Under Royal Decree 6/2022, Oman introduced its first Personal Data Protection Law (PDPL). Recently, the Minister of Transport, Communications and Information Technology issued the Executive Regulations to guide the implementation of this law, effective from February 5, 2024. Businesses have one year to comply from this date. 

These regulations aim to safeguard personal data and ensure organizations follow strict procedures to protect individuals’ privacy. 

Key Points of the Executive Regulations: 

1. Data Subject Consent: Written consent is needed from individuals before processing their personal data. This must be given freely, clearly, and by someone with full capacity. For children, a guardian’s consent is required. 

2. Permitting for Sensitive Data: Detailed permitting process for handling sensitive personal data. 

3. Data Subject Rights: Individuals can request data deletion, amendments, or copies of their data. Requests must be written, and controllers must respond within 45 days. Controllers can refuse requests if they are repetitive or overly burdensome. 

4. Obligations for Data Controllers and Processors: 

   – Must have a personal data protection policy. 

   – Need consent before sending marketing materials. 

   – May need to appoint an independent external auditor. 

   – Must keep updated records of data processing. 

   – Must report data breaches within 72 hours. 

   – Required to appoint a qualified data protection officer (DPO). 

5. Data Protection Officer: The company is to appoint a Data Protection Officer This officer is responsible for ensuring compliance with data protection laws and coordinating with the Ministry.  

6.Transferring Personal Data Abroad: Requires explicit consent from data subjects. Transfers must ensure national security and interests are not compromised. The receiving country must have adequate data protection measures. 

7. Complaints Handling: Complaints must be filed within 30 days of awareness. The Ministry has 60 days to address the complaint after receiving a response from the controller. 

8. Enforcement: Penalties for violations include notices, permit suspensions, fines up to OMR 2000, and permit cancellations. 

 Action for Businesses: 

Businesses should start aligning their practices with the PDPL and the new regulations to ensure compliance within the one-year grace period from February 5th, 2024. 

Bondoni’s Guidance and Support: 

Bondoni will conform and will be aligned by or before February 5th, 2025. 

If you would like to be introduced to legal experts to develop your Personal Data protection Policies, please let me know and it will be a pleasure to refer you to our legal partners.