Oman’s Leap Towards Data Protection: Unveiling the New Implementing Regulation

In an era where data breaches are increasingly common, Oman has taken a step forward with the introduction of the Implementing Regulation of the Personal Data Protection Law, enacted by Ministerial Decision No 34/2024 (Regulation). The Regulation, in conjunction with the Personal Data Protection Law issued in 2022 under Sultani Decree No 6/2022 (Personal Data Protection Law), forms a holistic framework designed to protect personal data and maintain privacy standards, marking a milestone in the Sultanate’s commitment to data protection.

The obligations established by the Personal Data Protection Law and Regulation shall apply to the ‘processing’ of any personal data, save for certain exceptions. For these purposes, personal data is any data which makes a natural person (Personal Data Subject or Personal Data Owner) directly or indirectly identifiable by reference to a particular identifier(s) (eg name) or element(s) (eg genetic features) (Personal Data). As for processing, this ultimately includes any action performed on the Personal Data, including collecting, recording and reviewing the Personal Data (amongst others). Exceptions include processing Personal Data to protect national security, or if the processing is in a personal/family context.

The Personal Data Protection Law distinguishes between ‘controllers’ and ‘processors’ to reflect the different obligations of these entities which process Personal Data. Controllers are any entity that “determines the purposes and means” of processing Personal Data (Controller), while processors are any entity that processes Personal Data on behalf of the Controller (Processor).

Entities with obligations established by the Regulation, in other words Controllers or Processors of Personal Data, must align their operations for compliance by 4 February 2025, allowing a year for adjustments to the Regulation.

Key Features of the Regulation¹

Consent Requirement

Consent by Personal Data Subjects is mandatory before processing their Personal Data. This consent must be explicit, either given in writing, electronically or by any other means determined by the Controller, and can be obtained by guardians in cases involving minors.

However, as mentioned above, the provisions of the Regulation and the Personal Data Protection Law do not apply to certain instances of Personal Data processing, such as protection of national security, performance of a legal obligation imposed on the Controller or the executing of a contract for which the Personal Data Subject is a party to (amongst others).

Data Processing Authorization for Sensitive Data

For sensitive categories of Personal Data, such as genetic, health, or political opinion related information, Controllers must obtain permission from the Ministry of Transport, Communications and Information Technology (Ministry) by submitting an application to the Ministry. This form must include information such as the purpose of processing the Personal Data, the systems in place to manage the Personal Data and the details of the Controller’s Personal Data Protection Officer (see below for further details). When making the application, a copy of the Controller’s personal data protection policy and precautionary measures must be attached.

The relevant department of the Ministry will decide on the application’s outcome within 45 days, with no response in this time limit being treated as a rejection. Should the applicant wish to appeal the decision, this must be filed within 60 days from the date of notification of the outcome, and any failure to respond to the appeal within 30 days shall be considered a rejection.

Rights of Personal Data Subjects

The Regulation empowers Personal Data Subjects to exercise several rights by written application to the relevant Controller, including the right to request deletion of Personal Data, access copies of their Personal Data, and transfer Personal Data to new Controllers. It also mandates that requests by Personal Data Subjects be decided by the Controller within 45 days.

Obligations of Controllers and Processors

Both Controllers and Processors which process Personal Data must have a data protection policy which is clearly visible to the Personal Data Subjects, and are obligated to appoint an independent external auditor certified by the Ministry and to allow them to review the systems in place to protect Personal Data. The Regulation is silent on when this auditor must be appointed by.

Controllers need to ensure confidentiality of any Personal Data by following the specified procedures in the Regulation, such as using systems to prevent illegal access to Personal Data and design systems to recover Personal Data when an accident occurs.

As for marketing, Controllers must obtain written consent from the Personal Data Subject before sending any advertising, marketing or commercial material, while offering a way to opt out of receiving these materials.

Data Breach Protocols

In the event of a data breach, which is any unlawful access to Personal Data which leads to the unlawful destruction or processing of such Personal Data, Controllers must notify the competent authority within 72 hours, outlining the breach’s nature, potential impacts, and remedial actions taken.

Personal Data Protection Officer

The Personal Data Protection Officer plays a crucial role, requiring a comprehensive understanding of the Personal Data Protection Law and the Regulation. They will consult on the implementation of policies and are responsible for overseeing data protection strategies and overall compliance. Controllers must appoint a Personal Data Protection Officer and publish their contact details so Personal Data Subjects can contact them.

International Data Transfers

Transferring or processing Personal Data internationally must not compromise national security or interests. Prior to the transfer, Controllers must obtain explicit consent from the Personal Data Subjects, while an adequate level of protection consistent with Omani legislations must be ensured. Importantly, responsibility falls onto the Controllers to determine whether the level of protection provided by the third party is no less than that established by the Regulation and the Personal Data Protection Law. The Controller must conduct an assessment to investigate this, which should consider a number of factors, including the transfer’s purpose, the nature of the Personal Data, etc.

Consent from the Personal Data Owner is not necessary where the transfer is carried out in compliance with an international obligation under an agreement to which Oman is a party, or is carried out in a way that that the Personal Data Owner’s identity is concealed.

Complaints and Penalties

The Regulation outlines a structured process where Personal Data Subjects or any other interested person may file complaints to the relevant department of the Ministry. The complaint must be filed within 30 days of becoming aware of any violation of the Regulation or Personal Data Protection Law.

The Regulation also establishes penalties for violations, including warnings, suspension and cancellation of permits, or a fine not exceeding OMR2,000 (circa USD5,000).

What’s Next

The Regulation underscores Oman’s proactive approach to data protection, further aligning its framework with global standards. Indeed, entities handling Personal Data will have more motivation to rigorously assess and adapt their data management practices to ensure compliance. Meanwhile, the emphasis on consent and transparency places the power back in the hands of the Personal Data Subject, fostering trust in digital transactions and services.

As Oman navigates this new regulatory landscape, the success of the Regulation will hinge on effective implementation and the collective effort of all stakeholders. By fostering a culture of data privacy and security, Oman sets a benchmark for the region, ensuring that Personal Data is treated with the utmost respect and integrity.

The introduction of the Regulation is more than a legal mandate, it is a commitment to protecting the digital identity of individuals, reflecting Oman’s vision for a secure and trustworthy digital future.

Our dedicated data protection team has in-depth experience in assisting regional and international businesses with their compliance requirements.

If you would like to discuss any element of the Regulation, or any other requirements pertaining to data protection in Oman, please contact the authors of this article.