Oman Personal Data Protection Law

On 9 February 2022, Oman issued its first comprehensive personal data protection law to regulate the processing of personal data. It is a highly significant legislative development that grants significant rights and protection to individuals in Oman. In this article, we highlight some of the most noteworthy provisions prescribed in the personal data protection law.

Oman Sultani Decree No. 6/2022 Promulgating the Personal Data Protection Law will come into force one year after its publication in the Official Gazette (i.e., on 13 February 2023). The Executive Regulations, to be issued by the Ministry of Transport, Communications and Information Technology (MOTCIT), will supplement the provisions of Oman Sultani Decree No. 6/2022 and are expected to be issued prior to Oman Sultani Decree No. 6/2022 coming into force. Oman Sultani Decree No. 6/2022 replaces and repeals Chapter 7 of Oman Sultani Decree No. 69/2008 on the Promulgation of the Electronic Transactions Law, as amended, which included limited and inadequate provisions relating to the processing of personal data.

Oman Sultani Decree No. 6/2022 is comprised of 32 articles divided into five chapters as follows:

  • Chapter 1: Definitions and general provisions (Articles 1-6 of Oman Sultani Decree No. 6/2022)
  • Chapter 2: Duties and powers of the MOTCIT (Articles 7-9 of Oman Sultani Decree No. 6/2022)
  • Chapter 3: Rights of the owner of personal data (Articles 10-12 of Oman Sultani Decree No. 6/2022).  A reference to the Owner shall be construed as referring to the owner of personal data.
  • Chapter 4: Obligations of the controller and the processor (Articles 13-23 of Oman Sultani Decree No. 6/2022)
  • Chapter 5: Penalties for the violation of the provisions of Oman Sultani Decree No. 6/2022 (Articles 24-32 of Oman Sultani Decree No. 6/2022)

Application of Oman Sultani Decree No. 6/2022

Oman Sultani Decree No. 6/2022 applies to the processing of personal data, which is defined in Article 1 of Oman Sultani Decree No. 6/2022 as “any data through which an individual is identified or may be identified whether directly or indirectly by referring to one or more identifiers…”. This includes identifiers such as an individual’s name, civil identification number, electronic identifying data or other data specific to an individual’s genetic, physical, mental, psychological, social, cultural or economic identity. Processing includes collection, recording, analysis, organization, storage, amendment, modification, retrieval, review, coordination, consolidation, withholding, removal, destruction or disclosure, by sending, distributing, transporting, transferring or otherwise making available.

The provisions of Oman Sultani Decree No. 6/2022 do not apply to the processing of personal data in the following cases, according to Article 3 of Oman Sultani Decree No. 6/2022:

a) protection of national security or public interest;

b) execution by the units of the Administrative Apparatus of the State and other public legal persons of their competencies prescribed to them by law;

c) enforcement of a legal obligation imposed on the controller under any law, judgment, or court decision;

d) protection of the economic and financial interests of the State;

e) protection of a vital interest of the Owner;

f) detection or prevention of a crime on the basis of an official written request by the investigating authorities;

g) execution of a contract to which the Owner is a party;

h) if the processing of data is carried out in a personal or a family context;

i) for the purposes of historical, statistical, scientific, literary, or economic research, by those authorized to carry out such works, provided that no indication or reference related to the Owner is used in their published research and statistics, to ensure that the personal data is not attributed to a defined or identifiable natural person; and/or

j) if the data is publicly available in a manner that does not violate the provisions of Oman Sultani Decree No. 6/2022.

Rights of the Owner

Consent

Oman Sultani Decree No. 6/2022 requires personal data to be processed within the framework of transparency, honesty, and respect for human dignity. To this effect, personal data may not be processed without the express consent of the Owner, as per Article 10 of Oman Sultani Decree No. 6/2022. Any request for the processing of personal data must be in writing, in a clear, explicit and understandable manner. Similarly, processing a child’s personal data without the approval of their guardian is not permitted, except if such processing of personal data is considered to be in the child’s best interests, according to Article 6 of Oman Sultani Decree No. 6/2022.

Sensitive personal data

Under Article 5 of Oman Sultani Decree No. 6/2022, there is a general restriction on the processing of certain data without obtaining an authorization from the MOTCIT. The restriction covers the processing of genetic and biometric data, health data, data relating to ethnic origin, sexual life, political or religious opinions or beliefs, or criminal convictions, and data relating to security measures.

