Oman: New personal data protection law – what you need to know
After an active 2021 with regards to data protection laws and developments in the Middle East, the new year has brought about yet another new data protection law, this time in the Sultanate of Oman. Namely, the Law on the Protection of Personal Data, promulgated by Royal Decree No. 6 of 2022 dated 9 February 2022[1] ('the Law') was published in the Official Gazette on 13 February 2022 and marks the introduction of Oman's first comprehensive data protection law. This Insight article aims to summarise the provisions of the Law and provide a breakdown of the key obligations organisations should be mindful of.
The Law boasts 32 articles, including data protection principles, a requirement to appoint a data protection officer ('DPO'), data subject rights, controller and processor obligations, and penalties for breach of the same, bringing the country's legislative regime into closer alignment with global data protection laws.
Notably, the Law provides that its provisions will be supplemented by executive regulations ('the Regulations') which will be issued by the Minister of Transport, Communications and Information Technology ('the Minister') as per Article 2 of the Law. Additionally, Article 2 of the Law further specifies that the Minister shall also issue the necessary decisions to enforce the provisions of the Law, and until the Regulations and such decisions are issued, shall work with existing provisions and decisions so long as they do not conflict with the provisions of the Law.
Furthermore, Article 7 of the Law designates the Ministry of Transport, Communications and Information Technology ('MTCIT') as the regulatory authority responsible for enforcement of the provisions of the Law.
The Law provides for definitions in Chapter 1, Article 1, including the following:
- personal data;
- genetic data;
- biometric data;
- health data;
- data subject;
- controller; and
Article 3 of the Law provides that the Law does not apply to the processing of personal data in the following contexts:
- national security or public interest;
- the exercise by units of the state's administrative apparatus and other public legal persons of their legally prescribed powers;
- executing a legal obligation imposed on the controller under any law, rule, or decision of the court;
- protecting the country's economic and financial interests;
- protecting the vital interests of a data subject;
- exposing or preventing any criminal offence based on an official written request from investigating authorities;
- executing a contract to which the data subject is a party;
- if the processing is undertaken in a personal or family setting;
- the purposes of historical, statistical, scientific, literary, or economic research by authorities authorised to carry out such works, provided that their publications contain no indication of the data subjects, so that the data cannot be attributed to an identifiable person; and
- if the data has been made publicly available in the absence of violations of the Law.
Notably, 'personal data' is defined in Article 1 of the Law as data that makes a natural person identifiable, or capable of being identified directly or indirectly, by reference to one or more identifiers, such as name, ID number, electronic identification data, location data, or by reference to one or more factors related to genetic, physical, mental, psychological, social, cultural, or economic identity.
Restrictions on processing
The Law provides that processing of personal data relating to genetic, biometric, or health data, or data relating to ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions or related security measures, is prohibited unless a permit is obtained from the MTCIT in accordance with the controls and procedures specified by the Regulations (Article 5 of the Law).
Moreover, the Law further prohibits the processing of children's personal data without the permission of their legal guardian, unless the processing is in the child's best interests, and in accordance with the controls and procedures specified by the Regulations (Article 6 of the Law).
With regards to the roles and responsibilities of the MTCIT, Article 7 of the Law provides that without prejudice to the established competencies of the MTCIT, it shall assume the responsibility of enforcing the provisions of the Law and particularly the following:
- preparation and approval of controls and procedures related to the protection of personal data, including determining the necessary guarantees, measures, and codes of conduct related to the same;
- issuance of the necessary guarantees and measures for the processing of personal data and verifying controllers' and processors' compliance with the same;
- cooperation with the data protection authorities of other countries;
- provision of advice, support, and coordination to the state's administrative apparatus units and other public bodies in matters related to the protection of personal data;
- issuance and revocation of licences of service providers entrusted with the assessment and evaluation of controllers' and processors' compliance with the provisions of the Law, according to the controls and measures specified by the Regulations;
- preparation of guiding templates for the purposes of implementing the provisions of the Law whenever required;
- preparation of periodic reports on its activities in the field of data protection to be published on its website; and
- setting up a register in which controllers and processors that fulfil the prescribed conditions are registered as specified by the terms of the Regulations.
