
Oman’s Personal Data Protection Law (PDPL), promulgated through Royal Decree No. 6/2022 and supplemented by Ministerial Decision No. 34/2024, establishes a robust regulatory framework for protecting personal data. Businesses must fully align with the PDPL and its regulations by 5 February 2025. This article outlines the key provisions, compliance requirements, and practical steps for businesses to align with Oman’s data protection standards.

Scope and applicability

The PDPL applies to the processing of personal data, meaning any data that directly or indirectly identifies an individual, and covers entities operating within Oman as well as entities outside Oman that handle the data of Omani residents.

Certain exclusions apply, such as:

  • Processing for national security or public interest.
  • Historical, statistical, or scientific research (with anonymised data).
  • Personal or family use.

Key provisions

Data subject rights

The PDPL grants individuals the following rights:

  1. Access: Request access to their personal data.
  2. Correction: Amend or update inaccurate or incomplete data.
  3. Consent withdrawal: Revoke consent to further processing.
  4. Data portability: Have their data transferred to another controller.
  5. Erasure: Have their data deleted.

Controllers must respond to such requests within 45 days, a longer window than the one month allowed under comparable laws such as the GDPR.

Processing sensitive personal data

Processing sensitive personal data, which includes genetic, biometric and health data as well as data revealing political or religious views, requires a permit from the Ministry of Transport, Communications and Information Technology.

Businesses must submit a formal application to the Ministry, providing:

  • Details of the data processing
    • The classification of the sensitive data to be processed.
    • The purposes and justification for the data processing.
  • Supporting documentation
    • A copy of the organisation’s data protection policy.
    • Evidence of precautionary measures adopted to mitigate risks of a personal data breach.
  • Other required information
    • Any additional documents requested by the Ministry during the application process.

The Ministry is required to decide on the permit application within 45 days. Permits, once issued, are valid for a maximum of five years but can be revoked if the organisation violates the PDPL or its regulations.

Data breach notification

Reporting obligations

  • Notify the Ministry within 72 hours of a breach that threatens the rights of data subjects.
  • Notify the affected data subjects within the same 72-hour window if the breach is likely to cause them serious harm.

Documentation

Controllers must maintain a breach record, available to the Ministry upon request.

Appointment of officers

  • Data Protection Officer (DPO): Mandatory for all controllers, unlike the GDPR, which requires a DPO only in specific cases.
  • External auditor: Controllers and processors must appoint an external auditor to verify compliance, an additional administrative layer with no equivalent in the GDPR.

Cross-border data transfers

Conditions:

  • Cross-border transfers require the data subject's explicit consent unless the data is anonymised or the transfer is governed by an international agreement.
  • Controllers must ensure third-party processors provide adequate protection and document their assessments.

Children’s data

  • Processing must be limited to the minimum necessary.
  • Disclosure and marketing restrictions are in place to protect children.

Compliance timeline

Businesses must fully align with the PDPL and its regulations by 5 February 2025.

Immediate actions include:

  1. Conducting data audits.
  2. Implementing retention policies and security measures.
  3. Appointing a DPO and external auditor.
  4. Establishing mechanisms for managing data subject requests.
  5. Ensuring readiness for cross-border data transfer compliance.

Enforcement and penalties

Administrative penalties

Fines of up to 2,000 OMR (~$5,200) for regulatory violations.

Criminal penalties

Fines of up to 500,000 OMR (~$1.3 million) for severe breaches. Both organisations and the individuals responsible can be held liable for non-compliance.

How ITLawCo can help

At ITLawCo, we understand the complexities of Oman’s Personal Data Protection Law and the accompanying regulations. Our expert team offers tailored support to help businesses achieve compliance while minimising risk. Here’s how we can assist:

  1. Data protection audits: Comprehensive reviews of your data processing activities to identify gaps and ensure compliance.
  2. Policy development: Drafting and implementing privacy policies, retention policies, and security frameworks.
  3. DPO services: Providing outsourced DPO support to oversee compliance and handle regulatory obligations.
  4. Permit applications: Guiding businesses through the sensitive data permit application process, ensuring timely and accurate submissions.
  5. Training and awareness: Educating employees on PDPL requirements and best practices.
  6. Cross-border transfers: Assisting with assessments and documentation for international data sharing.
  7. Breach response: Helping establish breach notification protocols and managing incidents effectively.

Contact ITLawCo today to navigate Oman’s data protection landscape with confidence. Together, we can ensure your business not only complies but thrives in the era of robust data protection standards.