Oman issues Executive Regulations to the Personal Data Protection Law

On 28 January 2024, Oman’s Ministry of Transport, Communications & Information Technology issued the Executive Regulations to the Oman Personal Data Protection Law (PDPL). The Executive Regulations clarify a number of the requirements under the PDPL, including in relation to personal data breaches, consent, data transfers and authorisation for processing. Companies that are subject to the PDPL have one year from 5 February 2024 to adjust their data processing activities in accordance with the Executive Regulations.

The Executive Regulations expand on the principles and obligations set out in the PDPL, which was issued in February 2022 (see our briefing here). In this article, we provide an overview of the main features of the Executive Regulations and the PDPL and considerations for organisations doing business in Oman. 

What are the key requirements of the PDPL and the Executive Regulations?

• Consent: Unlike international data protection laws that provide several lawful bases for processing personal data, the PDPL requires the express consent of data subjects prior to processing their data unless the processing relates to any of the excluded circumstances (which include the execution of legal obligations, protection of vital interest or execution of a contract to which the data subject is a party). Where consent is required, the Executive Regulations clarify that such consent must be provided by a person having full capacity, the consent should be clearly given and not forced, and it should be provided by way of a written statement or by any electronic means or other means as determined by the controller. Companies therefore will need to ensure they have implemented appropriate consent management procedures to collect consent from data subjects in accordance with the PDPL and the Executive Regulations. 
• Authorisation for sensitive data: The PDPL requires companies to obtain an authorisation from the Ministry to process genetic data, biometric data, health data, data relating to racial origin, political or religious opinions and criminal convictions. The Executive Regulations set out the procedure for obtaining such authorisation. A controller must submit specific information as part of the application, including in relation to the purposes of processing, the recipients of the data (and any processor engaged to process the data) and any other details requested by the Ministry. A privacy policy and the precautionary measures adopted by the controller in case of personal data breaches must also be submitted as part of the application. The relevant department within the Ministry will review and determine the outcome of the application within 45 days from the submission of all documents. If no response is received within this time period, this should be construed as a rejection. Applicants may appeal to the Minister within 60 days of being informed of the decision. An authorisation will last for five years, after which companies will need to renew it for a similar period. Any changes in the details contained in an authorisation application should be notified to the department within 15 days. 
• Data subject rights: Data subjects are provided with several rights under the PDPL, including the right to withdraw consent, to have personal data corrected, updated or blocked, to obtain a copy of their personal data, to transfer the data to another controller and to request erasure of their personal data. The Executive Regulations confirm that controllers must respond to a data subject’s request to exercise their rights within 45 days of receipt of the request. During this time, the data subject may request the controller to cease processing his/her personal data until the request is dealt with. The Executive Regulations further specify certain limitations for complying with data subject requests and cases where a controller may reject a request (e.g. if compliance with the request would require extraordinary effort).  
• Privacy policy: Organisations must provide data subjects with specific information prior to processing any personal data. This includes the details of the controller and personal data protection officer, the purposes of processing, a description of the processing and disclosures of the data, the rights of data subjects available under the PDPL and any other information that may be necessary to fulfil the conditions for processing. The privacy policy must be made available to the data subject in a conspicuous place before processing their data. 
• Marketing and advertising: The Executive Regulations provide that the written consent of data subjects is required to send advertising, marketing or commercial materials. Organisations must also provide specified information to data subjects in relation to such marketing and implement a mechanism for data subjects to unsubscribe from such materials. 
• Records of processing activities (ROPA): Controllers and processors must create a special record of personal data processing activities, which includes minimum information as set out in the Executive Regulations, such as a description of the personal data and persons authorised to access the data, the period during which the personal data is processed, the purposes of processing and the recipients of the data. 
• Notifying personal data breaches: If a personal data breach is likely to endanger the rights of the data subject, it must be notified to the relevant department in the Ministry within 72 hours after the controller has become aware of the breach. The controller must also notify affected data subjects within 72 hours after becoming aware of the breach if is likely to cause “severe damage or high risks” to the data subject.
• Processing children’s data: The Executive Regulations clarify the requirements for processing personal data of children, including obtaining the express consent of the child’s parent before processing and ensuring that the processing is for a clear, straightforward and safe purpose using the minimum amount of personal data necessary to achieve such purpose. 
• Personal data protection officer (DPO): Controllers must appoint a DPO who is subject to specific controls specified in the Executive Regulations, including being qualified to carry out the tasks as specified in the Executive Regulations and being aware of the PDPL, the Executive Regulations and the personal data protection practices adopted by the controller or processor. The requirement for appointing a DPO appears to be mandatory for all controllers. 
• External auditors: Unlike other data protection laws, the PDPL requires controllers and processors to appoint an “external auditor” to ensure that the procedures for processing personal data have been carried out in accordance with the PDPL. The Executive Regulations state that such auditor should be an independent person that is chartered and licensed by the Ministry. Controllers and processors must make their records and systems and data available to the auditor as required for any audit. The Executive Regulations do not specify when such auditors need to be appointed and this appears to be a mandatory requirement for all organisations. Controllers and processors must provide the Ministry with a copy of the auditor’s report within 60 days from the date on which the auditor is appointed. 
• Data transfers: The Executive Regulations introduce restrictive requirements for data transfers that differ to other international data protection laws. Prior to transferring personal data outside Oman, controllers must obtain the “explicit consent” of the data subject, provided that the data transfer will not compromise the national security or supreme interests of Oman. Consent is not required where the transfer is necessary to comply with an international obligation under an agreement to which Oman is a party or the personal data is anonymised to conceal the identity of the data subjects. Controllers must also, prior to transferring personal data outside Oman, guarantee a level of protection not less than the protection provided by the PDPL and the Executive Regulations. Unlike other laws, where data protection authorities typically determine the level of protection provided by third countries, the onus is on controllers to conduct their own assessments of the level of protection provided by external processors and the risks of transfer of personal data to such processors. Such an assessment must include specific information as set out in the Executive Regulations. 

