Muscat – The Ministry of Transport, Communications and Information Technology has released the executive regulation of the Personal Data Protection Law, as outlined in Ministerial Decision No 34/2024.
The regulation aims to establish a comprehensive framework for the procedures, controls, conditions and legal timelines for personal data protection, in line with Royal Decree No 6/2022.
Key highlights of the regulation include the mandatory requirement of obtaining a permit prior to processing personal data, as stipulated in Article 5 of the law. Special emphasis is placed on safeguarding children’s personal data, alongside outlining clear procedures for data subjects to exercise their rights.
The regulation mandates obtaining a processing permit, detailing the application process – including submission of a personal data protection policy – and outlining measures to address data breaches. Permits are valid for up to five years, with specific guidelines for renewal, amendment and cancellation.
It necessitates obtaining explicit consent from a child’s guardian before processing their data, underscoring the protection of vulnerable data subjects.
Rights of personal data owners are clearly defined, encompassing the revocation of consent, modification, access to processed data, data portability and erasure, except where necessary for national preservation. Additionally, data subjects must be notified of any personal data breaches and the consequent actions taken.
Controllers and processors are bound by several obligations, including obtaining express consent from data subjects, adhering to child data processing controls, and maintaining transparency through a visible personal data protection policy.
They must also ensure confidentiality, retain processing documents, establish a personal data processing activities record, appoint a Personal Data Protection Officer, and comply with extraterritorial data transfer controls.
In the event of a data breach, controllers are required to notify the ministry within 72 hours, potentially followed by notifying affected data subjects if the breach poses serious harm or risks.
The regulation introduces the role of the Personal Data Protection Officer, tasked with advising on data protection matters and liaising with the ministry on personal data processing issues.
Chapter VIII governs the international transfer of personal data, setting conditions to safeguard national security and ensure external processors provide adequate protection levels. This includes obtaining data subject consent and assessing the external processor’s protection level.
Lastly, the regulation outlines complaint and sanction procedures, empowering the minister to impose administrative sanctions, including warnings, permit suspension, fines not exceeding RO2,000 and permit cancellation.
This comprehensive regulation marks a significant step in Oman’s commitment to enhancing personal data protection, aligning with global standards and safeguarding the privacy rights of individuals in the sultanate.