Oman - Data Protection Overview

June 2023

1. Governing Texts

Until recently, the protection of personal data in Oman was not subject to a comprehensive legislative text and the matter was mainly addressed in the digital context under Chapter 7 of Royal Decree No. 69/2008 promulgating the Electronic Transactions Law ('the Electronic Transactions Law'). The country's personal data protection framework changed considerably with the enactment of Royal Decree 6/2022 promulgating the Personal Data Protection Law (only available in Arabic here) ('Oman PDPL').

1.1. Key acts, regulations, directives, bills

The Oman PDPL was issued on 9 February 2022 and is considered effective and in force as of 13 February 2023. It repeals Chapter 7 of the Electronic Transactions Law and introduces much more robust privacy provisions as well as core privacy law principles, with a view to aligning Oman's data protection landscape with the global best practice enshrined in laws such as the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

1.2. Guidelines

The provisions of the Oman PDPL will be clarified and complemented by Executive Regulations as well as by decisions issued by the Minister of Transport, Communications, and Information Technology ('the Minister'). There is no indication of when the Executive Regulations will be issued, and until they are issued the effectiveness and enforceability of the Oman PDPL will be affected.

1.3. Case law

Since the Oman PDPL was only recently adopted, there has been no case law on its implementation. It is expected that the courts will hear cases regarding the Oman PDPL after the end of the transition period.

2. Scope of Application

2.1. Personal scope

The provisions of the Oman PDPL apply to personal data that is processed. As such, it applies to the data of natural persons.

2.2. Territorial scope

The territorial scope of the Oman PDPL is not expressly determined by its provisions. However, it is expected that the Oman PDPL will apply to data subjects, controllers, and processors located within the territory of the Sultanate of Oman.

2.3. Material scope

The Oman PDPL does not apply to any processing of personal data where:

  • it is in the interest of national security or public interest;
  • it is required to implement apparatus of the state and public legal persons;
  • processing is required to implement a legal obligation imposed on the controller;
  • processing is necessary to protect the economic and financial interests of the state;
  • processing is necessary to protect the vital interests of the data subject;
  • processing is necessary for the execution of an existing contract to which the data subject is a party (but not its conclusion);
  • it is necessary to prevent a crime;
  • it is necessary for the purposes of historical, statistical, scientific, literary, or economic research by entities authorised to carry out such works;
  • it is in a personal or family context; and
  • the data is available to the public in a manner that does not violate the provisions of the Oman PDPL.

It is worth highlighting that while other laws treat the above-mentioned cases as exceptions to the obligation to obtain the data subject's consent, the Oman PDPL goes further: it does not apply at all when one or more of these exceptions apply.

Employment Contracts

As noted above, the Oman PDPL does not apply to any processing of personal data where processing is necessary for the execution of an existing contract to which the data subject is a party. However, it is crucial to recognise that employment contracts can fall under the purview of the PDPL, depending on the type of data being processed. Here are some key considerations:

  • certain data, such as the employee's name, identification number, and bank account details, is necessary for the execution of the employment contract. These details are essential for salary payments, contractual obligations, and compliance with labor regulations;
  • other data, like medical information required for medical insurance coverage, is processed to provide specific benefits. This might include sensitive health data, which will require the written consent of the employee, and under the PDPL there is an additional requirement to obtain approval from the Minister as it involves health data. In this case, the employment contract is not covered under the exclusion to consent; and
  • in the case of company device usage, data stored on company laptops or phones provided to the employee might not necessarily fall within the 'execution of contract' legal basis. These devices often contain additional personal data that goes beyond the scope of the employment contract.

Currently, the application of the PDPL remains somewhat unclear due to the absence of executive regulations supplementing the PDPL. These regulations are meant to provide essential clarity and comprehensive guidance on the PDPL's practical implementation within Oman. There is no precise indication of when they might become available. As a result, there exists a certain level of ambiguity surrounding how the PDPL applies in practice, particularly within the context of employment contracts.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The key data protection regulatory authority overseeing the practical implementation and enforcement of the Oman PDPL will be the Ministry of Transport, Communications and Information Technology ('Ministry'). The Ministry's role will complement, but not conflict with that of the Cyber Defence Centre, which deals with cybersecurity matters, separate from data protection privacy matters.

