The New Executive Regulations of the Personal Data Protection Law of Oman
Technology, Media & Telecoms Focus
Earlier this year, the Minister of Transport, Communications and Information Technology issued new executive regulations to the personal data protection law of Oman (Ministerial Resolution No. 34 of 2024) (“Executive Regulations”).
Law Update: Issue 368 - Technology, Media & Telecoms Focus
Arif Mawany, Head of Corporate Commercial, Oman
Michael Vadelka, Associate, Corporate Commercial
The Executive Regulations introduce, among other things, the procedures to be followed to obtain a permit to process sensitive personal data, the restrictions for processing personal data of minors, cross border transfers and the procedure to follow for data breaches. Companies are also now required to appoint a personal data protection officer under the Executive Regulations. An overview of the new requirements and procedures introduced by the new Executive Regulations is set out below.
Processing of sensitive personal data is prohibited without a permit issued by the Ministry of Transport, Communications and Information Technology (“Ministry”). The process which data controllers must follow to obtain the permit to process sensitive personal data has been introduced into the law by the Executive Regulations.
To apply to the Ministry for a permit to process sensitive personal data, the data controller must complete and submit a prescribed form along with the personal data protection policy of the company and the precautionary measures which the company adopts in the event of a personal data breach.
An application to the Ministry must be reviewed by the Ministry within 45 days of the submission of the required documents and information. If the Ministry does not respond within 45 days, the application is deemed to be rejected. Permits are issued for periods of up to 5 years and can be renewed by following the application procedure set out in the Executive Regulations.
Under the Executive Regulations, controllers and processors must now obtain the prior written consent of the parent or guardian of a minor before processing the minor’s personal data.
When processing the personal data of a minor, data controllers and processors must:
ensure that the purpose of the processing is clear, direct, safe, not misleading and free of fraud;
limit their processing to the minimum amount of personal data to achieve the specific purpose;
allow parents or guardians to access the personal data of their children to update or modify it; and
not share personal data of minors with any third party without the express written consent of the parent or guardian.
Controllers or processors can request from a minor the minimum data of his or her parent or guardian for the purpose of confirming the identity of the parent or guardian and obtaining his/her consent. The provisions which relate to the processing of personal data of minors are also applicable to the processing of the personal data of incapacitated, restricted or legally incompetent persons.
Transferring personal data of data subjects outside the borders of Oman requires the express written consent of the data subject. This is not required if it is in the implementation of an international agreement to which Oman is a party or if the transfer is done in such a manner that ensures the anonymity of the data subject.
Before personal data is transferred outside the borders of Oman, the controller must assess whether or not the receiving party outside Oman has an adequate level of personal data protection. This level of protection must not be less than the protection required by the personal data protection laws of Oman. The assessment must comply with the requirements of the Executive Regulations and a report must be prepared by the controller and made available to the Ministry upon request.
An important addition of the Executive Regulations is that personal data controllers must appoint a personal data protection officer. The Executive Regulations clarify the requirements and the duties and responsibilities of data protection officers.
A personal data protection officer must be suitably qualified to undertake their duties and responsibilities, be familiar with the personal data protection law of Oman and the practices of the controller or processor and must be competent to deal with any issues relating to personal data protection.
The duties and responsibilities of a data protection officer include liaising with the Ministry on personal data protection issues and making submissions to the Ministry under the personal data protection law of Oman, ensuring the implementation of personal data protection policies and ensuring compliance with the personal data protection law of Oman.
The details of personal data protection officers must be accessible to data subjects so that they can be contacted in relation to any processing of personal data.
The Executive Regulations set out the procedure which must be followed by controllers in the event of a personal data breach. This entails notification within 72 hours from when the controller becomes aware of a breach which could be detrimental to the rights of data subjects, and the preparation of a report which contains the details of the data breach, the details of the controller and the corrective actions taken by the controller before and after notifying the Ministry. A further 72-hour notice must be given to the Ministry if the personal data breach will cause serious harm or poses a high risk to data subjects.
Controllers must keep a record of all personal data breaches, together with the causes of the breaches, their consequences, and any corrective actions and technical and/or organisational measures taken by the controller.
The Executive Regulations have set out how a personal data subject can exercise his/her right to revoke consent, request an amendment, update or deletion of personal data, obtain copies, transfer or notify a breach of their personal data under the personal data protection law of Oman.
The Ministry can require the controller or a processor to appoint an external auditor to ensure that the processing of personal data has been conducted in accordance with the personal data protection law of Oman. The auditor’s report must be provided to the Ministry.
The Executive Regulations introduce a complaints procedure under which personal data subjects and any other interested persons can submit a complaint or a report to the Ministry regarding a violation of the personal data protection law of Oman and the Executive Regulations. Administrative penalties have also been introduced for violations of the provisions of the Executive Regulations.
Companies in the technology, media and telecommunications sector typically process personal data as part of their businesses. Those companies that process personal information should appoint a personal data protection officer and update their terms and conditions and privacy policies to align with the Executive Regulations and remain compliant with the personal data protection law of Oman.
Technology, media and telecommunications companies that process sensitive personal data must apply to the Ministry to obtain a permit to process such data in accordance with the procedure set out in the Executive Regulations.
Companies that transfer personal data out of Oman and are controllers under the personal data protection law of Oman must conduct an assessment of the level of personal data protection offered by the transferee and prepare and keep a report of the assessment.
Companies that process personal data of data subjects in Oman, particularly those that process personal data of minors and transfer personal data outside the borders of Oman, must be aware of the new requirements and procedures introduced by the new Executive Regulations and align their personal data protection policies and terms and conditions to ensure compliance with the Executive Regulations. Companies that process sensitive personal data must obtain a permit by following the procedure set out in the Executive Regulations.
The Executive Regulations are a welcome addition to the personal data protection law of Oman. They clarify the obligations of data controllers and processors and bring the personal data protection law of Oman further in line with international standards. Data subjects will also benefit from the additional protection provided to them by the Executive Regulations.
For further information, please contact Michael Vadelka and Arif Mawany.
Published in May 2024