Other rights

Owners also enjoy a range of rights in relation to the processing of their personal data under Article 11 of Oman Sultani Decree No. 6/2022. This includes the right:

• to obtain a copy of their processed personal data;

• to amend, update or withhold personal data;

• to revoke their consent given in respect of the processing of their personal data;

• to request the transfer of their personal data to another controller;

• to request the deletion of their personal data; and

• to be notified of any breach or infringement of their personal data and the measures taken in this regard.

Importantly, the Owner has the right, under Article 12 of Oman Sultani Decree No. 6/2022, to submit a complaint to the MOTCIT if the Owner considers that their personal data has not been processed in accordance with the provisions of Oman Sultani Decree No. 6/2022.

We expect that the Executive Regulations will provide further guidance on the exercise of these rights by the Owners.

Obligations of Controllers and Processors

Oman Sultani Decree No. 6/2022 sets out certain obligations applicable to Controllers and Processors. Article 1 of Oman Sultani Decree No. 6/2022 defines a Controller as “the person who determines the purpose and means of the processing of personal data, and carries out the processing himself or entrusts it to someone else” and a Processor as “the person who processes personal data on behalf of the controller”.

For example, prior to processing any personal data, Controllers must inform the owner of personal data in writing of the following information, according to Article 14 of Oman Sultani Decree No. 6/2022:

a) the controller and processor details;

b) the contact details of the personal data protection officer;

c) the purpose of processing personal data and the source from which the data was collected;

d) a comprehensive and accurate description of the processing of personal data and its procedures, and the degrees of disclosure of the personal data;

e) the rights of the Owner, including the right to access, amend, transfer, and update the data; and

f) any other information that might be necessary to fulfil the processing requirements.

Controllers are also required, under Article 19 of Oman Sultani Decree No. 6/2022, to notify the MOTCIT and the Owner of any breach which may result in the destruction, alteration or unlawful disclosure, access, and processing of personal data. Furthermore, Article 20 of Oman Sultani Decree No. 6/2022 requires a controller to appoint a Personal Data Protection Officer. The appointment must be made in accordance with the conditions of the Executive Regulations.

Other obligations imposed on both controllers and processors include:

  • maintaining records, as per Article 17 of Oman Sultani Decree No. 6/2022;
  • ensuring confidentiality of personal data, as per Article 21 of Oman Sultani Decree No. 6/2022;
  • cooperating with MOTCIT and providing any information and documents required by MOTCIT to exercise its authority under Oman Sultani Decree No. 6/2022, as per Article 18 of Oman Sultani Decree No. 6/2022; and
  • appointing an external auditor at the request of MOTCIT to ensure that processing of personal data is made in accordance with Oman Sultani Decree No. 6/2022, as per Article 16 of Oman Sultani Decree No. 6/2022.

Transfer of data

Personal data may only be transferred outside Oman in accordance with the controls and measures specified in the Executive Regulations, according to Article 23 of Oman Sultani Decree No. 6/2022. That being said, Article 23 of Oman Sultani Decree No. 6/2022 prohibits the transfer of personal data where data is being processed contrary to the provisions of Oman Sultani Decree No. 6/2022 or where it would result in harm to the Owner.

Penalties

To protect the rights of the Owner, the MOTCIT may issue warnings to controllers and processors who violate the provisions of Oman Sultani Decree No. 6/2022, order correction or removal of personal data, suspend the processing of personal data either temporarily or permanently, and suspend the transfer of data to another country or an international organization, as per Article 8 of Oman Sultani Decree No. 6/2022.

Chapter Five of Oman Sultani Decree No. 6/2022 contains a wide range of fines in the event of non-compliance, the most substantial ranging from OMR 100,000 to OMR 500,000 for the violation of Article 23 of Oman Sultani Decree No. 6/2022, which relates to data transfers.

It is worth noting that the penalties provided in Oman Sultani Decree No. 6/2022, according to Article 24 of Oman Sultani Decree No. 6/2022, are without prejudice to any more severe penalty prescribed under Oman Sultani Decree No. 7/2018 on the Issuance of the Penal Code or any other law. Penalties for breach of Oman Sultani Decree No. 7/2018 extend to both fines and imprisonment.