Moreover, for the purpose of safeguarding the rights of data subjects, Article 8 of the Law provides that the MTCIT shall also undertake any of the following measures:
- warn the controller or processor of the violation(s) of provisions of the Law;
- order the correction and erasure of personal data that has been processed in violation of the provisions of the Law;
- order the processing of personal data to cease temporarily or permanently;
- order that data stop being transferred to another country or organisation; and
- any other measure that the MTCIT deems necessary to protect personal data, in accordance with what is specified in the Regulations.
Notably, the Law also provides that employees of the MTCIT appointed by a decision issued by the competent authority in agreement with the Minister, shall have judicial capacity in implementing the provisions of the Law, the Regulations, and decisions issued in its implementation (Article 9 of the Law).
Data subject rights
The Law provides for several data subject rights, including (Article 10 of the Law):
- right not to be subject to processing without consent;
- right to withdraw consent;
- right to rectification, update, or blocking of personal data;
- right to access personal data;
- right to data portability;
- right to erasure of personal data unless processing is necessary for the purpose of preservation or national documentation; and
- right to be informed of any breach to their personal data and mitigating measures taken in this regard.
In this regard, Article 11 of the Law notes that the Regulations shall outline the controls and procedures for exercising the abovementioned rights.
Moreover, Article 12 of the Law provides that the data subject may submit a complaint to the MTCIT if they believe that processing of their personal data does not comply with the provisions of the Law, in accordance with the controls and procedures outlined in the Regulations.
The Law provides that personal data may only be processed in accordance with the principles of transparency, honesty, and respect for human dignity, and after the express consent of the data subject to the processing of their personal data has been granted (Article 10 of the Law). Article 10 of the Law further specifies that requests for consent to processing must be written in a clear, honest, and understandable manner and that controllers must be able to prove that written consent of data subjects to the processing of their data has been obtained.
Data subjects also have the right to withdraw their consent to the processing of their personal data without prejudice to the processing that took place before its withdrawal (Article 11 of the Law).
Controller and processor obligations
The Law provides that the controller is required to set the controls and procedures to be adhered to when processing personal data, which should include the following (Article 13 of the Law):
- determination of the risks to data subjects that could arise in the processing of their personal data;
- procedures and controls for transferring personal data;
- technical and organisational measures to guarantee the execution of processing activities in line with the provisions of the Law; and
- any other controls and procedures set forth by the Regulations.
Furthermore, Article 15 of the Law provides that controllers and processors are required to comply with the controls and procedures decided by the MTCIT to guarantee that processing activities take place in accordance with the provisions of the Law. Further, Article 18 of the Law states that controllers and processors must cooperate with the MTCIT and submit the information and documents it requests and which it deems necessary to exercise its jurisdiction in accordance with the provisions of the Law within the timeframe specified by the Regulations.
Article 14 of the Law provides that prior to the commencement of processing, the controller must notify data subjects of the following:
- information about the controller and the processor;
- contact information of the DPO;
- the purpose of processing the personal data, and source of its collection;
- a comprehensive and accurate description of the processing and its procedures, and the degree to which data is disclosed;
- the rights of data subjects including the right to access their personal data, rectify, transfer, and update it; and
- any other information that may be necessary to fulfil the conditions of processing.
The Law states that controllers and processors are required to, at the request of the MTCIT, appoint an external auditor to ensure that the procedures of processing of personal data are carried out in accordance with the provisions of the Law and the controllers' controls and procedures stipulated in Article 13 of the Law, noting that the Regulations shall determine the controls and procedures related to the appointment of an external auditor. In this regard, controllers and processors are also required to provide the MTCIT with a copy of the report of the external auditor (Article 16 of the Law).
