Royal Decree 6/2022 promulgating the Personal Data Protection Law (PDPL) was issued in February 2022. The PDPL comes into force on 13 February 2023.
The new law follows the global trend of increased adoption of dedicated general data protection laws, including in the GCC, where fairly recent data protection laws in Qatar and Bahrain have been followed by new laws in Saudi Arabia and the UAE in the latter half of 2021. It replaces the more limited data protection regime that already exists in Chapter Seven of the Electronic Transactions Law (promulgated by Royal Decree 69/2008).
The Ministry of Transport, Communications and Information Technology (Ministry) is responsible for implementing the PDPL. The Minister of Transport, Communications and Information Technology will issue the executive regulations to the PDPL in due course.
"Personal data" is defined in the PDPL as "data that identifies a natural person or makes such person identifiable, directly or indirectly, by reference to identifiers such as name, civil number, electronic identifier data or address related data or factors such as genetic, physical, mental, physiological, social, cultural or economical identity". The PDPL protects the personal data of a "data subject", defined as "a natural person who can be identified from their personal data".
Both the "controller", who is responsible for specifying the purpose and method of processing personal data, and the "processor", who processes the personal data on behalf of the controller, have duties to, among other things:
There are specific exceptions to the application of the PDPL, including where personal data is processed for national security or public interest reasons, for the detection or prevention of a crime based on a formal written request from the investigative authority, or for the performance of a contract to which the data subject is a party, and where the data is already publicly available.
The PDPL requires the written consent of a data subject to be obtained before their personal data is processed. Data subjects have the right to:
Processing of personal data related to genetic data, vital data, health data, ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions, or related to security measures is not allowed without obtaining a permit from the Ministry.
A data subject who believes that a right under the PDPL has been breached can report the breach to the Ministry.
The Ministry has wide powers. It can issue a warning to the controller or the processor, order that processed personal data is corrected or deleted, suspend the processing of personal data temporarily or permanently, suspend the transfer of personal data to another country or international organisation or take any other measure deemed necessary for the protection of personal data.
Violation of the PDPL can result in criminal fines ranging from RO500 to RO500,000, as well as administrative fines of up to RO2,000.
Businesses in Oman should update their policies, contracts, notices and activities to align with the PDPL and ensure that staff are well trained by the time the PDPL comes into force.