Consequences of non-compliance

The Ministry can impose administrative penalties in case of a breach of the provisions of the Executive Regulations, which include a warning; suspension of the sensitive data authorisation until the violation is rectified; an administrative penalty of not more than 2,000 Omani Riyals (approx. USD 5,000) for each violation; or the cancellation of any authorisation. 

The PDPL also contains a scale of fines for different offences rising to 500,000 Omani Riyals (approx. USD 1,300,000). Criminal penalties for disclosure of secrets or other privacy-related offences under the Oman Penal Law and other legislation will continue to apply. 

What should companies do next?

Organisations must align their activities in accordance with the Executive Regulations by 5 February 2025. 
Steps that organisations seeking to do business in or with Oman should take include: 

• Assessing the data processing activities relating to Oman to determine which activities are impacted by the PDPL and the Regulations and what operational changes may need to be taken to align with the law. 
• Obtaining senior management buy-in to implement the changes that may be required to adopt new or updated data protection frameworks. It is important that senior management understands the risks that may arise from non-compliance with the PDPL, including financial sanctions (such as potential fines and compensation claims), criminal penalties (under the Oman Penal Law and other laws) and reputational damage.
• Developing or reviewing policies, processes and contracts to take account of new rights and obligations, particularly the statutory deadlines for responding to data subject requests, the conditions for consent and information that should be provided to data subjects prior to processing.
• Appointing a DPO who is qualified to carry out the tasks specified in the Executive Regulations and engaging an external auditor as required by the PDPL.
• Identifying and documenting the personal data that they process in order to implement and maintain a ROPA.
• Implementing security breach policies and procedures to ensure compliance with the breach notification deadlines highlighted.

If you would like further information on how to create an effective privacy framework or advice on the PDPL and the Executive Regulations, please contact us.