Oman Unveils Executive Regulation for Personal Data Protection Law
Content updates
Key Features
- Article 5 of the Personal Data Protection Law (PDPL) mandates that any entity intending to process sensitive data, to obtain a permit from the MTCIT before processing such data. The Executive Regulation outlines the necessary application requirements and specifies a 45-day timeframe for the MTCIT to reach a decision. Failure to receive a response within this period will result in automatic rejection. Applicants may appeal to the Minister; however, if there is no response within 60 days, the appeal is considered automatically rejected. Article 6 of the Executive Regulation stipulates that data controllers must include precautionary measures for addressing personal data breaches, when submitting a permit application for processing sensitive data.
- According to Article 28 of the Executive Regulation, data controllers and data processors must maintain a detailed record of any data breaches encountered in a specific register. This record should include the breach particulars, its consequences, and the subsequent remedial measures undertaken. Under Article 30 of the Executive Regulation, there is a 72-hour timeframe stipulated for data controllers to report any breaches to the MTCIT from the moment they become aware of the breach. Also, Article 31 stipulates that, upon notification, the MTCIT is empowered to assess the procedures taken by the data controller, direct the controller to inform affected data holders about the breach, and extend guidance and assistance to the data controller in managing the situation. As per Article 32 of the Executive Regulation, there exists a separate obligation for the data controller to inform data holders of a data breach within 72 hours once he becomes aware of the breach. This requirement is essential when the breach has the potential to inflict significant harm or poses a high risk to the data holder.
- Article 11 of the (PDPL) acknowledges data holder rights, such as: the right to correct, delete, transfer, or withdraw consent to the processing of their personal data. According to Article 16 of the Executive Regulation, data controllers are obligated to address the written requests submitted by data holders, within a 45-day period. In the event of a non-response or denial by the MTCIT, the data holder retains the right to file a complaint with the MTCIT. However, should the MTCIT fail to provide a response within 60 days, the complaint is considered rejected. Article 17 of the Executive Regulation outlines two justifications that empower data controllers to reject such requests. These are if the request is deemed unreasonably repetitive or if fulfilling it requires an exceptional effort.
- In the seventh chapter of the Regulation, the duties of the data protection officer, designated by either the controller or processor, are set out to ensure compliance with the Personal Data Protection Law (PDPL) and the associated Regulation. The officer's responsibilities include offering guidance and counsel to the controller or processor concerning their obligations under the PDPL and the Regulation. Moreover, they are tasked with overseeing the enforcement of the controller or processor's policies pertaining to personal data protection. Additionally, the chapter mandates the controller to disclose the data regarding the data protection officer and enable the personal data holder to contact them in any issues related to the processing of their personal data.
- Article 23 of the (PDPL) allows data controllers to transfer personal data outside of Oman. The Executive Regulation requires that the receiving external processing entity upholds a level of personal data protection no less than what is mandated by Omani Law. The Executive Regulation does not require pre-approval from the MTCIT for such transfers, and there are no designated whitelist or blacklist countries for data transfer.
- Article 41 of the Regulation allows personal data holders to file complaints to the competent administration regarding any violation of the PDPL or the Regulation within a specified 30-day timeframe upon becoming aware of the violation. It mandates the administration to adjudicate on the complaint within 60 days subsequent to its submission. In line with this provision, the Minister of the MTCIT is granted the authority to impose administrative penalties for Regulation breaches, including measures such as warnings, permit suspensions, and administrative fines of up to OMR 2000 per violation. Article 45 further grants violators the opportunity to appeal administrative decisions to the Minister of the MTCIT within 60 days of notification, with the Minister required to decide within 30 days of receiving the appeal; otherwise, the appeal stands as rejected.