Oman has recently enacted a new personal data protection law, Royal Decree No 6/2022 (DP Law), to regulate the processing of personal data in the Sultanate of Oman.
The DP Law was issued on 9 February 2022 and will come into effect on 13 February 2023. The executive regulations (Regulations), which will clarify various elements of the DP Law, are yet to be released by the Ministry of Transport, Communications and Information Technology (Ministry). The Regulations are expected to be issued within this period (i.e. before February 2023).
The DP Law follows a trend of new data protection laws in the Middle East. It repeals and replaces Chapter Seven of the Electronic Transactions Law (Royal Decree No 69/2008), which had included limited provisions on the protection of personal data in electronic transactions, as well as any other provisions of law that conflict with the DP Law.
WHO DOES THE LAW APPLY TO?
The DP Law applies to the processing of personal data which is defined as "Data that makes a natural person identified or identifiable directly or indirectly, by reference to one or more identifier(s)". Such identifiers include a person's name, ID number, location data or data relating to their genetic, physical, mental, physiological, social, cultural or economic identity.
There are a number of excluded categories in which the DP Law will not apply:
- Protection of national security or the public interest;
- Implementation by the units of the administrative apparatus of the State and other public legal persons of the competencies prescribed for them by law;
- Performance of a legal obligation imposed on the controller under any law, judgment or decision of a court;
- Protection of the economic and financial interests of the State;
- Protection of a vital interest of the data subject;
- Detection or prevention of a crime based on an official written request from the investigation authorities;
- Executing a contract to which the data subject is a party;
- If the processing is in a personal or family context;
- For the purposes of historical, statistical, scientific, literary or economic research by the authorities authorized to carry out such works, provided that no indication or reference related to the data subject is used in the research or statistics they publish, to ensure that the personal data is not attributed to an identified or identifiable natural person; and
- If the data is available to the public in a manner that does not violate the provisions of the DP Law.
WHAT IS ACTUALLY INCLUDED?
Many elements of the DP Law are consistent with other modern data protection regulations (with some notable differences). Some key provisions include:
Notification – Prior to processing personal data, the data controller (a person who determines the purpose and means of processing personal data) is required to issue a notice to the data subject setting out certain mandatory information including the purpose of processing their data, details of the controller and processor (a person who processes personal data on the controller's behalf), the rights of the data subject as well as the degree of disclosure of that data.
Consent – One of the key principles of the DP Law is that personal data can only be processed "within a framework of transparency, honesty and respect for human dignity" and (except where one of the excluded categories mentioned above applies) after obtaining the express written consent of the data subject. The DP Law also states that written consent of the data subject is required for sending advertising and marketing material to such data subjects. Consistent with the new data protection legislation that was recently introduced in the United Arab Emirates and Kingdom of Saudi Arabia, the DP Law does not allow for processing on the basis of a data controller's "legitimate interests" as found in other international legislation such as the European GDPR.
Rights of Data Subjects – Data subjects are granted various rights under the DP Law. These include the right to transfer their personal data to another controller; to have their personal data erased; to obtain a copy of their processed personal data; to revoke their consent and to amend, update or block their personal data; and to be notified of any breach or infringement of their personal data.
Sensitive Personal Data – There is a general restriction on processing of "sensitive" personal data (such as genetic and biometric data, health data, or data relating to ethnic origin, sex life, political or religious opinions or beliefs, criminal convictions, or security measures) without first obtaining approval from the Ministry (this is not found in the European GDPR). Processing of children's personal data is not permitted without express consent from their guardian unless the processing is required for the child's best interests.
Data Controller and Processor Obligations – The DP Law requires controllers (and not processors) to appoint a data protection officer, maintain records, and implement controls and procedures to protect personal data. Both controllers and processors must cooperate with the Ministry and may be required to appoint external auditors to verify their compliance with the DP Law.
International Transfers – The DP Law allows for the transfer of personal data outside of Oman only in accordance with "controls and measures specified in the Regulations"; however, no transfer may take place if it would cause harm to the data subject.
Notification of Breach – If a personal data breach occurs which leads to "destruction, alteration, disclosure, access or illegal processing" then the controller is required to inform the Ministry and data subjects in accordance with the controls and measures to be specified in the Regulations.
WHAT ARE THE CONSEQUENCES FOR BREACHING THE DP LAW?
Data subjects have the right to file a complaint with the Ministry if they consider that the processing of their personal data is not in compliance with the DP Law. Additionally, the Ministry may, if it suspects a violation of the DP Law, order correction and erasure of personal data, suspend processing, prevent transfers of personal data and take any other action it deems necessary to protect personal data (further details on this are expected in the Regulations).
There are various fines set out in the DP Law for different offences. The most significant fine is up to OMR 500,000 (approx. USD 1,300,000) for the unlawful transfer of personal data outside of Oman. Liability is not restricted to corporate entities: natural persons may also be subject to criminal liability for breach of the DP Law (including breaches caused by negligence).
WHAT CAN YOU DO TO PREPARE?
All businesses that are covered by the DP Law (i.e. operating in Oman and/or processing personal data of data subjects in Oman) are recommended to audit their existing data use in order to update processes, contracts, notices, policies and employee awareness to ensure compliance with the DP Law.
Any business with a global privacy program should expand it to include Oman, and we would strongly recommend taking appropriate steps now to ensure compliance as soon as possible:
Audit: Undertake an audit of your processing activities to ensure that any personal data that is being processed is relevant, accurate and being processed pursuant to a legal basis set out in the DP Law. Audits are crucial to start populating registers of processing activities that record personal data use and demonstrate compliance and accountability.
Supply Chain Management: If you outsource any of your processing activities (e.g. payroll, HR, recruitment, direct marketing, employee benefits) then you may need to enter into data processing agreements with suppliers to ensure compliance with the DP Law. Audits of the supply chain are essential.
Training: Undertake staff training to ensure that changes are understood and to explain what is expected of staff when handling personal data.