiguity surrounding how the PDPL applies in practice, particularly within the context of employment contracts.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The key data protection regulatory authority overseeing the practical implementation and enforcement of the Oman PDPL will be the Ministry of Transport, Communications and Information Technology ('Ministry'). The Ministry's role will complement, but not conflict with, that of the Cyber Defense Centre, which deals with cybersecurity matters, separate from data protection and privacy matters.

3.2. Main powers, duties and responsibilities

The Ministry will undertake the responsibility of implementing the Oman PDPL and in particular:

  • preparing and adopting the controls and procedures relating to the protection of personal data, including determining the necessary safeguards, required measures, and code of conduct relating to the protection of personal data;
  • issuing the necessary controls and procedures for processing personal data and verifying the compliance of the controller and processor with them;
  • receiving reports and complaints filed by data subjects and deciding on them, within the period determined by the Executive Regulations;
  • cooperating with the entities competent with the protection of personal data in other states;
  • providing advice and support to, and coordinating with, units of the administrative apparatus of the state and other public legal persons in any matter relating to the protection of personal data;
  • issuing and revoking licenses to service providers entrusted with studying and evaluating the compliance of the controller and the processor with the provisions of the Oman PDPL, in accordance with the controls and provisions determined by the Executive Regulations;
  • preparing guidance forms for the purpose of the implementation of the provisions of this law, whenever necessary;
  • preparing periodic reports on its activities in the field of the protection of personal data, and publishing them on its website; and
  • preparing a register in which controllers and processors who meet the prescribed conditions are recorded, in the manner determined by the Executive Regulations.

Enforcement

The Ministry shall, for the purpose of protecting the rights of data subjects, undertake any of the following measures:

  • warning the controller or processor for committing a violation of the Oman PDPL;
  • ordering the rectification or erasure of personal data processed in violation of the Oman PDPL;
  • suspending the processing of personal data temporarily or permanently;
  • suspending the transfer of personal data to another state or an international organization; or
  • requesting a copy of the assessment report prepared by the data controller to check the adequacy of the level of protection provided by the third-party processor.

4. Key Definitions

Data controller: The person who determines the purpose and means of the processing of personal data, and carries out this processing themselves or entrusts it to someone else.

Data processor: The person who processes personal data on behalf of the controller.

Personal data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers such as the name, civil number, electronic identifier data, or spatial data, or by reference to one or more factors specific to the genetic, physical, mental, psychological, social, cultural, or economic identity.

Sensitive data: The Oman PDPL does not provide a definition for 'sensitive data'.

Health data: Personal data relating to physical, mental, and psychological health.

Biometric data: Personal data resulting from specific technical processing relating to physical, psychological, or behavioral characteristics such as facial images or genetic fingerprint data.

Pseudonymization: The Oman PDPL does not provide a definition for 'pseudonymization'.

5. Legal Bases

5.1. Consent

Similarly to the GDPR and other laws on data protection, the primary lawful basis for processing personal data under the Oman PDPL is the data subject's consent. However, unlike other laws on data protection, there are no alternative legal bases for processing other than consent (e.g. there is no concept of legitimate interest). Instead, the scope of applicability of the Oman PDPL is limited by the exceptions outlined above (see section on material scope above).

Further to the above, requests for consent to processing must be written in a clear, honest, and understandable manner and controllers must be able to prove that written consent of data subjects to the processing of their data has been obtained (Article 10 of the Oman PDPL).

The Regulations specify the conditions for obtaining consent for processing personal data. Before processing personal data, the data controller must obtain the explicit consent of the data subject and the following conditions shall be required for the consent to be taken into account:

  • the consent shall be issued by a fully qualified person;
  • the consent shall be issued in a clear manner and without coercion; and
  • the approval shall be given in writing, electronically, or by any other means determined by the data controller.

The Oman PDPL enhances the controller's obligation to obtain consent by establishing that controllers must guarantee the confidentiality of personal data and its non-publication except with the prior consent of the data subject, in the manner determined by the Executive Regulations. Failure to do so is punishable by a fine no less than OMR 15,000 (approx. $38,967) and not exceeding OMR 20,000 (approx. $51,957).

5.2. Contract with the data subject

The provisions of the Oman PDPL do not apply to the processing of personal data when executing a contract to which the data subject is a party.

5.3. Legal obligations

Article 3 of the Oman PDPL addresses the legal obligations relevant to the application of the PDPL; as noted in the section on material scope above, the PDPL does not apply where processing is required to implement a legal obligation imposed on the controller.

5.4. Interests of the data subject

The provisions of the Oman PDPL do not apply to the processing of personal data if it is to protect the vital interests of the data subject.

5.5. Public interest

The provisions of the Oman PDPL do not apply to the processing of personal data if it relates to the protection of the economic and financial interests of the state or is in the interests of national security or public interest.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Under the Oman PDPL, it is not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject. However, the Oman PDPL falls short of incorporating commonly established data protection principles such as data minimization or purpose limitation.

