Oman data protection regulation now in force

Martin Hayward and Alexandra Bertz of Pinsent Masons said that Ministerial Decision No. (34) of 2024 Issuing the Implementing Regulation of the Personal Data Protection Law (the regulations), which came into force on 5 February 2024, supplements Oman’s personal data protection law, the Oman Sultani Decree No. 6/2022 Promulgating the Personal Data Protection Law (Oman PDPL). The regulations provide important detail on a number of aspects of Oman’s data protection regime, which generally reflects international best practice on data protection, save for some important differences. Companies that are subject to the Oman PDPL have until 5 February 2025 to align their data processing practices with the provisions of the regulations.

Hayward said: “International businesses in Oman will now find it easier to comply with Oman’s data protection regulatory framework, particularly due to its general compliance with international best practice.”

One area where the regulations provide more detail is on the procedure for applying for permits to process sensitive categories of personal data.

The Oman PDPL prohibits the processing of certain categories of data – such as genetic data, biological data, and health data, and on ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions, and security measures – unless businesses have obtained a permit for such processing from Oman’s Ministry of Transport, Communications and Information Technology (the Ministry).

The regulations confirm the type of information that businesses must provide on this permit application form, such as classifications of the data to be processed and the reasons for the processing – as well as the information businesses must also share with the Ministry alongside the permit application form, including a copy of their data protection policy and a note of the precautionary measures they have adopted to address the risk of a personal data breach.

The Ministry is obliged to decide on the permit application within 45 days and cannot issue a permit in respect of processing that lasts for longer than five years. Companies may appeal to the Ministry in cases where their permit application is refused. Other provisions provide circumstances where existing permits may be revoked, including where a controller “commits a violation” of the Oman PDPL or the regulations.

Hayward said the permit regime is an area where Oman’s rules differ from international best practice, which does not typically require separate permits to be obtained for the processing of sensitive personal data.

Businesses have also been given more detailed requirements around handling requests from data subjects seeking to exercise their rights under the Oman PDPL, including the right to revoke consent to the processing of their personal data, to amend, update or block their data, to get a copy of their data, to have their personal data transferred to another controller, and to have their data erased.

A data subject’s written request to exercise their rights, once submitted to the data controller, must be responded to within 45 days from the date of receipt. This is slightly longer than the 30-day period that generally applies under internationally equivalent data protection standards. Similarly, data controllers wishing to respond to data subject complaints must do so within 14 days from the date of receipt.

The regulations also confirm that all Oman entities must appoint a data protection officer (DPO) – another point of difference between Oman and other international data protection regimes such as the GDPR, where the requirement to appoint a DPO is confined to public authorities and businesses that either process sensitive data on a large scale or whose core activities include large scale, regular and systemic monitoring of individuals.

In addition to this, the Oman PDPL requires controllers and processors to appoint an external auditor to oversee compliance with the Oman PDPL, while the regulations expand upon the requirements to appoint such an auditor. This appears to be mandatory for all Oman entities and will add a new administrative requirement that Oman entities will need to action.

There are similarities between global data protection laws and Oman’s rules around the reporting of personal data breaches.

The Oman PDPL states that controllers must inform the Ministry and data subjects alike of data breach incidents, in accordance with the controls and measures set out in the regulations. The regulations impose a 72-hour period, within which controllers must inform the Ministry once the breach has been made known, but only if the breach would threaten the rights of a data subject. Data subjects must also be informed within this time limit once the breach has been made known, provided that the breach would cause “serious harm or high risks” to the data subject.

The regulations further require controllers to create and maintain a record of processing activities, also in line with international practice, and provide a copy of this record to the Ministry upon request. The regulations also go into detail on what to include in this record of processing activities. Additionally, there is a requirement to put security systems and measures in place to protect the confidentiality of personal data, and to regularly test these systems and measures. Likewise, where certain documents are required to be retained, controllers are obliged to implement retention policies which specify retention purposes and time limits, along with any necessary technical measures to guarantee secure document retention.

Bertz added: “Oman entities need to move quickly to put their record of processing activities, retention policies, privacy policies, and security systems and measures in place to ensure compliance with the Oman PDPL.”

The Oman PDPL also provides for the cross-border transfer of personal data, with certain conditions in line with data protection best practice. The regulations require controllers wishing to transfer such data outside Oman to obtain the express consent to do so from data subjects, except where the controller is complying with an international obligation within an agreement that Oman is a signatory of, or where the data subject’s identity has been concealed, so that their data cannot identify or be linked to them in any way – for example, where the data has been anonymised.

Notably, the regulations neither rely on the international practice of adequacy decisions to facilitate cross-border personal data transfers to certain jurisdictions, nor do they make reference to commonly used safeguards for such data transfers, such as standard contractual clauses favoured by policymakers like the European Commission or the DIFC. Instead, controllers must ensure that third-party processors meet an adequate degree of protection in respect of the data being transferred to them, by conducting their own assessment of said processors. This assessment must be shared with the Ministry upon request. The regulations also provide further details on the format of the assessment.

The regulations further set out controls that businesses must have in place when processing children’s data, including stipulations on the processing being “limited to the minimum amount of personal data needed to achieve the intended purpose”, and on further restrictions regarding the disclosure of said data.

The regulations also expand upon controller obligations towards data subjects, such as the need to obtain consent before processing or transferring data, and before sending any advertising or marketing material to the data subject. In addition, the regulations clarify that when asked to cooperate with the Ministry, controllers and processors must submit any documents or information requested of them, in accordance with prescribed timelines – for instance, requests from the Ministry to submit documents must be complied with within 30 days from the date of the request.

Businesses that breach the provisions of the regulations can be subject to a range of administrative penalties. The regulations provide for the issuing of warnings, suspension or cancellation of permits, and fines of up to 2,000 Omani rials ($5,200) for breaching the regulations. In comparison, the Oman PDPL contains additional, and much more substantial, penalties for breaching the Oman PDPL, with fines reaching up to 500,000 Omani rials ($1.3m).