3.2. Main powers, duties and responsibilities

The Ministry will undertake the responsibility of implementing the Oman PDPL and in particular:

  • preparing and adopting the controls and procedures relating to the protection of personal data, including determining the necessary safeguards, required measures, and code of conduct relating to the protection of personal data;
  • issuing the necessary controls and procedures for processing personal data and verifying the compliance of the controller and processor with them;
  • receiving reports and complaints filed by data subjects and deciding on them, within the period determined by the Executive Regulations;
  • cooperating with the entities competent with the protection of personal data in other states;
  • providing advice and support to, and coordinating with, units of the administrative apparatus of the state and other public legal persons in any matter relating to the protection of personal data;
  • issuing and revoking licences to service providers entrusted with studying and evaluating the compliance of the controller and the processor with the provisions of the Oman PDPL, in accordance with the controls and provisions determined by the Executive Regulations;
  • preparing guidance forms for the purpose of the implementation of the provisions of this law, whenever necessary;
  • preparing periodic reports on its activities in the field of the protection of personal data, and publishing them on its website; and
  • preparing a register in which controllers and processors who meet the prescribed conditions are recorded, in the manner determined by the Executive Regulations.

Enforcement

The Ministry shall, for the purpose of protecting the rights of data subjects, undertake any of the following measures:

  • warning the controller or processor for committing a violation of the Oman PDPL;
  • ordering a rectification and erasure of personal data processed in violation of Oman PDPL;
  • suspending the processing of personal data temporarily or permanently;
  • suspending the transfer of personal data to another state or an international organisation; or
  • any other measure it deems necessary for the protection of personal data, in the manner determined by the Executive Regulations.

4. Key Definitions

Data controller: The person who determines the purpose and means of the processing of personal data, and carries out this processing themself or entrusts it to someone else.

Data processor: The person who processes personal data on behalf of the controller.

Personal data: Data that identifies a natural person or makes them identifiable, directly or indirectly, by reference to one or more identifiers such as the name, civil number, or electronic identifiers data or spatial data, or by reference to one or more factors specific to the genetic, physical, mental, psychological, social, cultural, or economic identity.

Sensitive data: The Oman PDPL does not provide a definition for 'sensitive data'.

Health data: Personal data relating to physical, mental, and psychological health.

Biometric data: Personal data resulting from specific technical processing relating to the physical, psychological, or behavioural characteristics such as the facial image or the genetic fingerprint data.

Pseudonymisation: The Oman PDPL does not provide a definition for 'pseudonymisation'.

5. Legal Bases

5.1. Consent

As under the GDPR and other data protection laws, the primary lawful basis for processing personal data under the Oman PDPL is the data subject's consent. However, unlike other data protection laws, there are no alternative legal bases for processing other than consent (e.g. there is no concept of legitimate interest). Instead, the scope of applicability of the Oman PDPL is limited by the exceptions outlined above (see the section on material scope).

Further to the above, requests for consent to processing must be written in a clear, honest, and understandable manner and controllers must be able to prove that written consent of data subjects to the processing of their data has been obtained (Article 10 of the Oman PDPL).

The Oman PDPL reinforces the controller's obligation to obtain consent by establishing that controllers must guarantee the confidentiality of personal data and its non-publication except with the prior consent of the data subject, in the manner determined by the Executive Regulations. Failure to do so is punishable by a fine of no less than OMR 15,000 (approx. €36,223) and not exceeding OMR 20,000 (approx. €48,297).

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Under the Oman PDPL, it is not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject. However, the Oman PDPL falls short of incorporating commonly established data protection principles such as data minimisation or purpose limitation.

7. Controller and Processor Obligations

7.1. Data processing notification

Controllers and processors who meet the prescribed conditions are to be recorded in a register prepared by the Ministry. The Executive Regulations are expected to provide further details on this register.

7.2. Data transfers

Without prejudice to the competences prescribed to the Cyber Defence Centre, the controller may transfer personal data and permit its transfer outside the borders of the Sultanate of Oman, in accordance with the controls and procedures determined by the Executive Regulations.

The Oman PDPL prohibits transferring personal data which has been processed in violation of its provisions or if the transfer would cause harm to the data subject.

A violation of these provisions of the Oman PDPL is punishable by a fine of no less than OMR 100,000 (approx. €241,544) and not exceeding OMR 500,000 (approx. €1,207,719).

7.3. Data processing records

The Oman PDPL does not contain an express reference to an obligation to maintain data processing records. However, further clarification on this point may be included in the Executive Regulations.

7.4. Data protection impact assessment

Controllers have a general obligation to determine the risks that the data subject will be exposed to as a result of the data processing. Further clarification on this obligation may be contained in the Executive Regulations.

7.5. Data protection officer appointment

The controller shall identify a data protection officer ('DPO') by following the selection controls and criteria determined in the Executive Regulations (Article 20 of the Oman PDPL). A violation of this provision of the Oman PDPL is punishable by a fine of no less than OMR 1,000 (approx. €2,416) and not exceeding OMR 5,000 (approx. €12,079).

