February 26, 2023

All You Need to Know About the 2023 Oman Data Protection Law

The Oman Personal Data Protection Law (PDPL) came into effect in February 2023, introducing new legal requirements for businesses that process personal data. The law is based on the opt-in principle: a business may process personal data only if the data subject consents or if another legal basis recognised by the law applies. This brings the PDPL close to the General Data Protection Regulation (GDPR) in the European Union. However, there are nuances that make this law different, which is precisely what this article explores.

What is personal data under the Oman PDPL?

Personal data under the Oman PDPL is any information that identifies a natural person, or can be used to identify one, directly or indirectly. This includes name, email address, government-issued identification numbers, phone numbers, and home address, as well as browsing behavior, IP address, health data, or anything else that could directly or indirectly point to a specific person. Health data, financial data, data about sex life, political or religious beliefs, and similar categories are defined as sensitive personal data and are subject to a special regime (see the section on permits below).

Does the Oman PDPL apply to your business?

The Oman PDPL applies to your business if it is registered in Oman or if you offer products or services to Omani residents. It follows the same territorial principle as other data protection laws.

What are data controllers and data processors under the Oman PDPL?

The data controller is the natural or legal person who determines why and how personal data is processed. For example, an e-commerce store that chooses to use Google Analytics and Facebook Pixel on its website is the data controller, because it decides why the data is processed, how it is processed, and with whom it is shared. Google and Facebook, in this scenario, act as data processors: they are service providers that process the data only on behalf of, and on the instructions of, the e-commerce store.

What is an Oman PDPL privacy policy?

The PDPL prescribes the minimum information that businesses need to provide to data subjects. The privacy policy must include at least the following:

  • Details of the data controller
  • Contact details of the Data Protection Officer (DPO)
  • Purposes for data processing
  • Description of the processing activities, including the third parties with whom data is shared
  • Details on data subject rights and how to exercise them
  • Any other information that may be of importance to the data subject

However, this is just the minimum requirement. Businesses are encouraged to share more information with their customers and be transparent about how they handle their data. The privacy policy should be easy to understand for the average internet user and written in plain language.

Do I need to obtain explicit consent for data processing?

Consent is the default legal basis for processing under the Oman PDPL: unless another legal basis applies, you must obtain explicit consent from users before processing their personal data. The law recognises a limited set of situations in which personal data can be collected and processed without consent, including the following:

  • Execution of a contract with the data subject
  • Data subject’s vital interests
  • Public interest
  • Protection of the economic or financial interests of the country
  • Legal requirement
  • Processing for family or household purposes
  • Processing for historical, statistical, or economic research

The consent must be:

  • Freely given
  • Specific to each processing purpose
  • Informed, which means that the user must be told about the processing beforehand
  • Unambiguous, which means that the user must take affirmative action to grant consent

In addition, you must allow users to withdraw consent as easily as they have given it.

What is the Oman PDPL permit for sensitive data processing?

Sensitive personal data is subject to a special PDPL regime. Meeting the general data processing requirements (a legal basis, a compliant privacy policy, and so on) is not enough on its own.

Businesses that process health data, genetic data, financial data, information about the personal life of the data subject, and other sensitive personal data must obtain a permit from the Ministry (the Ministry of Transport, Communications and Information Technology, the competent authority under the law) before processing the data.

Merely collecting such data without a permit is a violation and may result in penalties ranging from OMR 20,000 to OMR 100,000 (around $52,000 to $260,000).

What are the data subject rights under the Oman PDPL?

The Omani PDPL grants data subjects the following rights:

  • Right of access to their personal data
  • Right to know how their personal data is being processed
  • Right to request correction of their personal data
  • Right to request deletion of their personal data
  • Right to revoke consent for data processing
  • Right to data portability

Once you receive a data subject request to exercise any of these rights, you must honor it. More detailed rules on the methods for receiving and responding to such requests, including time limits, are expected in the future.

How to comply with international data transfer rules under the Oman PDPL?

An international data transfer occurs whenever personal data is transferred across the borders of Oman. The rules around this are not yet clear. The PDPL forbids cross-border transfers where the data subject could suffer harm of any kind as a result of the processing abroad, but it remains to be seen how the competent bodies will interpret this provision in practice.

What to do in the case of a data breach under the Oman PDPL?

If a data breach occurs, you must report it to both the data protection authority and the affected individuals. Affected individuals must be told the nature of the breach, its possible consequences, and the mitigation measures taken. The notification to the data protection authority must be more detailed and include who has been affected, a description of the breach, and the contact details of the DPO.

Do I need a DPO?

The Oman PDPL provides for the appointment of a DPO. It is not yet clear whether every business must appoint one, or only businesses meeting certain criteria.

DPO duties include monitoring data processing activities within the organization and advising on compliance with the PDPL. The DPO must be independent in their work, properly trained, and provided with enough resources to do the job.

Your DPO can be an employee or an outsourced DPO.

What happens if we do not comply with the Oman PDPL? What are the penalties?

Oman PDPL penalties are severe and can reach a monetary fine of up to OMR 500,000 (around $1.3 million). For some violations, there is also a criminal penalty of up to one year in prison.

The severity of the penalty depends on the actual violation.
