In line with global trends, Oman has taken a significant step in safeguarding the rights of its citizens by enacting the Omani Personal Data Protection Law (PDPL). This new legislation goes beyond protecting personal data; it provides an extensive framework for organizations on the responsible processing, storage, and utilization of Omani citizens’ personal information.
Like most modern Middle Eastern data laws, the PDPL aims to create an environment where individuals have control over their personal information and organizations use data in a transparent, ethical, and legal manner. It is a significant step towards fostering a culture of data privacy and promoting responsible use of personal data in Oman.
This article will review PDPL and its features and show how the global company with operations in Oman can comply with these fairly new regulations using InCountry’s Data Residency as a Service.
Who needs to comply with personal data protection laws in Oman?
The Omani Personal Data Protection Law applies to all organizations that collect, process, or store private information of Omani residents, irrespective of whether the organization is based in Oman or not. More specifically, the following types of organizations are mandated to comply with the provisions of the Oman Data Privacy Laws:
-
eCommerce businesses that sell to Omani residents
Businesses that operate in the eCommerce industry frequently gather, handle, and retain personal data of clients or customers in order to provide quality services and for marketing purposes. If you run such a business in Oman, it is crucial to pay close attention to the Personal Data Protection Law (PDPL) to ensure that you are in compliance.
-
Website and apps that collect personal data
It’s common for websites and applications to collect and store the personal data of their users. Such data may include email addresses, passwords, residential addresses, bank details, phone numbers, etc. If you own a website or application that provides services to residents in Oman, it is compulsory that you comply with the provisions of the Omani PDPL.
-
Social media platforms
Social media has become a crucial tool for gathering information and collecting personal data. Therefore, it is essential to have strict regulations and ensure compliance with privacy laws. The PDPL has explicitly stated that social media companies operating in Oman or having coverage of Omani citizens must comply with its rules.
This is similar to what is obtainable in neighboring countries, like the UAE data protection and the Qatar data protection laws.
-
Banks and financial institutions
The financial industry requires a lot of personal information from customers to function effectively. They collect data such as addresses, phone numbers, next of kin details, etc. Since this information is sensitive, these institutions need to be guided on how to handle these data in the interest of their clients and the bank.
-
Healthcare providers
Without a doubt, the data collected by health institutions are very sensitive and must be handled with caution. This explains why health institutions have been drafted among the organizations that must comply with the provisions of the PDPL.
-
Educational institutions
All educational institutions in Oman must comply with this policy. This is to ensure that the immense amount of private data collected by educational systems is properly managed.
-
Government agencies
All government agencies that collect, process, and store the private data of Omani residents are expected to comply with the provisions of the PDPL. A few examples of government agencies that fall into this category include the Ministry of Interior, Royal Oman Police, Ministry of Manpower, Ministry of Social Development, Oman Telecommunications Regulatory Authority, etc.
Note: If you’re wondering if the PDPL applies to foreign companies operating in Oman, the answer is yes. The law is extra-territorial, meaning it can apply to companies outside Oman if they process personal data belonging to Omani residents.
What Oman data privacy laws do you need to know?
Omani Personal Data Protection Law, which came into effect in February 2023, was the first comprehensive data privacy law enforced in Oman. It shares several similarities with the GDPR, which precedes it by about five years, and the Saudi Arabia data localization requirements.
The policy provides definitions of key terminologies in the policy to guide users on what is expected. For instance, it defines personal data as any information that can be used to identify a natural person, directly or indirectly. That is, any information that is unique to an individual and can be used in identifying them can be described as personal data.
Examples of personal data under the Omani PDPL include name, date of birth, address, biometric data, national ID number, health data, and other financial data.
Below are some provisions of the Omani PDPL that you should be aware of as a business leader with business operations in Oman:
Information sharing
The policy sets a minimum level of information that must be shared with data subjects before collecting, processing, or storing their personal information. The following are the minimum requirements:
- Information regarding the data controller.
- How to contact the data protection officer (DPO).
- Purpose of processing the data.
- A comprehensive breakdown of how your data is put to use and who it’s shared with, including external parties involved.
- The rights of data subjects and how they can exercise it.
- Any additional information that could be beneficial to a data subject.
Giving consent
The PDPL recommends explicit permission to be granted by data subjects before an organization can process that personal data. For consent to be valid, it must fulfill these conditions:
- It must be freely given.
- It must be specific for each processing purpose.
- The user must be informed about the processing beforehand.
- The consent should be given directly.
- Individuals must be able to withdraw consent as easily as it was given.
However, there are a few exceptions where an organization can proceed to process the personal data of a client without receiving permission to do so. The following are the conditions that can lead to such exception:
- If it’s in the execution of a contract with the data subject.
- If the data subject’s vital interest is covered.
- If it’s in the public interest.
- If it protects the economic or financial interests of the country.
- If it’s a legal requirement.
- If it’s being processed for family or household purposes.
- If the processing is for historical, statistical, or economic research.
Processing sensitive data
Besides obtaining direct permission from the data subject, when the data to be processed is sensitive, the data processor must seek outright consent from the Ministry. Failing to obtain appropriate permission before proceeding will lead to penalties that range from $50,000 to $260,000.
Data subject rights
Data subjects refer to individuals whose data is collected, processed, or stored. The Omani PDPL stipulates the rights of data subjects, and they are as follows:
- Right to access your data at any time.
- Right to know how your data is to be processed.
- Right to request correction of your data.
- Right to request deletion of your data.
- Right to revoke consent for data processing.
- Right to data portability.
An organization is obligated to comply with the decision of the data subject regarding their personal information; so far, it falls within their rights.