7. Controller and Processor Obligations

7.1. Data processing notification

Controllers and processors who meet the prescribed conditions are to be recorded in a register prepared by the Ministry. The Executive Regulations are expected to provide further details on this register.

7.2. Data transfers

Without prejudice to the competencies prescribed to the Cyber Defense Centre, the controller may transfer personal data and permit its transfer outside the borders of the Sultanate of Oman, in accordance with the controls and procedures determined by the Regulations.

Before transferring personal data outside the borders of Oman, the data controller is required to ensure that the third-party processor has an adequate degree of protection for personal data that is not less than the level of protection established in accordance with the Oman PDPL and the Regulations. The data controller must conduct an assessment of the level of protection provided by the third-party processor and the risks of transferring personal data, provided that the assessment includes the following:

  • a description of the nature and size of the personal data to be transmitted or transferred, and its sensitivity;
  • the purpose of personal data processing, the scope of processing, and the parties with whom the personal data will be shared;
  • the time period for personal data processing and whether it will be carried out in a restricted or occasional manner;
  • the stages of transmission or transfer of personal data, the countries it may pass through, and the determination of the final destination of the personal data; and
  • the effect and risk that may result from the transmission or transfer process and the extent of their impact on the personal data subjects.

The Oman PDPL prohibits transferring personal data which has been processed in violation of its provisions or if the transfer would cause harm to the data subject.

A violation of these provisions of the Oman PDPL is punishable by a fine no less than OMR 100,000 (approx. $259,775) and not exceeding OMR 500,000 (approx. $1.29 million).

7.3. Data processing records

The Regulations now require the creation of a special record of personal data processing activities by the data controller or the data processor. This record must include details such as:

  • data of the personal data protection officer ('DPO');
  • description of the categories of personal data and details of persons permitted to access it;
  • processing time periods, restrictions, and scope;
  • mechanisms for erasing, modifying, or processing personal data;
  • purpose of processing the personal data;
  • entities to which personal data is disclosed and purposes of disclosure;
  • data related to the transmission and processing of personal data across borders;
  • technical and organizational procedures for information security and processing operations; and
  • details of any personal data breach, including its effects and remedial actions taken.

7.4. Data protection impact assessment

Controllers have a general obligation to determine the risks that the data subject will be exposed to as a result of the data processing. Article 39 of the Regulations outlines the requirements for the data controller to assess the level of protection provided by a third-party processor when transferring personal data. The assessment should include:

  • description of the type and sensitivity of the personal data;
  • purpose, scope, and parties involved in the processing of personal data;
  • duration and frequency of personal data processing;
  • details of the transmission process, including countries involved and destination of the data; and
  • identification of potential effects and risks on the data subject resulting from the transmission or transfer process.

7.5. Data protection officer appointment

The Regulations require the appointment of a DPO based on specific criteria:

  • they must be qualified to carry out the tasks stipulated in Article 35 of the Regulations;
  • they should be familiar with the Oman PDPL, the Regulations, and the personal data protection practices followed by the data controller or the data processor; and
  • they must be professionally competent and capable of dealing regularly and correctly with all issues related to personal data protection.

Article 35 outlines the role of the DPO, which includes providing proposals and consultations regarding obligations under the Oman PDPL and the Regulations, following up on the implementation of policies related to personal data protection, ensuring compliance with obligations under the Oman PDPL and the Regulations, and coordinating with the Ministry on matters related to personal data processing.

Article 36 requires that the data controller must publish data related to the personal data protection officer, including their name and contact information. The data subject has the right to contact the DPO in all matters related to the processing of their personal data.

A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 1,000 (approx. $2,597) and not exceeding OMR 5,000 (approx. $12,989).

7.6. Data breach notification

In the event of a personal data breach that leads to the destruction, alteration, disclosure, access, or processing in an illegal manner of personal data, the controller must notify the Ministry and the data subject of the breach, in accordance with the controls and procedures determined by the Regulations.

The Regulations stipulate that in the event of a personal data breach, the data controller is required to promptly inform the Ministry. This notification must include comprehensive details such as the nature of the breach, contact information, potential consequences and steps taken to address the breach. Upon receiving this report, the Ministry may assess the data controller's procedures, direct notifications to affected data subjects, or provide necessary guidance and support. Furthermore, if the breach poses serious harm to data subjects, they must be notified within a specified timeframe. Additionally, the Regulations require the documentation of all breaches, including their causes, consequences, and the measures taken to mitigate them.

A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 15,000 (approx. $38,966) and not exceeding OMR 20,000 (approx. $51,955).

7.7. Data retention

The data retention period applicable to data processing operations will be determined by the data processor or the data controller.

