Data Protection in Oman: An enhanced framework

Yasin Chowdhury Associate yasin.chowdhury@bsabh.com

Arsalan Tariq Partner arsalan.tariq@bsabh.com

In a landmark move, Oman has issued a new Personal Data Protection Law by Royal Decree No.6 of 2022. Arsalan Tariq and Yasin Chowdhury set out the key aspects of the law and its impact on organisations for The Oath Magazine.

Post pandemic where the world has become more digital, the need for personal data protection legislation is felt more urgently than ever before. In the wake of this urgency, Oman has very recently promulgated the Personal Data Protection Law (“PDPL”) by Royal Decree No. 6 of 2022. As per the law, the Ministry of Transport, Communications and Information Technology, Oman (“MOTCIT”) shall issue the implementing regulations in relation to PDPL, as well as the decisions necessary to enforce its provisions. Until the regulations are issued, the existing regulations and decisions shall continue to operate, without conflicting with its provisions. PDPL shall be in force from 13 February 2023 after 1 (one) year from the date of its publication in the official gazette.
PDPL has made significant improvement over and above the current legal regime on protection of personal data in Oman. Until recently, the data protection regime in Oman was mainly regulated in piecemeal by some penal provisions under the Penal Code and Chapter 7 (seven) of the Electronic Transactions Law. However, PDPL has repealed Chapter 7 (seven) of the Electronic Transactions Law, streamlined the personal data protection regime in Oman and set forth a detailed structure in this regard.

What are the benefits of PDPL
The highlights of PDPL are the provisions of privacy and data protection, data processing, data transfers and notification and record keeping requirements among others. The framework PDPL sets out for personal data protection is that of transparency, honesty, and respect for human dignity. PDPL offers a wide definition of personal data in that any data which makes a natural person identifiable, directly or indirectly, by reference to one or more identifiers, such as a name, civil number, electronic identifiers’ data, or spatial data, or by reference to one or more factors related to genetic or physical identity, mental, psychological, social, cultural or economic is treated as personal data under PDPL. Thus, PDPL guarantees protection to a wide range of personal data including genetic, biological and health data. Moreover, PDPL affords particular protection to processing a child’s data by prohibiting the processing of child’s data without the consent of the child’s guardian, unless such processing is in the best interest of the child and compliant with the controls and procedures specified by the implementing regulations of PDPL.

Personal Data
PDPL recognizes privacy as the corner stone of the legislation and puts a blanket prohibition on processing of personal data without the express consent of the owner in writing. Moreover, PDPL affords the following rights regarding one’s personal data
     a. to revoke one’s consent to the processing of one’s personal data, without prejudice to the processing that took place before the cancellation.
     b. to request to amend, update or withhold one’s personal data.
     c. to obtain a copy of one’s processed personal data.
     d. to transfer one’s personal data to another controller.
     e. to request the erasure of one’s personal data unless such processing is necessary for national preservation and documentation purposes.
     f. to be notified of any breach or violation of one’s personal data, and of the measures taken in this regard.

It is pertinent to mention that the protection afforded by PDPL regarding processing personal data is subject to the following exceptions     
     a. protecting national security or the public interest.    
     b. execution of the functions prescribed by law for the units of the state’s administrative apparatus and other public legal persons.    
     c. executing a legal obligation imposed on the controller under any law, judgment or court decision.
     d. protecting the economic and financial interests of the state.
     e. protecting a vital interest of the owner of personal data.
     f. exposing or preventing any criminal offense based on an official written request from the investigation authorities.
     g. executing a contract to which the owner of personal data is a party.
     h. if the treatment is in a personal or family context.
     i. the purposes of historical, statistical, scientific, literary or economic research, by the authorities authorized to carry out these works, provided that no indication or reference related to the owner of personal data is                used in the research and statistics published, to ensure that personal data is not attributed to an identified natural person, or identifiable.
     j. if the data is available to the public and in a manner that does not violate the provisions of PDPL.

Thus, in the situations mentioned above the protection under PDPL is not available to the owner of personal data.

