New Oman Personal Data Protection Law

Dentons
Contact

Dentons

Royal Decree 6/2022 promulgating the Personal Data Protection Law (PDPL) was issued in February 2022. The PDPL comes into force on 13 February 2023.

The new law follows the global trend of increased adoption of dedicated general data protection laws, including in the GCC, where fairly recent data protection laws in Qatar and Bahrain have been followed by new laws in Saudi Arabia and the UAE in the latter half of 2021. It replaces the more limited data protection regime that already exists in Chapter Seven of the Electronic Transactions Law (promulgated by Royal Decree 69/2008).

The Ministry of Transport, Communications and Information Technology (Ministry) is responsible for implementing the PDPL. The Minister of Transport, Communications and Information Technology will issue the executive regulations to the PDPL in due course.

What and who is protected?

"Personal data" is defined in the PDPL as "data that identifies a natural person or makes such person identifiable, directly or indirectly, by reference to identifiers such as name, civil number, electronic identifier data or address related data or factors such as genetic, physical, mental, physiological, social, cultural or economical identity”. The PDPL protects the personal data of a "data subject", defined as “a natural person who can be identified from their personal data”.  

Both the "controller", who is responsible for specifying the purpose and method of processing personal data, and the "processor", who processes the personal data on behalf of the controller, have duties to, among other things:

  • assess the impact and risk that the data subject may be exposed to as a result of the processing;
  • implement appropriate procedures and controls to protect personal data;
  • appoint an officer responsible for the protection of personal data (if required by the Ministry);
  • ensure that personal data is handled in confidence; and 
  • obtain the prior written consent of the data subject before sending any advertising, marketing or commercial material to the personal data subject. 

Exceptions 

There are specific exceptions to the application of the PDPL, including where the processing of personal data is for national security or public interest reasons, the detection or prevention of a crime based on a formal written request from the investigative authority, the performance of a contract to which the personal data subject is a party and where the data is already publically available. 

Rights of data subjects 

The PDPL requires the written consent of a data subject to be obtained before their personal data is processed. Data subjects have the right to: 

  • revoke consent to processing of their personal data;
  • request amendment or updating of their personal data
  • obtain a copy of their processed personal data;
  • transfer personal data to another controller;
  • request the deletion of personal data in accordance with the law; and
  • be notified of any breach or unlawful access to their personal data. 

Permit required for processing sensitive data

Processing of personal data related to genetic data, vital data, health data, ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions, or related to security measures is not allowed without obtaining a permit from the Ministry.

What happens if the PDPL is breached? 

A data subject who believes that a right under the PDPL has been breached can report the breach to the Ministry. 

The Ministry has wide powers. It can issue a warning to the controller or the processor, order that processed personal data is corrected or deleted, suspend the processing of personal data temporarily or permanently, suspend the transfer of personal data to another country or international organisation or take any other measure deemed necessary for the protection of personal data. 

Violation of the PDPL can result in criminal fines ranging from RO500 and RO500,000, as well as administrative fines of up to RO2000.

What should my business do to comply with the PDPL?

Businesses in Oman should update their policies, contracts, notices and activities to align with the PDPL and ensure that staff are well trained by the time the PDPL comes into force. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons
Contact
more
less

Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.