7.6. Data breach notification

In the event of a personal data breach that leads to the destruction, alteration, disclosure, access, or processing in an illegal manner of personal data, the controller must notify the Ministry and the data subject of the breach, in accordance with the controls and procedures determined by the Executive Regulations. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 15,000 (approx. €36,236) and not exceeding OMR 20,000 (approx. €48,294).

7.7. Data retention

The data retention period applicable to data processing operations will be determined by the Executive Regulations. A violation of the data retention obligation will be punishable by a fine no less than OMR 1,000 (approx. €2,416) and not exceeding OMR 5,000 (approx. €12,079).

7.8. Children's data

The Oman PDPL prohibits processing personal data of a child except with the approval of their guardian, unless such processing is in the best interest of the child. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 15,000 (approx. €36,236) and not exceeding OMR 20,000 (approx. €48,294).

7.9. Special categories of personal data

A key derogation from core international data protection principles is that there is no definition of, nor any specific safeguards applicable to, the processing of 'sensitive personal data' or 'special categories of personal data'. Instead, the Oman PDPL completely bans the processing of personal data relating to genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or security measures, except after obtaining a permit for such processing from the Ministry. A violation of this provision of the Oman PDPL is punishable by a fine of no less than OMR 15,000 (approx. €36,236) and not exceeding OMR 20,000 (approx. €48,294).

Furthermore, the controller must obtain the written consent of the data subject prior to transmitting any advertising or marketing material of a commercial nature, in the manner determined by the Executive Regulations. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 1,000 (approx. €2,416) and not exceeding OMR 5,000 (approx. €12,079).

7.10. Controller and processor contracts

The Oman PDPL does not contain an express reference to the requirement for controllers to enter into a contract with data processors. However, further clarification on this point may be included in the Executive Regulations.

8. Data Subject Rights

Under the Oman PDPL, data subjects are granted the specific rights outlined below; however, the Executive Regulations are expected to provide further detail on the controls and procedures for exercising these rights.

8.1. Right to be informed

Prior to commencing processing, the controller must provide the data subject with certain information, such as:

  • the main details of the controller and processor;
  • the contact details of the DPO;
  • the purpose of processing personal data and the source from which it was collected;
  • the rights of data subjects; 
  • the recipients of the personal data, and a description of the processing and the procedures in place; and
  • any other information that may be necessary to fulfill the processing conditions.

Controllers may meet this requirement by having a compliant privacy policy or notice, and subsequently obtaining the data subject's consent through a click and accept procedure. A violation of this provision of the Oman PDPL is punishable by a fine no less than OMR 500 (approx. €1,207) and not exceeding OMR 2,000 (approx. €4,830).

8.2. Right to access

Article 11 of the Oman PDPL provides for a data subject's right to access personal data.

8.3. Right to rectification

Article 11 of the Oman PDPL provides for a data subject's right to rectification, update, or blocking of their personal data.

8.4. Right to erasure

Article 11 of the Oman PDPL provides for a data subject's right to erasure of their personal data unless processing is necessary for the purpose of preservation or national documentation.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Article 11 of the Oman PDPL provides for a data subject's right to data portability.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Furthermore, data subjects have the right to submit a complaint to the Ministry if they consider that the processing of their personal data is not in compliance with the Oman PDPL, in accordance with the controls and procedures determined by the Executive Regulations.

Additionally, Article 11 of the Oman PDPL provides for a data subject's right to revoke consent (without prejudice to any processing which took place prior to such withdrawal).

Data subjects also have the right to be informed in the event of a personal data security breach that causes their personal data to be destroyed, altered, disclosed, accessed, or otherwise processed unlawfully as per Article 19 of the Oman PDPL.

9. Penalties

In addition to the penalties described above, a fine no less than OMR 1,000 (approx. €2,416) and not exceeding OMR 5,000 (approx. €12,079) will be imposed on controllers and processors who:

  • fail to abide by the controls and procedures prescribed by the Ministry; or
  • fail to cooperate with the Ministry or provide data/documents when requested to do so.

Moreover, any legal person shall be punished by a fine of no less than OMR 5,000 (approx. €12,079) and not exceeding OMR 100,000 (approx. €241,544) if a crime under the PDPL is committed in its name or on its account by the chairman or a member of its board of directors, its manager, or any other official, with its approval or through its concealment or gross negligence.

The competent court may, in addition to the fine, order the confiscation of the tools used in committing the crimes punishable under the Oman PDPL.

Finally, the Ministry may impose administrative penalties for offences committed in violation of the provisions of the Oman PDPL, Executive Regulations, or the decisions issued in its implementation, provided that the administrative fine does not exceed OMR 2,000 (approx. €4,830).

9.1. Enforcement decisions

Not applicable.