Executive Regulations to Oman’s Data Protection Law
The eagerly anticipated Executive Regulations to the Oman Data Protection Law Royal Decree 6/2022 (“PDPL”) were recently issued on 28 January 2024 through Ministerial Decision 34/2024 (“Executive Regulations”).
Some of the key provisions of the Executive Regulations are as follows:
- Article 10 of the PDPL requires the express consent of data owners to be obtained before the processing of their personal data and stipulates that such data must be processed within a framework of transparency, honesty, and respect for human dignity, whereby “personal data” is defined as data that makes a natural person identifiable, or capable of being identified directly or indirectly, by reference to one or more identifiers, such as name, ID number, electronic identification data, location data, or by reference to one or more factors related to genetic, physical, mental, psychological, social, cultural, or economic identity.
Article 4 of the Executive Regulations sheds further light on the requirements for consent to be valid: the consent must be (i) issued by a person with full capacity; (ii) given in a clear manner and without coercion; and (iii) issued in writing, electronically, or by any other means specified by the data controller.
- Article 5 of the PDPL provides that the processing of sensitive personal data relating to genetic, biometric, or health data, or data relating to ethnic origin, sexual life, political or religious opinions, beliefs, criminal convictions, or related security measures, is prohibited unless a permit is obtained from the Ministry of Transport, Communications and Information Technology (“MTCIT”).
The Executive Regulations now provide guidelines regarding the information that must be submitted by data processors applying for such permits under Article 5 of the PDPL, and state that the MTCIT has 45 days to decide on the application. If the MTCIT fails to respond within this time limit, the application will be deemed to be automatically rejected. The applicant has the right to appeal such rejection before the Minister of MTCIT (“Minister”) within 60 days from the date of being notified of such rejection, but if the Minister fails to respond within 30 days, the appeal will be deemed to be rejected.
- Article 11 of the PDPL provides for data owners’ right to have their personal data erased, retrieved, or transferred to another entity by the data controller. The Executive Regulations provide that data controllers have a duty to respond to requests from data owners within 45 days. If the data controller fails to respond to the request or denies it, the data owner has the right to complain to the MTCIT, and if the MTCIT fails to respond within 60 days, the complaint will be deemed to be rejected.
Article 17 of the Executive Regulations provides for two grounds on which a data controller may refuse to fulfil a request of the above nature: (i) if a request is unjustifiably repetitive, and (ii) if a request requires extraordinary effort to fulfil. This, in our view, may be seen as unreasonable for data owners who have genuine reasons to request the data controller to erase or transfer their personal data.
- Article 23 of the PDPL provides that personal data may be transferred outside Oman subject to the standards and procedures to be set out in the Executive Regulations. The Executive Regulations provide clarity on such international transfers of personal data. Article 37 of the Executive Regulations provides that the data owner’s consent is sufficient to transfer his/her personal data outside the borders of Oman, provided that such transfer does not prejudice national security or the higher interests of the country, and there is no requirement to obtain the approval of the MTCIT before doing so. Further, Article 38 provides that it is the responsibility of the data controller to ensure that the external processing entity, i.e. the entity outside Oman to which such data has been transferred, has adequate protection in place for such personal data, which may not be less than the level of protection prescribed in the PDPL and the Executive Regulations. Personal data may be transferred internationally without the consent of the data owner if (i) it is in implementation of an international obligation under an agreement to which the Sultanate of Oman is a party, or (ii) the transfer is carried out in such a way as to conceal the identity of the data owner, without linking the data to him/her, such that he/she is not identifiable in any way whatsoever.
- According to the PDPL, a number of obligations are imposed on data controllers and processors, which include the obligation to appoint a data protection officer, the selection controls and criteria for which were to be determined by the Executive Regulations. Whilst Article 35 of the Executive Regulations provides for a number of responsibilities which are required to be fulfilled by a data protection officer, it does not provide for the categories of data controllers who are required to appoint a data protection officer, which essentially means that any data controller who is holding personal data of any nature is required to appoint a data protection officer.
- Article 44 of the Executive Regulations provides for the imposition of penalties in case of non-compliance with the Executive Regulations. When considering the imposition of any of the penalties, the Minister may in the exercise of his discretion (i) issue an official warning; (ii) suspend the permit until the violation is remediated; (iii) impose a fine not exceeding 2,000 (two thousand) Omani Rials for each violation, and (iv) cancel the permit.
As these Executive Regulations have only recently been issued, much will depend upon their interpretation and application by the MTCIT with reference to the PDPL.
Author details
Anjali Kotak, Associate
Commercial and Capital Markets
Al Busaidy, Mansoor Jamal & Co
Tel: +968 24829200
Email: anjali.kotak@amjoman.com