How Oman's Personal Data Protection Law Impacts Businesses and Consumers

The Oman Personal Data Protection Law (PDPL), issued on February 9, 2022, came into effect on February 13, 2023. This law repeals Chapter 7 of the Electronic Transactions Law and introduces significantly stronger privacy protections. It incorporates fundamental privacy principles, aiming to align Oman’s data protection standards with global best practices, such as those established by the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). 

 

Scope and Applicability in Oman

Territorial scope 

The Oman PDPL does not explicitly define its territorial scope within its provisions. Nonetheless, the law is anticipated to apply to data subjects, controllers, and processors located within the Sultanate of Oman. 

Material scope 

The Oman PDPL exempts personal data processing for national security, public interest, state functions, legal obligations, state economic interests, vital interests of data subjects, and existing contract fulfillment. Additional exemptions cover crime prevention, authorized research, personal or family use, and publicly available data. 

In employment, essential data (e.g., ID, bank details) is exempt for contract purposes, while health data for benefits requires consent and ministerial approval. Personal data on company devices may also fall under PDPL obligations. The practical application remains unclear pending the issuance of executive regulations. 

 

Legal bases 

1. Consent

2. Legal Obligation

3. Public Interest

 

Principles 

Under the Oman PDPL, personal data may not be processed except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject. However, the Oman PDPL falls short of incorporating commonly established data protection principles such as data minimization or purpose limitation. 

 

Controller and Processor Obligations

Data processing notification

Controllers and processors who meet specified conditions will be listed in a register maintained by the Ministry. Further details on this register are anticipated in the upcoming Executive Regulations. 

Data transfers 

Under the Oman PDPL, the data controller may transfer personal data outside Oman, provided it complies with regulatory controls and procedures and does not infringe the Cyber Defence Centre's authority. Before transferring data, the controller must confirm that the third-party processor offers protection at least equal to Oman’s standards, assessing factors such as data sensitivity, purpose and scope of processing, sharing parties, processing duration, data transfer stages, and the risks to data subjects. 

Data processing records 

The Regulations now mandate that data controllers and processors maintain a dedicated record of personal data processing activities.  

Data protection impact assessment 

Controllers are generally required to assess risks to data subjects from data processing. Article 39 of the Regulations specifies that, when transferring personal data, controllers must evaluate the protection level of third-party processors. 

 

Data Protection Officer appointment 

The Regulations mandate appointing a Data Protection Officer (DPO) who meets specific qualifications: they must be knowledgeable about the Oman PDPL, its Regulations, and the controller or processor’s data protection practices, and must be professionally capable of addressing data protection issues competently.

Data breach notification

In the event of a personal data breach involving unauthorized destruction, alteration, disclosure, access, or processing of personal data, the data controller must promptly inform both the Ministry and the affected individuals, following the procedures set by the Regulations. 

Data retention

The data retention period for processing operations will be set by the data controller or processor, as per the Regulations.

Children's data 

Under the Oman PDPL, processing a child’s personal data is prohibited without guardian approval, unless it serves the child’s best interest.

Special categories of personal data

The Oman PDPL does not define or provide specific safeguards for the processing of 'sensitive personal data' or 'special categories of personal data.' It completely bans the processing of personal data related to genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or security measures, unless prior approval is obtained from the Ministry.

Data Subject Rights

  1. Right to be Informed

  2. Right to Access

  3. Right to Rectification

  4. Right to Erasure

  5. Right to Data Portability

Penalties

 In addition to the penalties mentioned earlier, data controllers and processors who fail to follow the Ministry's prescribed controls and procedures, or who do not cooperate by providing requested data or documents, will face fines ranging from OMR 1,000 (about $2,597) to OMR 5,000 (about $12,989).  Legal entities can be fined between OMR 5,000 (about $12,989) and OMR 100,000 (about $259,786) if a crime under the PDPL is committed by their chairman, board member, manager, or other officials with their approval, concealment, or gross negligence. In addition to fines, the court may order the confiscation of tools used to commit crimes under the PDPL. The Ministry may also impose administrative penalties for violations of the PDPL, Executive Regulations, or related decisions, with fines not exceeding OMR 2,000 (about $5,195).