Records of processing activities
Article 17 of the Law notes that controllers and processors are required to keep records of processing activities according to the periods and procedures specified by the Regulations.
Appointment of a DPO
Controllers are required to appoint a DPO, and requirements of the appointment as well as the responsibilities of the DPO shall be determined by the Regulations (Article 20 of the Law).
In the event of a personal data security breach that causes personal data to be destroyed, altered, disclosed, accessed, or otherwise processed unlawfully, the controller is required to notify the MTCIT and the data subject of the breach in accordance with the controls and procedures set forth by the Regulations (Article 19 of the Law).
Moreover, Article 21 of the Law provides that the controller is required to ensure the confidentiality of personal data, and to refrain from publishing such data without the prior approval of the data subject in accordance with the manner specified by the Regulations.
Controllers are required to obtain the written consent of the data subject before sending them any advertising or marketing materials for commercial purposes in accordance with the manner specified by the Regulations (Article 22 of the Law).
Without prejudice to the established competencies of the electronic defence centre, controllers may transfer personal data and allow it to be transferred outside the borders of the Sultanate of Oman in accordance with the controls and procedures set forth by the Regulations. In this regard, controllers are prohibited from making such transfers if personal data has been processed in violation of the provisions of the Law or would cause harm to data subjects (Article 23 of the Law).
The Law provides that without prejudice to any stricter penalty by other laws, the following penalties are applicable (Chapter 5, Article 24 of the Law):
- a fine no less than OMR 500 (approx. €1,140) and not exceeding OMR 2,000 (approx. €4,580) for breach of Article 14 of the Law on notification requirements (Article 25 of the Law);
- a fine no less than OMR 1,000 (approx. €2,290) and not exceeding OMR 5,000 (approx. €11,450) for breach of Articles 15, 16, 17, 18, 20, and 22 of the Law (Article 26 of the Law);
- a fine no less than OMR 5,000 and not exceeding OMR 10,000 (approx. €22,880) for breach of Article 13 of the Law on controller obligations (Article 27 of the Law);
- a fine no less than OMR 15,000 (approx. €34,330) and not exceeding OMR 20,000 (approx. €45,770) for breach of Articles 5, 6, 19, and 21 of the Law (Article 28 of the Law);
- a fine no less than OMR 100,000 (approx. €228,830) and not exceeding OMR 500,000 (approx. €1.14 million) for breach of Article 23 of the Law on data transfers (Article 29 of the Law); and
- without prejudice to the criminal liability of natural persons, a legal person shall be punished with a fine of no less than OMR 5,000 and not exceeding OMR 100,000 if the crime is committed in its name or on its behalf by a chairman, board member, director, or any other official, with their consent, acquiescence, or negligence (Article 30 of the Law).
Moreover, the Law adds that a competent court may, within the scope of application of the provisions of the Law, and in addition to fines imposed, order the confiscation of the instruments used to commit the crime (Article 31 of the Law).
Furthermore, without prejudice to the penalties stipulated in the Law, the MTCIT may impose administrative penalties not exceeding OMR 2,000 for violations of the provisions of the Law, the Regulations, or administrative decisions related thereto.
The Law repeals and replaces any conflicting legislation as per Article 3, and particularly refers to Chapter 7 of Royal Decree No. 69/2008 promulgating the Electronic Transactions Law[2] ('the Electronic Transactions Law') as no longer applicable.
Notably, organisations will need to comply with the provisions of the Law by 9 February 2023, a year from its date of issuance, 9 February 2022.
Alice Muasher, Privacy Analyst
1. See: https://www.mjla.gov.om/legislation/decrees/details.aspx?Id=1397&type=L (only available in Arabic)
2. See: https://omanportal.gov.om/wps/wcm/connect/3798ffd0-d1a0-4a41-970f-a5f211f50c3b/Electronic+Transactions+Law+English.pdf?MOD=AJPERES