Oman: Implementing Regulations to Data Protection Law Issued

Oman News developments

Oman: Implementing Regulations to Data Protection Law Issued

Oman Daily Observer, 7 February 2024: Oman’s Transport, Communications, and Information Technology Ministry or MoTCIT has issued the Implementing Regulations to the Sultanate’s Data Protection Law (Oman Sultani Decree No. 6/2022).

Oman Ministerial Decision No. 34/2024 has been issued to provide an improved framework for personal data protection.

They also provide clarity on various provisions contained in the Law. The provisions focus on improving data privacy and establishing proper controls and procedures. Among other things, they emphasise the importance of obtaining consent before processing personal data.

They also outline the rights of data subjects and address specific scenarios such as the processing of personal data relating to children. In order to process personal data relating to children, explicit consent must be obtained from their legal guardian or custodian before their data can be processed.
In terms of processing data, a permit has to be obtained. There are a number of requirements for obtaining these permits, including a personal data protection policy being submitted and measures to address potential breaches being specified.

Permits will be valid for up to five years but can be amended, renewed or cancelled. There are also provisions on the rights of data subjects. Among other things, data subjects can withdraw consent and request modifications or updates to their data. They can also obtain copies of processed data and request the deletion of their personal information, where applicable. Where there is a data breach, data subjects must be promptly notified and informed of the actions taken to address the breach.

Elsewhere in the regulations, specific obligations are imposed on controllers and processors. Among others, they must obtain explicit consent before processing personal data and comply with controls related to the processing of children’s personal data.

Where there is a personal data breach, controllers have to notify the Ministry within 72 hours. The Ministry will assess the actions taken by the controller and may direct them to take appropriate measures to mitigate the impact of the breach.

Organisations must also appoint a Data Protection Officer or DPO. They will be responsible for overseeing data protection matters within their organisation and will consult with the controller and submit proposals to them. They will also coordinate with the Ministry on data processing issues.

Controls and conditions for inter-state data processing are also introduced. These include obtaining a data subject’s consent and assessing the level of protection provided by the receiving party.

These controls and conditions have been introduced to balance the risks and necessity of these transfers.
There are provisions on how complaints can be filed too as well as provisions on penalties for violations.
Individuals can file complaints and reports and the Minister has the authority to impose administrative penalties like warnings, suspending permits and imposing fines of up to 2,000 Rials.

Permits may be cancelled in extreme circumstances.

For more news and content, try Lexis Middle East. Click on lexis.ae/demo to begin your free trial of Lexis® Middle East platform.

You can also explore the legal landscape by subscribing to our Weekly Newsletter.

Want to learn more about Lexis® Middle East? Visit, https://www.lexis.ae/lexis-middle-east-law/.

Tanya Jain