Strong legislation: Serious violations can attract penalties of up to RO 500,000
Officials and experts have welcomed last week’s promulgation of the new Personal Data Protection Law as key to, on the one hand, strengthening the underpinnings of a future digital economy in the Sultanate of Oman, and on the other, safeguarding the personal information of individuals from misuse for commercial gains or potential abuse.
The issuance of the new law, promulgated by Royal Decree 6/2022 on February 9, 2022, caps a series a series of far-reaching efforts by the Omani government collectively aimed at fueling the digital transformation of the Sultanate of Oman.
In a post, the Ministry of Transport, Communications and Information Technology, which has been mandated to enforce the provisions of the new law, said: “The issuance of the Personal Data Protection Law contributes to creating a legislative environment that protects personal data and enables a thriving digital economy.”
Dr Ali al Shidhani, Communications & Information Technology Under-Secretary at the Ministry, added: “Issuance of the Personal Data Protection decree is an important step to complete the system of personal laws for the digital economy and give the user greater powers to control personal data.”
Significantly, the decree is set to come into force one year after its issuance, which corresponds to the second week of February 2023. The Ministry of Transport, Communications and Information Technology has been tasked with drafting and rolling out the underlying executive regulations during the intervening period.
According to legal experts, the law enshrines a set of safeguards around personal data, which is defined as any information that “identifies a natural person that makes (them) identifiable, directly or indirectly, by reference to one or more identifiers”. Examples of personal data include the person’s name, civil number and address particulars, as well as their social, health and economic information.
In essence, users of personal data will have to obtain the prior written consent of the data subjects before processing that information. In any event, certain types of sensitive personal data cannot be processed without the express approval of the Ministry. They encompass information related to, among other types, genetic, biometric, ethnic, political, ideological, religious and criminal background of individuals. The personal data of children cannot be processed as well without the approval of the parents or guardians.
Additionally, the new law places a significant onus on the Controller (parties holding personal data) and Processor (parties processing the data on the Controller’s behalf) in ensuring that all prescribed safeguards and prohibitions are adhered to. The Controller, for example, is tasked with ensuring that personal data in its possession is suitably protected from breaches or hacks. Any transfers of personal data outside of the Sultanate of Oman must also comply with the provisions of the Executive Regulations.
Underscoring the importance that the Omani government accords to personal data protection, the law prescribes significant civil and criminal penalties for violations. Aggrieved data subjects, for example, can approach the Ministry if they feel their personal information has been misused. Severe violations can attract fines of up to RO 500,000.
Oman Observer is now on the WhatsApp channel. Click here
