Toolkit: The Personal Data Protection Law (Royal Decree 6/2022)

Key Info

Title: The Personal Data Protection Law (Royal Decree 6/2022)
Date Issued: 9 February 2022
Entry into Force: 9 February 2023
Scope of Application: All organisations in Oman with the exception of government entities.
Note: This toolkit identifies the key obligations of data controllers. In addition to the punishments stipulated for each article, a legal person can be fined between 5,000 and 10,000 Rial Omani if the crime is committed in its name or for its account. The MTCIT can also issue administrative fines of up to 2,000 Rial Omani. Even though the law technically entered into force in 2023, it is not being implemented on the ground yet. At the time of writing this toolkit, the executive regulation of the law is expected to enter into force in January 2026. Complying with this law requires complying with its executive regulation as well.

Checklist

The table below identifies the key obligations under the Personal Data Protection Law (Royal Decree 6/2022).

Article Requirement Notes
5 Must not process genetic data, biometric data, health data, racial origin, sex life, political or religious opinions, philosophical beliefs, criminal convictions, or data relating to security measures without obtaining a permit from the ministry and complying with the regulation. Failure to comply results in a fine between 15,000 and 20,000 Rial Omani.
6 Must not process personal data of a child except with the approval of the guardian or if processing is in the best interest of the child, in accordance with the regulation.
10 Must obtain explicit written consent from the data subject in a clear, explicit, and understandable manner before processing personal data, and ensure that processing is conducted with transparency, honesty, and respect for human dignity. Must record proof of written consent. Failure to comply results in a fine between 500 and 2,000 Rial Omani.
11 Must respond to data subject requests to stop processing; to amend, update, or block data; to obtain a copy of the data; to transfer data to another controller; and to erase the data. Must also notify data subject of any breach of data and actions taken in this regard.
13 Must put in place controls and procedures for processing personal data, including risk assessment, data transport and transfer procedures, technical and procedural measures to ensure lawful processing, and any other controls required by regulation. Failure to comply results in fines ranging from 5,000 to 10,000 Rial Omani.
14 Must notify the data subject in writing of the controller and processor details, contact information of the data protection officer, purpose and source of data processing, description of processing and disclosure levels, data subject rights, and any other necessary information before processing personal data. Failure to comply results in a fine between 500 and 2,000 Rial Omani.
15 Must abide by the controls and procedures prescribed by the ministry to ensure that the processing of personal data is done in accordance with the provisions of this law. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani; applies to both controllers and processors.
16 Must appoint an external auditor upon the ministry's request to verify compliance with the law and article 13 procedures, and provide the ministry with a copy of the auditor's report. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani.
17 Must retain the documents of the data processing operations in accordance with the periods and procedures determined by the regulation. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani.
18 Must cooperate with the ministry and provide the requested data and documents necessary for it to exercise its competences within the period determined by the regulation. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani.
19 Must notify the ministry and the data subject of any personal data breach involving destruction, alteration, disclosure, access, or illegal processing, in accordance with the prescribed controls and procedures. Failure to comply results in a fine between 15,000 and 20,000 Rial Omani.
20 Must identify a personal data protection officer. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani.
21 Must guarantee the confidentiality of personal data and ensure its non-publication except with the prior consent of the data subject, in the manner determined by the regulation. Failure to comply results in a fine between 15,000 and 20,000 Rial Omani.
22 Must obtain the written consent of the data subject prior to transmitting any advertising or marketing material of a commercial nature, in the manner determined by the regulation. Failure to comply results in a fine between 1,000 and 5,000 Rial Omani.
23 Must transport personal data and permit its transfer outside Oman only in accordance with the controls and procedures determined by the regulation, and must not transport personal data processed in violation of the law or that would cause harm to the data subject. Failure to comply results in a fine ranging from 100,000 to 500,000 Rial Omani.