Businesses operating in Oman will be subject to stiffer requirements over the way they process personal data from 9 February 2023.
The new Personal Data Protection Law (PDPL) in Oman reflects international data protection best practice and replaces existing data protection obligations in the Omani Electronic Transactions Law.
Much of the detail on what businesses will need to do to comply with the new legislation is expected to be set out in executive regulations that have not yet been published. However, there are things businesses can do now to prepare for the PDPL to take effect.
Businesses need to understand what data they hold. This is important under the PDPL as the type of personal data will determine the legal requirements for processing it.
For example, businesses will need a permit from the Ministry of Transport, Communications and Information Technology (the Ministry) to process certain personal data, namely genetic data, biological data, health data, or data about a person’s ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions, or security measures.
In addition, processing the personal data of a child will require the approval of the child’s guardian, unless such processing is in the best interests of the child.
The data mapping exercise should flow into a record of data processing activities to enable Omani companies to effectively document their data processing activities, as required under the PDPL. This exercise should also identify any personal data processing activities that are excluded under the PDPL.
Once businesses understand what data they hold, they need to make sure that they are meeting the legal requirements for processing it.
Under the PDPL, Omani companies cannot process personal data without the data subject’s explicit consent. The request for that consent must be in writing and be clear and understandable. Obtaining consent is also required before sending out any advertising or marketing materials or before publishing the data subject’s personal data.
Omani data controllers will also need to be able to clearly demonstrate that the data subject has given their written consent.
The PDPL requires Omani data controllers to have effective controls and procedures in place to effectively determine processing risks, to manage personal data transfers and to implement the technical and procedural measures necessary to ensure compliance with the PDPL.
The PDPL mandates the processing of personal data within a framework of transparency. In practice this means telling people how you are processing their personal data in the form of clear and simple notices.
These notices need to include the information prescribed by the PDPL, which include details of the controller and any processors, the purpose(s) for processing personal data and an accurate description of that processing. These details need to be provided to the data subject prior to any processing taking place.
Under the PDPL, data subjects will enjoy various rights. These include rights to revoke consent to the processing of their personal data, without prejudice to processing taking place prior to the revocation; to get their personal data amended, updated or blocked; to get a copy of their personal data; and to get their personal data erased.
The PDPL requires businesses to notify data subjects of these rights within their data protection notices.
Whilst the executive regulations will provide more details on the scope of, and the mechanism for exercising, these requests, it is important to start getting processes and procedures in place to manage them.
A data subject can complain to the Ministry if they consider that the processing of their personal data does not comply with the PDPL. The executive regulations will set out the procedure for this. However, having established processes in place will be important for effectively managing any such complaints.
The PDPL places broad obligations on Omani companies to cooperate with the Ministry, to appoint external auditors, and to provide any information and documentation relating to their PDPL compliance, as requested by the Ministry. Omani companies need to be able to effectively respond to Ministry requests within the required time period, which will be defined in the executive regulations.
Under the PDPL, businesses will be obliged to notify both the Ministry and data subjects “when a hacking of personal data occurs leading to its destruction, alteration, disclosure, access or illegal processing”.
The executive regulations will provide more details of how these notifications need to be managed but Omani companies should start planning now how they would deal with such data breaches.
The PDPL requires Omani data controllers to identify a personal data protection officer (DPO) and notify data subjects of the DPO’s details. The executive regulations will set out the requirements for the DPO. These can be expected to follow international data protection best practice.
The PDPL allows for international transfers of personal data out of Oman, except where any transfers would violate the PDPL or cause the data subject harm. The executive regulations will set out the specifics of how these data transfers can take place, but Omani companies should expect that there will be controls and procedures similar to other data protection laws globally.
Co-written by Alexandra Bertz of Pinsent Masons.