Guidance on the Executive Regulation of the Personal Data Protection Law in Oman

‍1.             Introduction

The Executive Regulation of the PDPL defines key terms and concepts, specifies roles and responsibilities of  controllers, processors, and data protection officers. A data controller is defined as the person who determines the purpose and means of the processing of personal data and carries out this processing himself or entrusts it to someone else. Processor is defined as the person who processes personal data on behalf of the controller. A data protection officer is an officer appointed by the controller and who, amongst other things, follows implementation of the policies of the controller or processor relating to the protection of personal data.

The Executive Regulation also sets conditions for obtaining data subject consent, establishes procedures for notifying and reporting data breaches, and outlines the rights and obligations of data subjects, controllers, processors, and data protection officers.

2.             Key Updates

The Executive Regulation introduces several key updates and clarifications to the PDPL, such as:      

• The requirement to obtain explicit consent from the data subject before processing their personal data and the requirements for such consent to be considered valid.

• The requirements to obtain a permit from the Ministry before processing any sensitive personal data (such as, biometric and health data), and the procedures and conditions for obtaining, renewing, amending, and cancelling the permit.

• The requirement to obtain explicit consent from the child guardians before processing their data. The Executive Regulation further imposes specific control measures for child data, emphasizing limited collection and purpose-driven use. Furthermore, the disclosure to third parties requires their explicit consent, further safeguarding children's sensitive data.

• The procedures for data subjects to exercise their rights under the PDPL and the timeframe for controllers to respond to any requests related to exercising these rights. Additionally, the Executive Regulation specifically defines the grounds for data erasure requests and the exceptions where a controller may deny such a request.

• The obligations of the controller and the processor, such as:

1. having and making available a personal data protection policy, obtaining the consent of the data subject for sending any advertising, marketing, or commercial material, guaranteeing the confidentiality of personal data, and retaining the documents of the processing operations.
2. The requirement to establish a special register for personal data processing activities, which includes the details of the personal data protection officer, the categories of personal data processed, the entities and places to which the data are disclosed or transferred, the systems and measures for managing and protecting the data, and any data breaches that occurred and the actions taken to address them.

• The requirement to notify the relevant department at the Ministry and the data subject (if the breach causes serious harm and pose a high risk on the data subject) within 72 hours of becoming aware of a personal data breach, if the breach is capable of leading to a risk to the data subject, and the content and format of the notification.

• The requirement to conduct an evaluation of the level of protection provided by the external processor and the risks of transporting or transferring personal data outside the borders of Oman, and the conditions and exceptions for obtaining the consent of the data subject for such transportation or transfer of data.

• The requirement to appoint a personal data protection officer, who is qualified, competent, and independent, and who is responsible for providing advice, guidance, and support to the controller or processor in relation to their data protection obligations.

• The complaints and penalties for violating the provisions of the Executive Regulation, such as submitting a complaint or a report to the relevant department at the Ministry, filing a grievance to the Minister, and imposing administrative fines or cancelling the permit.

3.             Action Points for Clients

The Executive Regulation of the PDPL in Oman imposes new and stricter obligations and responsibilities on the  controllers and processors, and grants more rights and protections to the data subjects. Therefore, clients who control and process personal data need to  consider the following action points:

• Review and update their personal data protection policies and practices to ensure compliance with the Executive Regulation.

• Apply for a permit from the Ministry before processing any sensitive personal data, and renew, amend, or cancel the permit as required, and pay the prescribed fees.

• Obtain the explicit consent of the data subject before processing his personal data, and provide clear and accurate information about the purpose, scope, and duration of the processing, and the entities and places to which the data will be disclosed or transferred.

• Appoint a personal data protection officer, who is qualified, competent, and independent, and who is responsible for providing advice, guidance, and support to the controller or processor in relation to their data protection obligations.

• Establish a special register for personal data processing activities, and update and submit it to the relevant department at the Ministry whenever requested.

• Notify the relevant department at the Ministry and the data subject (if the breach causes serious harm and pose a high risk on the data subject) within 72 hours of becoming aware of a personal data breach, if the breach is capable of leading to a risk to the data subject and take appropriate measures to mitigate the effects of the breach.

• Conduct an evaluation of the level of protection provided by the external processor and the risks of transporting or transferring personal data outside the borders of Oman, and obtain the consent of the data subject for such transportation or transfer, unless exempted by the Executive Regulation.

• Respect and respond to the rights of the data subject, such as the right to access, rectify, erase, transport, and provide the data subject with a copy of his processed personal data in a readable and clear format.

• Comply with the obligations of the controller and the processor, such as making available a personal data protection policy, obtaining the consent of the data subject for sending any advertising, marketing, or commercial material and guaranteeing the confidentiality of personal data.

• Submit any reports to the relevant department at the Ministry, respond to any complaints, or file any grievances to the Minister, in case of any violation of the provisions of the Executive Regulation, and cooperate with the relevant department at the Ministry in resolving any disputes or issues related to the processing of personal data.

4. Conclusion

The recently promulgated Executive Regulation of the PDPL in Oman represents a significant development for the country's data protection regime. It introduces key updates and clarifications to the law, aiming to protect individuals' rights and freedoms regarding their personal data, ensure lawful and fair processing, and enhance data security and confidentiality.

This guidance  provides a high-level overview of the Executive Regulation's key updates and outlines what actions clients will need to take to comply.

We will publish a more in-depth analysis of the Executive Regulation in due course. In the meantime, please feel free to reach out to a member of our team with any questions regarding the Executive Regulation and its potential impact on you.

Disclaimer: The information contained in this guidance is intended for general informational purposes only and does not constitute legal advice. This guidance is based on the legislation in force as of the date of publication and may not reflect subsequent changes or developments. The authors and Said Al-Shahry & Partners Advocates and Legal Consultants are not responsible for any errors or omissions in the content or for the results obtained from the use of this information. Readers should consult a qualified legal professional before acting upon any information contained in this guidance. No attorney-client relationship is created by accessing or using this guidance.