The Oman Personal Data Protection Law (PDPL) came into effect in February 2023, introducing new legal requirements for businesses that process personal data. The law is based on the opt-in principle, meaning that businesses can only process personal data if the user consents or if there is another legal basis. This aligns the PDPL requirements with those prescribed by the General Data Protection Regulation (GDPR) in the European Union. However, there are nuances that make this law different, which is precisely what this article will explore.
Personal data under the Oman PDPL is any information that could identify a person. This includes personal name, email address, government-issued numbers, phone numbers, and home address, as well as browsing behavior, IP address, health data, or anything else that could directly or indirectly point to a specific person. Health data, financial data, sex life, political or religious beliefs, and similar data are defined as sensitive personal information and are subject to a special regime.
The Oman PDPL applies to your business if it is registered in Oman or if you offer products or services to Omani residents. It follows the same territorial principle as other data protection laws.
The data controller is the person who decides to process personal data. For example, an e-commerce store that chooses to use Google Analytics and Facebook Pixel on the website is the data controller because they decide why to process data, how to process it, and with whom to share it. Google and Facebook, in this case, are data processors. They are service providers for the processing of data and only process the data on behalf of the e-commerce store.
The PDPL prescribes the minimum information that businesses need to provide to data subjects. The privacy policy must include at least the following:
However, this is just the minimum requirement. Businesses are encouraged to share more information with their customers and be transparent about how they handle their data. The privacy policy should be easy to understand for the average internet user and written in plain language.
You must obtain explicit consent from users for data processing. The Oman PDPL does not allow the processing of personal information unless the user consents. There are some exceptions where you can collect and process personal data without consent, such as in the following situations:
The consent must be:
In addition, you must allow users to withdraw consent as easily as they have given it.
Sensitive personal data is subject to a special PDPL regime. It is not enough to meet the general data processing requirements.
Businesses that process health data, genetic data, financial data, information about the personal life of the data subject, and other sensitive personal information must obtain a permit from the Ministry before processing the data.
Simply collecting the data without a permit is a violation and may result in penalties ranging from OMR 20,000 to OMR 100,000 (around $50,000 to $260,000).
The Omani PDPL grants data subjects the following rights:
Once you receive a data subject request to exercise any of these rights, you must honor it. More details on the methods for receiving and responding to requests are expected in the future.
International data transfer occurs when data is transferred across the borders of Oman. The rules around this are not yet clear. The PDPL forbids cross-border data transfers where the data subject could suffer any kind of harm due to processing abroad. However, it remains to be seen how this provision will be interpreted by competent bodies.
If a data breach occurs, you must report it to both the data protection authority and the affected individuals. You must provide information about the nature of the breach, possible consequences, and mitigation measures. Additionally, you must inform the data protection authority with more detail, including who has been affected, a description of the breach, and the contact details of the DPO.
Yes, the Oman PDPL requires businesses to appoint a DPO. It is not yet clear whether every business must appoint one.
DPO duties include monitoring data processing activities within the organization and advising on compliance with the PDPL. They must be independent in their work, well-trained, and provided with enough resources to do the job.
Your DPO can be an employee or an outsourced DPO.
Oman PDPL penalties are severe and can result in a monetary fine of up to OMR 500,000 ($1.3 million). For some violations, there is a criminal penalty of up to one year in prison.
The severity of the penalty depends on the actual violation.