New guidance on personal data protection

22 April 2024

By Dharma Carlin, Mehdi Al Lawati and Hamood Al Rawahi

At a glance

  • On 28 January 2024, Ministerial Decision No. (34) of 2024 Issuing the Implementing Regulation (Regulation) of the Personal Data Protection Law (PDPL) came into force in Oman.
  • The Regulation supplements the obligations set out in the PDPL.
  • The PDPL seeks to improve data privacy protections and introduces legal requirements for businesses that are involved in processing personal data.
  • Companies subject to the PDPL have until 5 February 2025 to amend their data processing activities so that they are compliant with it and the accompanying Regulation.

On 4 February 2024, Oman’s Ministry of Transport, Communication and Information Technology (MTCIT) published the Regulation of the PDPL in the Official Gazette. The PDPL, which was issued in February 2022, largely reflects international best practice on data protection and replaces the previous data protection framework under the Omani Electronic Transactions Law. The Regulation, which consists of nine chapters and 45 articles, provides further guidance on the requirements set out in the PDPL and stipulates how organisations should comply with it.

Key provisions of the Regulation

The PDPL prohibits the processing of certain categories of data, including genetic data, biological data, health data, data concerning a person’s ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions and security measures, unless organisations have obtained a permit to process these types of data from the MTCIT.

The Regulation explains the process for obtaining such a permit and notes that those applying for a permit must submit a form which includes, but is not limited to, the following information: the contact details of the data protection officer; the purpose of processing the personal data; the type of personal data to be processed; where the data will be stored; and the measures in place to protect the data.

The MTCIT has a maximum period of 45 days to consider the permit application upon its receipt and, if applicable, must justify its reason for rejection of the application. Once issued, permits are valid for up to five years but are capable of being amended, renewed or revoked.

The Regulation provides guidance on the processing of children’s personal data and requires express consent to be sought from the child’s guardian prior to the processing of their data.

The rights of a personal data subject are also set out in the Regulation. The Regulation states that the data subject has the right to make a free-of-charge written application to the data controller to exercise any of their rights under Article 11 of the PDPL. The Regulation also sets out the circumstances in which the data subject’s request may be rejected.

The Regulation requires that data controllers or processors implement a personal data protection policy which is made available in a visible place which allows the personal data subject to view the policy, prior to the processing of their data. The notice must contain, as a minimum, the mechanism and procedures for the personal data subject to exercise their rights as stipulated in the PDPL and the Regulation.

Data controllers are obliged, under the Regulation, to appoint a data protection officer who is responsible for ensuring compliance with the PDPL, the Regulation and the data protection practices followed by the data controller or processor. The data controller should publish the contact details of the data protection officer so that they can be contacted by the personal data subject regarding the processing of their data.

The Regulation also explains the process for transferring and transmitting personal data outside of Oman and requires that the express consent of the personal data subject be obtained prior to doing so. However, the Regulation states that consent is not required if the data must be sent in order to meet an international obligation under an agreement to which Oman is a party, or if the data is transferred or transmitted in a way that conceals the identity of the personal data subject.

The consequences for violating the PDPL and/or the Regulation are set out in the Regulation:

  • A personal data subject is able to file a complaint to the authorities regarding any violation within a maximum period of 30 days from the date at which they obtained knowledge of the violation.
  • The authorities are required to provide the controller with a copy of the complaint within seven days from the date of its submission. The authorities will decide upon the complaint within 60 days from the day following the submission of the complaint.
  • If a violation is deemed to have occurred, one of the following administrative penalties may be imposed:
    • issuance of a warning;
    • suspension of the permit until the violation is corrected;
    • issuance of an administrative fine up to OMR2,000 per violation; or
    • revocation of the permit.
  • Upon receipt of an administrative penalty, those subjected to it may appeal to the relevant minister within 60 days from the date of being notified of the violation decision, and the minister will make a further decision within 30 days from the date of its filing. If no decision is received, the appeal is considered to be rejected.

Takeaways for employers

Employers must ensure that their data collection and processing activities are conducted in accordance with the Regulation and the PDPL by the implementation deadline of 5 February 2025. Organisations should consider whether any changes must be made to the way in which they currently process and transmit personal data in order to avoid being subjected to an administrative penalty. It may be necessary to consider whether existing company data protection policies are sufficient to comply with the PDPL and Regulation or whether new company policies should be introduced.

Should you have questions about compliance with the Omani Personal Data Protection Law or the accompanying Regulation, please contact the authors or your DLA Piper contact.