Sectoral laws

While Oman Sultani Decree No. 6/2022 repeals Chapter 7 of Oman Sultani Decree No. 69/2008, certain sectoral laws and regulations will continue to apply to the relevant sectors to the extent not inconsistent with Oman Sultani Decree No. 6/2022. Examples of laws that will still apply are provided below:

Oman Sultani Decree No. 30/2002 Promulgating the Telecommunications Regulatory Law

Subject to certain exceptions, under Article 5 of Oman Sultani Decree No. 30/2002, it is not permissible to monitor, inspect, or take advantage of, any type of “telecommunications”, or to reveal the confidentiality of such telecommunications, without a prior order from the concerned court. According to Article 1 of Oman Sultani Decree No. 30/2002, telecommunications covers:

“every conveyance, emission, transmission or reception of signals or symbols or signs or texts or visual and non-visual images or sounds or data or information of any nature by wire, radio, optical system, or other electro-magnetic or electronic systems.”

In addition, internet service providers must maintain confidentiality in respect of the services provided to customers and customer data. Internet service providers are prohibited from compromising or disclosing customer data unless ordered to do so by a court, according to Article 1 of Oman Sultani Decree No. 30/2002.

Subject to certain exceptions, it is an offence under Article 61(2)(B) of Oman Sultani Decree No. 30/2002 for a person who uses telecommunications equipment or media (inter alia) to disclose the confidentiality of any data related to the message content or its sender or the addressee, that might have come to their knowledge by reason of using such equipment or media.

Oman Decision No. 113/2009 Issuing Regulations on Protection of Confidentiality and Privacy of Beneficiary Data

Under Article 1 of Oman Decision No. 113/2009, telecommunications licence holders in Oman may only request private data from customers if the data is necessary to provide the service requested by that customer. The licence holder must inform the customer of the purpose of the request and of the possibility of the licence holder processing or retaining the data.

Licence holders must obtain the customer’s written consent to exchange or publish the customer’s data with a subsidiary company or a third party, as per Article 3 of Oman Decision No. 113/2009. The licence holder must also ensure the exchanged or published data is only used for the specified purpose and within the permitted limits. The licence holder may also not lease or sell customer data to any person or entity that is not involved in providing the relevant service to the customer, according to Article 5(b) of Oman Decision No. 113/2009, or request information that is not related to the provision of the relevant services, according to Article 5(c) of Oman Decision No. 113/2009. In addition, under Article 2 of Oman Decision No. 113/2009, telecommunications companies must:

a) use customer data only for the purposes specified in, and in compliance with, Oman Decision No. 113/2009;

b) limit access to authorized employees;

c) take all necessary technical and professional measures to protect the licence holder’s systems and networks and prevent access or disclosure by unauthorized employees;

d) issue procedures/regulations, which must be pre-approved by the TRA, to be followed by the licence holder to protect confidentiality and privacy (which procedures/regulations are to be published on the licence holder’s website and provided to customers requesting service);

e) update customer data when needed;

f) inform the customer of any person or entity from which the licence holder obtains the customer’s data and the period the licence holder will retain the data;

g) inform the customer of any breaches or safety hazards affecting or likely to adversely affect the safety of their data or which may lead to disclosure of the data to third parties;

h) permit the TRA to access the customer’s data or disclose the data upon the TRA’s request in accordance with Oman Decision No. 113/2009; and

i) delete or block any data that is inconsistent with Oman Decision No. 113/2009.

Article 5(c) of Oman Decision No. 113/2009 prohibits telecommunications companies from retaining customer data for more than three months after the customer’s contract has expired unless authorized to do so by the TRA.

Under Article 6 of Oman Decision No. 113/2009, a licence holder is responsible for the actions of and breaches by third parties with whom it exchanges the customer’s data under Oman Decision No. 113/2009.

Other sectoral laws

There are also other sectoral laws that contain limited data and privacy protection provisions, such as Oman Sultani Decree No. 114/2000 promulgating the Banking Law, as amended, and Oman Sultani Decree No. 75/2019 on the Issuance of the Law on the Regulation of the Medical Profession and Medical Assistant Professions, as amended.

Originally published as a Legislative Insight on LexisNexis Middle East Online.