In accordance with the Regulations, the data controller, or the data processor, as applicable, must retain documents related to processing operations. This obligation is subject to the following controls:

  • the purpose for retaining processing documents must be clearly specified and lawful;
  • a retention time limit aligned with the processing purpose must be established; and
  • technical protection systems must be implemented to ensure secure storage of processing documents.

A violation of the data retention obligation will be punishable by a fine no less than OMR 1,000 (approx. $2,597) and not exceeding OMR 5,000 (approx. $12,989).

7.8. Children's data

The Oman PDPL prohibits processing personal data of a child except with the approval of their guardian, unless such processing is in the best interest of the child. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 15,000 (approx. $38,968) and not exceeding OMR 20,000 (approx. $51,957).

7.9. Special categories of personal data

A key derogation from core international data protection principles is that there is no definition of, nor any specific safeguards applicable to, the processing of 'sensitive personal data' or 'special categories of personal data'. Instead, the Oman PDPL completely bans the processing of personal data relating to genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or security measures, unless a permit for such processing has first been obtained from the Ministry. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 15,000 (approx. $38,968) and not exceeding OMR 20,000 (approx. $51,957).

Furthermore, the controller must obtain the written consent of the data subject prior to transmitting any advertising or marketing material of a commercial nature, in the manner determined by the Executive Regulations. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 1,000 (approx. $2,597) and not exceeding OMR 5,000 (approx. $12,989).

7.10. Controller and processor contracts

The Regulations stipulate that, in the processing of personal data, the data controller may enter into contracts with the data processor. The data processor, in its dealings with third parties, is required to act on behalf of the data controller. This obligation is within the framework of civil liability provisions and administrative responsibilities before the Ministry. It is important to note that the data processor may be subject to criminal liability for any violations of the provisions outlined in the Oman PDPL and the Regulations.

8. Data Subject Rights

Under the Oman PDPL, data subjects are granted the specific rights outlined below; the Regulations shed further light and detail on the controls and procedures for the exercise of these rights.

8.1. Right to be informed

Prior to commencing processing, the controller must provide the data subject with certain information, such as:

  • the main details of the controller and processor;
  • the contact details of the DPO;
  • the purpose of processing personal data and the source from which it was collected;
  • the rights of data subjects;
  • the recipients of the personal data, and a description of the processing and the procedures in place; and
  • any other information that may be necessary to fulfill the processing conditions.

Controllers may meet this requirement by having a compliant privacy policy or notice, and subsequently obtaining the data subject's consent through a click-and-accept procedure. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 500 (approx. $1,299) and not exceeding OMR 2,000 (approx. $5,195).

8.2. Right to access

Article 11 of the Oman PDPL provides for a data subject's right to access personal data.

8.3. Right to rectification

Article 11 of the Oman PDPL provides for a data subject's right to rectification, update, or blocking of their personal data.

8.4. Right to erasure

Article 11 of the Oman PDPL provides for a data subject's right to erasure of their personal data unless processing is necessary for the purpose of preservation or national documentation.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Article 11 of the Oman PDPL provides for a data subject's right to data portability.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Furthermore, data subjects have the right to submit a complaint to the Ministry if they consider that the processing of their personal data is not in compliance with the Oman PDPL, in accordance with the controls and procedures determined by the Executive Regulations.

Complaints must be submitted within 30 days of becoming aware of the violation and forwarded to the data controller by the Ministry within 7 days following submission.

Additionally, Article 11 of the Oman PDPL provides for a data subject's right to revoke consent (without prejudice to any processing which took place prior to such withdrawal).

Data subjects also have the right to be informed in the event of a personal data security breach that causes their personal data to be destroyed, altered, disclosed, accessed, or otherwise processed unlawfully as per Article 19 of the Oman PDPL.

9. Penalties

In addition to the penalties described above, a fine no less than OMR 1,000 (approx. $2,597) and not exceeding OMR 5,000 (approx. $12,989) will be imposed on controllers and processors who:

  • fail to abide by the controls and procedures prescribed by the Ministry; or
  • fail to cooperate with the Ministry or provide data/documents when requested to do so.

Moreover, any legal person shall be punished by a fine no less than OMR 5,000 (approx. $12,989) and not exceeding OMR 100,000 (approx. $259,786), if a crime under the PDPL is committed in its name or for its account by the chairman or a member of its board of directors, its manager, or any other official by its approval, or under its concealment or gross negligence.

The competent court may, in addition to the fine, order the confiscation of the tools used in committing the crimes punishable under the Oman PDPL.

Finally, the Ministry may impose administrative penalties for offenses committed in violation of the provisions of the Oman PDPL, Executive Regulations, or the decisions issued in its implementation, provided that the administrative fine does not exceed OMR 2,000 (approx. $5,195).

9.1. Enforcement decisions

Not applicable.