These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.


Oman Personal Data Protection Law

Royal Decree No. 6/2022

Comprehensive compliance checklist for Oman's Personal Data Protection Law, covering all key provisions, requirements, and best practices for data controllers and processors.

Key Provisions & Compliance Checklist

Key Provisions

Key Definitions (Article 1)

  • Personal Data: Any information that can directly or indirectly identify a person
  • Genetic Data: Data about inherited or acquired genetic traits
  • Biometric Data: Data from technical analysis of physical or behavioural traits
  • Health Data: Data about physical, mental, or psychological health
  • Controller: Person/organisation deciding why and how data is processed
  • Processor: Person/body processing data on behalf of controller

Scope and Application (Articles 2, 3)

The law applies to any processing of personal data, subject to the exemptions below.

Exemptions include:

  • National security or public interest purposes
  • State government departments performing official duties
  • Processing to follow legal obligations
  • Protection of state's economic/financial interests
  • Scientific, literary, or economic research (if anonymised)
  • Publicly available data (if lawful use)

Protection of Personal Data (Article 4)

Personal data shall be deemed protected by virtue of the Law.

Processing of Sensitive Personal Data (Article 5)

Processing is prohibited unless a permit is first obtained from the Ministry. This covers:

  • Genetic data, biometric data, health data
  • Ethnic origins, sexual life
  • Political or religious opinions/beliefs
  • Criminal convictions or security measures

Processing of Children's Data (Article 6)

Processing a child's data is prohibited except based on their guardian's consent, unless the processing is in the child's best interest.

Ministry's Responsibilities (Articles 7, 8)

Key responsibilities:

  • Making and approving data protection rules
  • Issuing guidelines for data processing
  • Handling complaints related to data misuse
  • Working with international bodies
  • Issuing/cancelling compliance licenses
  • Maintaining registry of controllers and processors

Enforcement powers:

  • Send warnings for non-compliance
  • Order correction or deletion of wrongfully handled data
  • Stop data processing or transfer if needed

Personal Data Subject's Rights (Articles 10, 11, 12)

Processing requires transparency, honesty, and clear consent.

Data subjects have the right to:

  • Withdraw consent at any time
  • Request changes, updates, or stop data use
  • Get a copy of their personal data
  • Move data to another controller (data portability)
  • Request deletion of data (unless needed for national archiving)
  • Be informed of data breaches or leaks
  • File complaints with the Ministry

Controller's Obligations (Articles 13-22)

  • Data Protection Rules: Create and follow rules for data processing, identify risks, set up transfer procedures
  • Transparency: Inform data subjects with clear details before processing
  • Compliance: Follow all Ministry rules and controls
  • Auditing: May need to appoint external auditors
  • Record Keeping: Keep records of all processing activities
  • Breach Notification: Inform Ministry and affected individuals of breaches
  • DPO Appointment: Appoint Data Protection Officer if required
  • Confidentiality: Protect data confidentiality
  • Marketing: Get written consent before sending marketing material

Processor's Obligations (Articles 15-18)

Processors must comply with Ministry's prescribed controls and procedures. They may be required to appoint external auditors and must maintain processing records and cooperate with the Ministry.

Cross-Border Data Transfer (Article 23)

Controllers may transfer personal data outside Oman according to Regulation controls and procedures.

Transfer prohibited if: Data was processed in violation of the Law or if it is likely to harm the data subject.

Penalties (Articles 24-32)

  • Fines: 500 to 500,000 Omani Riyals depending on violation
  • Repeat Offenses: Fines doubled for repeat violations
  • Additional Penalties: Courts may order confiscation of instruments used in the crime
  • Administrative Penalties: Ministry may impose fines up to 2,000 Omani Riyals

Compliance Checklist

Lawful Basis for Processing

Legal Requirement: Obtain clear, written consent before processing (Art. 10). Processing without consent is prohibited except as defined by law.

Recommended Practice: Use opt-in forms written in plain language. Store consent records (who consented, to what, when, and against which version of the notice) so that consent can be evidenced on request.

Data Subject Rights

Legal Requirement: Provide rights to access, correction, erasure, etc. (Art. 11).

Recommended Practice: Offer request mechanisms (e.g., portals, forms). Train staff on handling requests.

Security Measures

Legal Requirement: Implement technical and procedural measures to ensure lawful processing (Art. 13).

Recommended Practice: Implement security measures relevant to the data and processing (e.g., access controls).

Transparency & Notification

Legal Requirement: Inform data subjects about processing details (Art. 14).

Recommended Practice: Use clear and comprehensive privacy notices.

Data Accuracy & Retention

Legal Requirement: Data should be accurate, and data subjects have the right to request amendments, updates or deletion (Art. 11). Controller to set controls and procedures (Art. 13).

Recommended Practice: Establish data accuracy procedures and retention schedules.

Cross-Border Data Transfers

Legal Requirement: Transfers permitted per the Regulation (Art. 23).

Recommended Practice: Use data transfer agreements where required. Assess legality of transfer.

Breach Notification

Legal Requirement: Notify the Ministry and data subject in case of a breach (Art. 19).

Recommended Practice: Establish a breach response plan.

Processing Records

Legal Requirement: Maintain records of processing operations (Art. 17).

Recommended Practice: Keep a register of processing activities (purposes, data categories, recipients, retention periods, transfers) and keep it current as processing changes.

Processor Contracts

Legal Requirement: Controller and Processor shall comply with the controls and procedures prescribed by the Ministry (Art. 15).

Recommended Practice: Include necessary data protection clauses in contracts with processors.

Sensitive Data Handling

Legal Requirement: Processing prohibited unless obtaining a permit from the Ministry (Art. 5). Processing a child's data prohibited except based on guardian's consent (Art. 6).

Recommended Practice: Implement enhanced safeguards for sensitive data (e.g., specialized access controls, DPIAs).

Post-Processing Obligations

Legal Requirement: Data subjects have the right to request deletion unless processing is necessary for national archiving (Art. 11).

Recommended Practice: Establish data deletion or anonymization procedures.

Cooperation with Authorities

Legal Requirement: Controllers and Processors must cooperate with the Ministry and provide necessary information (Art. 18). Controller shall appoint a data protection officer where required (Art. 20).

Recommended Practice: Maintain open communication with the Ministry. Appoint a DPO.

Need Expert Assistance with Oman PDPL Compliance?

Our team of data protection experts can help you navigate Oman's Personal Data Protection Law requirements and ensure full compliance.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.