The Law on the Protection of Personal Data ('PDPL'), promulgated by Royal Decree No. 6 of 2022 dated 9 February 2022, was published in the Official Gazette on 13 February 2022 and marks the introduction of Oman's first comprehensive data protection law. The PDPL comes into force on 13 February 2023. The new law follows the global trend of increased adoption of dedicated general data protection laws, including in the GCC, where fairly recent data protection laws in Qatar and Bahrain have been followed by new laws in Saudi Arabia and the UAE in the latter half of 2021. It replaces the more limited data protection regime that already exists in Chapter Seven of the Electronic Transactions Law (promulgated by Royal Decree 69/2008). The Law boasts 32 articles, including data protection principles, a requirement to appoint a data protection officer ('DPO'), data subject rights, controller and processor obligations, and penalties for breach of the same, bringing the country's legislative regime into closer alignment with global data protection laws.
The Ministry of Transport, Communications and Information Technology (MTCIT) is responsible for implementing the PDPL. The Minister of Transport, Communications and Information Technology will issue the executive regulations to the PDPL in due course.
There are specific exceptions to the application of the PDPL, including where the processing of personal data is for national security or public interest reasons, the detection or prevention of a crime based on a formal written request from the investigative authority, the performance of a contract to which the personal data subject is a party and where the data is already publicly available.
Some excerpts from the Law are set out below:
The Law provides for definitions of:
- Personal data
- Genetic data
- Biometric data
- Health data
- Processing
- Data subject
- Controller
- Processor
Restrictions on processing
The Law provides that processing of personal data relating to genetic, biometric, health data or data relating to ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions, or related security measures is prohibited unless a permit is obtained from the MTCIT (Ministry of Transport, Communications and Information Technology) in accordance with the controls and procedures specified by the Regulations.
Moreover, the Law further prohibits the processing of children's personal data without the permission of their legal guardian, unless the processing is in the child's best interests, and in accordance with the controls and procedures specified by the Regulations.
Supervisory authority
- Preparation and approval of controls and procedures related to the protection of personal data, including determining the necessary guarantees, measures, and codes of conduct related to the same;
- Issuance of the necessary guarantees and measures for the processing of personal data and verifying controllers' and processors' compliance with the same;
- Cooperation with the data protection authorities of other countries;
- Provision of advice, support, and coordination to the state's administrative apparatus units and other public bodies in matters related to the protection of personal data;
- Issuance and revocation of licences of service providers entrusted with the assessment and evaluation of controllers' and processors' compliance with the provisions of the Law, according to the controls and measures specified by the Regulations;
- Preparation of guiding templates for the purposes of implementing the provisions of the Law whenever required;
- Preparation of periodic reports on its activities in the field of data protection to be published on its website; and
- Setting up a register in which controllers and processors that fulfil the prescribed conditions are registered as specified by the terms of the Regulations.
Moreover, for the purpose of safeguarding the rights of data subjects, Article 8 of the Law provides that the MTCIT shall also undertake any of the following measures:
- Warn the controller or processor of the violation(s) of provisions of the Law;
- Order the correction and erasure of personal data that has been processed in violation of the provisions of the Law;
- Order the processing of personal data to cease temporarily or permanently;
- Order to stop data from being transferred to another country or organisation; and
- Any other measure that the MTCIT deems necessary to protect personal data, in accordance with what is specified in the Regulations.
Data subject rights
The Law provides for several data subject rights:
- Right not to be subject to processing without consent;
- Right to withdraw consent;
- Right to rectification, update, or blocking of personal data;
- Right to access personal data;
- Right to data portability;
- Right to erasure of personal data unless processing is necessary for the purpose of preservation or national documentation; and
- Right to be informed of any breach of their personal data and mitigating measures taken in this regard.
The Law provides that personal data may only be processed in accordance with the principles of transparency, honesty, and respect for human dignity, and after the express consent of the data subject to the processing of their personal data. Requests for consent to processing must be written in a clear, honest, and understandable manner, and controllers must be able to prove that written consent of data subjects to the processing of their data has been obtained.