Personal data protection law

Personal data protection law



After perusal of the basic law of the state, the electronic transactions law issued by Royal Decree no. 69/2008, and Royal Decree no. 64/2020 establishing the electronic defense center and issuing its system, and after submission to the council of Oman, this law was issued to discuss the protection of personal data.


What is personal data?

It’s the data that makes a natural person identifiable, directly, or indirectly by one or more identifiers such as:

  • Name
  • Civil ID number
  • Electronic identifier data
  • Spatial data

Or by reference to one or more factors related to:

  • Genetic identity
  • Physical identity
  • Mental identity
  • psychological identity
  • Social identity
  • Cultural identity
  • Economic identity

What is genetic data?

It’s the personal data that are genetically inherited or acquired characteristics that result from the analysis of a biological sample.

What is vital data?

It’s the Personal data that results from specific technical processing related to physical, psychological or behavioral characteristics such as facial image or genetic fingerprint data.

What is health data?  

It’s the personal data relating to physical, mental, and psychological health.

Processing: an operation or a set of operations performed on personal data that includes its collection, recording, analysis, organization, storage, modification, retrieval, review, coordination, merging, blocking, erasing, cancellation or disclosing it by sending, distributing, transmitting transferring, or made available by other means.

Who is the owner of the personal data?

A natural person who can be identified through his personal data.

The controller: is the person who determines the goals and means of processing personal data and performs this processing himself or entrusts it to others.

The processor: is the person who processes personal data on behalf of the controller.

The provisions of this law do not apply to the processing of personal data in the following cases:

  1. Protecting national security or the public interest.
  2. Execution by units of the state’s administrative apparatus or other public legal persons of the powers prescribed for them by law.
  3. Execution of a legal obligation placed on the controller under any law, judgment or decisions of the court.
  4. Protecting the economic and financial interests of the state.
  5. Protecting of vital interest of the personal data owner.
  6. Detection or prevention of any criminal offence based on an official written request from the investigation authorities.
  7. Execution of a contract to which the owner of personal data is a party.
  8. If the treatment is in a personal or family context.
  9. The purposes of historical, statistical, scientific literary or economic research by the authorities authorized to carry out these works, provided that no indication or reference related to the owner of personal data is used in the research and statistical publication it publishes to ensure that the personal data in not attributed to an identified or identifiable natural person.
  10. If the data is available to the public and in a manner that does not violate the provisions of this law.

What precautions the ministry can take to protect the personal data owners’ rights? 

  1. Warn the controller or the processor of the violation of the provisions of this law.
  2. The order to correct and erase personal data that has been processed in violations of the provisions of this law.
  3. Temporarily or permanently stop processing personal data.
  4. Stop transferring personal data to another country or international organization.
  5. Any other measures that the ministry deems necessary to protect personal data, in the manner specified by the regulation.

the ministry’s employees who are designated by a decision issued by the competent authority in agreement with the ministry shall have the capacity of a judicial officer in implementing the provisions of this law and the regulations and decisions issued in implementation thereof.

What are the rights of the owner of the personal data?

  • The data shall be processed within the framework of transparency, honesty, and respect for human dignity, and above all the explicit consent of the data owner in writing.
  • Can revoke the consent to data processing, without prejudice to the processing that took place before the cancellation.
  • Request to amend, update, and block the data.
  • Obtain a copy of the processed data.
  • Transfer data to another microcontroller.
  • Request to erase the personal data, except in the case of national preservation and documentation.
  • Be notified of any violation or breach of the data and the actions are taken in this regard.
  • The data subject may file a complaint with the Ministry in case the processing does not agree with the law.

What are the obligations of the controller and processor?

  • The controller determines what must be adhered to when processing, as follows:
  • Determine potential risks.
  • Data transfer procedures and controls.
  • Technical and procedural measures and any other related controls.
  • Before starting processing, the controller will provide the following information:
  • The data of the controller and processor.
  • Purpose of processing and sources of data collection.
  • Description and procedure of treatment.
  • Data owner rights.
  • The processor and controller shall abide by the Ministry’s controls and procedures.
  • The processor and controller are obligated to appoint an external auditor to ensure that the processing process meets the requirements of the regulation, with a copy of the report sent to the Ministry.
  • The processor and controller keep the processing process documents according to the specified legal period.
  • When a data breach occurs, the controller is obligated to inform the Ministry and the owner of personal data.
  • The controller is obligated to designate the data protection official in accordance with the regulations’ controls.
  • The controller is obligated to ensure the confidentiality of the data and not to publish it without the consent of the owner.
  • The controller is obligated to obtain the written consent of the owner of personal data before sending any material for commercial purposes to the owner.
  • The controller may transfer personal data outside the borders of the Sultanate of Oman without prejudice to the controls and laws. On the other hand, the controller is prohibited from transferring it if it was handled in violation of the prescribed provisions, or in a situation that would harm its owner.

What are the penalties?

  • The penalties vary between (500 – 500,000 OR) depending on the type of violation. In addition to, confiscation of the tools used to commit the crime in some cases.




written by :

angel zadjali
Hoda Al Farsi

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">html</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>