Responding to data breaches
According to the PDPL, an organization is obligated to promptly report to the authorities and the affected individuals in the case of a data breach. They are expected to provide details on the nature of the breach, possible causes, and measures they are actively taking to fix the breach.
Appointing a Data Protection Officer
Oman’s PDPL requires organizations to appoint a data protection officer to manage their data. However, it is not specified if companies of all sizes must do so. The duties of a data protection officer include monitoring data processing activities within the company and advising on compliance issues.
Penalties
The penalties for violating this policy can be monetary and could lead to jail terms as well. Monetary fines can be as high as $1 million, whereas jail term could be as much as one year in prison.
Oman data protection law vs GDPR
What are the similarities and differences between the Omani PDPL and EU GDPR? They will be presented in the table below:
Aspects | Omani PDPL | EU GDPR |
Consent | Individual consent is explicitly required. However, there are a few exceptions to this with regard to national safety or interest. | Individual consent is required, and there are a few exceptions to this on special occasions. |
Data subject rights | Grants data subjects the right to access, correct, delete, and transfer their personal data. They also retain the right to revoke consent. | Offers several data subjects rights, as well as the right to data portability. |
Sensitive Personal Data |
It defines sensitive personal data as health data, genetic data, racial or ethnic origin, religious beliefs, political opinions, and trade union membership. There are very strict restrictions for processing any data in this category under the PDPL. |
It defines it in a similar way to the Omani PDPL. However, it also includes biometric data and data relating to criminal convictions and offenses. |
Cross border transfers | It permits organizations to transfer personal data to third-party countries that do not have adequate data protection laws in place only if certain requirements are met. | Has stricter requirements for cross-border data transfers. Companies must obtain permission from designated authorities before data transfers can happen to a country without adequate data protection policies. |
Data Protection Officers | Oman PDPL requires data controllers to appoint a DPO. There are no express exceptions to this rule, so it is advised that every business operating in Oman should comply. | Mandate the appointment of DPOs for certain types of data processing activities. |
Age of consent for children | Oman PDPL prohibits the processing of a child’s personal data except with the express consent of the child’s guardian. | Sets the age of consent for data processing at 16, but member states may lower this to a minimum of 13. |
Audit requirements | All entities collecting personal data in Oman must engage an external auditor duly authorized by the Ministry of Transport, Communications, and Information Technology (MTCIT) to assess the effectiveness of their data security measures. | External audits are not explicitly mandated under the GDPR, but they are advised to ensure compliance. |
Regulatory body | It is regulated by the Ministry of Transport, Communications, and Information Technology. | It is regulated by the European Data Protection Board (EDPB). |
Penalties | Monetary penalties could be as high as $2.6 million. | Monetary penalties could be as high as $24 million. |
Data residency requirements in Oman
Although Oman PDPL does not explicitly mandate the storage of personal data of residents within Oman, certain elements in the PDPL could be construed as potentially establishing a data residency obligation. So, to be on the safe side of the law, it’s best to assume a data residency obligation.
Here are a few things you should consider while trying to stay compliant:
- Ensure the storage of personal data belonging to Omani residents within Oman.
- Select cloud computing providers that maintain data centers in Oman.
- Apply encryption to personal data before transferring it beyond Oman’s borders.
- Implement a data loss prevention (DLP) solution to deter unauthorized transfers of personal data outside Oman.
- Establish a data breach response plan that incorporates protocols for reporting data breaches to the Oman Data Authority and the individuals concerned within a 72-hour timeframe.
Oman’s cross-border data transfer requirements
Organizations can transfer the personal data of Omani residents outside Oman if the requirements are met. The requirements are as follows:
- The explicit consent of the data subject must be sought before any transfer can be initiated.
- The country where the data will be transferred must have a strong data privacy policy. If the country does not have privacy laws, the organization transferring the data must place additional measures to ensure the data is adequately protected.
- The organization must receive the permission of MTCIT unless such transfer is exempted from notification. The following conditions determine if a country is exempted from notification or not:
- Data transfers to a nation certified by the Ministry of Transport, Communications and Information Technology (MTCIT) as having sufficient data protection regulations in effect.
- Data transfers are required for the execution of an agreement with the data subject.
- Data transfers are essential for safeguarding the critical interests of the data subject or another individual.
- Data transfers linked to legal proceedings.
Did you know that InCountry offers a safe and compliant solution with which you can export important work data abroad? You should check out this article to learn more about InCountry for Salesforce Cross-Border.
How to comply with data protection laws in Oman — InCountry’s approach
InCountry’s Data Residency-as-a-Service platform is a data residency and compliance solution designed to assist businesses in adhering to global data protection regulations, including those in Oman. InCountry offers a secure and compliant infrastructure for organizations to store and manage the personal data of Omani residents securely.
InCountry offers several additional features to aid businesses in their compliance with data protection regulations in Oman. These features include:
- Data subject rights compliance: InCountry assists businesses in upholding data subject rights as prescribed by the Oman PDPL.
- Security audits: InCountry routinely conducts security audits to ensure that its infrastructure and compliance controls align with the requirements of the Oman PDPL.
- Cross-border transfers: Transferring data in and out of Oman seamlessly with our solution. You don’t only enjoy ease, but you can also rest and know that we have every compliance issue under control.
- Scalability: As your organization’s data needs expand, our platform can easily scale to accommodate those changes, so you never have to worry about outgrowing your solution.
- Cost-Effective: InCountry’s Data Residency-as-a-Service offers a budget-friendly option for meeting data residency requirements, helping you achieve compliance without breaking the bank.
Utilizing InCountry enables businesses to confidently meet their obligations under data protection laws in Oman while safeguarding the personal data of Omani residents.
Contact us today; let’s discuss your needs and show you how we can help you stay compliant with Omani Privacy Laws.