According to PDPL, the controller and the processor are the responsible stakeholders towards the owner of personal data. As per PDPL, a controller is the person who determines the objectives and means of processing personal data, and performs this processing himself, or entrusts it to someone else. Whereas the processor is defined as the person who processes personal data on behalf of the controller.

Under PDPL, the controller is obliged to establish the controls and procedures that must be adhered to when processing personal data, and they must include in particular the following:

     a. determining the risks that may fall on the owner of personal data as a result of the processing.
     b. procedures and controls for transferring and transferring personal data.
     c. technical and procedural measures to ensure that the personal data is dealt with in accordance with PDPL,
     d. any other controls or procedures specified by the implementing regulations.

Article 14 of PDPL categorically requires the controller to notify the owner of the personal data in writing before commencing the processing of any personal data of the following particulars:

     a. data of the controller and the processor.
     b. contact information with the personal data protection officer.
     c. the purpose of personal data processing, and the source from which it was collected.
     d. comprehensive and accurate description of the processing and its procedures, and the degrees of disclosure of personal data.
     e. the rights of the owner of personal data, including the right to access, correct, transfer and update the data.
     f. any other information that may be necessary to fulfill the conditions for processing.

PDPL mandates MOTCIT for implementing its provisions, particularly with the following:
     a. preparing and approving controls and procedures related to the protection of personal data, including defining the necessary safeguards, necessary measures and rules of conduct related to the protection of personal data.
     b. issuing the controls and procedures necessary for processing personal data and verifying the compliance of the controller and processor with them.
     c. receiving communications and complaints filed by the owners of personal data, and deciding on them, within the period specified by the regulation.
     d. cooperating with the authorities concerned with the protection of personal data in other countries.
     e. providing advice, support and coordination with units of the state’s administrative apparatus and other public legal persons in any matter related to the protection of personal data.
     f. issuing and revoking licenses of service providers who are entrusted with studying and evaluating the controller and processor’s compliance with the provisions of this law, in accordance with the controls and procedures specified by the regulation.
     g. preparing indicative forms for the purposes of implementing the provisions of this law, whenever necessary.
     h. preparing periodic reports on its activities in the field of personal data protection, and publishing them on its website.
     i. preparing a register in which the controllers and processors who fulfill the prescribed conditions are recorded, in the manner specified by the regulation.

As per PDPL, MOTCIT has the following authority to exercise to protect the rights of personal data owners –
     a. to warn the controller or processor of the violation committed by him against the provisions of PDPL.
     b. to order the correction and deletion of personal data that has been processed in violation of the provisions of this law.
     c. to stop processing personal data temporarily or permanently.
     d. to stop transferring personal data to another country or an international organization.
     e. any other procedure that the MOTCIT deems necessary to protect personal data, in the manner specified by the implementing regulations.

PDPL specifically prohibits sending unsolicited marketing or advertising materials with commercial purposes, unless the prior consent of the owner is obtained. Moreover, PDPL prohibits the transfer of personal data outside Oman if the personal data is processed in violation of PDPL’s provisions or if such transfer would cause harm to the owner of the personal data.

What are the penalties
PDPL in addition to outlining the substantive provisions of personal data protection sets out the specific penalties for violation of its various provisions. These penalties are additional to any other severer punishments prescribed in the Penal Code or any other laws of Oman applicable to the owners aggrieved due to violation of personal data protection. The minimum fine under PDPL is OR 500 (Omani Riyals five hundred) and the maximum fine is OR 500,000 (Omani Riyals five hundred thousand) depending on which provision of PDPL has been violated. In addition, PDPL entrusts MOTCIT with the authority to impose administrative penalties for the violations of PDPL provisions or its implementing regulations up to OR 2000 (Omani riyals two thousand).

How will this impact businesses?
As stated, PDPL will become effective on 13 February 2023 and MOTCIT will issue the implementing regulations in this regard. In the meantime, businesses should reflect upon their internal policies and train their employees to adhere to the PDPL provisions once it comes into force. In the current data-intensive society, PDPL is a landmark legislation for the protection of personal data in Oman and will fill in several gaps that existed in the previous regime.   

This article was written for The Oath Magazine and can be downloaded here: Oman Personal Data Protection Law