Thursday, March 31, 2022

Omani Personal Data Protection Law

Oman has recently issued a national privacy legislation with the publication of a new Personal Data Protection Law, promulgated by Sultani Decree 6/2022 (the “Law”). The Law was issued on 9 February 2022, and will come into effect on 13 February 2023. The Law will repeal Chapter Seven of the Electronic Transactions Law that limited obligations related to the protection of private data in the field of electronic transactions. The issuance of this Law in Oman follows the recurring trend of data protection regulations in the Middle East. 

Who It Applies To 

The Law applies to the processing of personal data, which is defined as “data that identifies a natural person or makes him identifiable, directly or indirectly, by reference to one or more identifiers.” This consists of the name of the person, ID number, location data or data relating to their genetic, physical, mental, psychological, social, cultural or economic identity. 

Who It Does Not Apply To 
  • The Law includes a substantial list of excluded categories to which the provisions of the Law will not be applicable: 
  • Protection of national security or public interest. 
  • Implementation of the units of the administrative apparatus of the state and other public legal persons of the competences prescribed to them by law. 
  • Implementation of a legal obligation imposed on the controller by virtue of any law, judgment, or decision by the court. 
  • Protection of the economic and financial interests of the state. • Protection of a vital interest of the individual to whom personal data relates (data subject). 
  • Detection or prevention of a crime on the basis of a formal written request by the investigation entities. 
  • Execution of a contract to which the data subject is a party. • If the processing is within the personal or family sphere. 
  • For the purposes of historical, statistical, scientific, literary, or economic research, by entities authorised to carry out such works, provided that no indication or reference relating to the data subject is used in the published research and statistics, to guarantee that the personal data is not attributed to an identified or identifiable natural person.
  • If the data is available to the public in a manner that does not impose any violations against the provisions of the Law.
Main Features

Organisations are under the obligation to process personal data within the framework of transparency,
honesty, and respect for human dignity and to grant individuals the right to revoke consent to processing of their personal data, the right to request for their personal data to be amended or erased, the right to have a copy of their personal data and the right to have personal data transferred to another party.

Controllers are required to identify a personal data protection officer.  In addition, there will be controls
on transfers of personal data outside of Oman.  Controllers and all third parties that are appointed to process  the  personal  data  may  be  required  by  the  Ministry  of  Transport,  Communications  and Information Technology to appoint an external auditor in order to verify their compliance. 

A general restriction is placed on the processing of sensitive personal data (genetic and biometric data,
health data, ethnic origin, sex life, political/religious opinions or beliefs, criminal convictions, security measures) without initially obtaining an approval from the Ministry of Transport, Communications and Information  Technology.    Furthermore,  the  processing  of  a  child’s  personal  data  will  not  permitted without the express consent from the guardian unless the processing of such data is in the best interest of the child. 

The executive regulations that will be published in due course will provide further clarifications to the
extent of the requirements and restrictions. 

Consequences of Breach

Data subjects hold the right to file an official complaint to the Ministry of Transport, Communications
and Information Technology if they believe that the processing of their personal data is in breach of the Law.  Furthermore, the Ministry of Transport, Communications and Information Technology has the discretion, in the case that it suspects a violation of the Law, to order rectification and erasure of personal data.

The penalties in relation to the disclosure of secrets or any other applicable privacy offence under the
Oman Penal Law and other laws will continue to be in effect.