The Ministry of Transport, Communications and Information Technology (the MTCIT) has issued Ministerial Decision 34/2024 issuing the Executive Regulation of the PDPL (the Executive Regulation). The Executive Regulation came into force on 29 January 2024, almost 2 years after Royal Decree 6/2022 Promulgating the PDPL (PDPL) was issued.
The long-awaited Executive Regulation has provided much needed clarity to organisations in Oman that had been struggling to comply with the PDPL in the absence of the regulation.
Permits for processing of sensitive data
Article 5 of the PDPL requires any entity wishing to process sensitive data, such as health data, biometric data, and other forms of sensitive data, to obtain a permit from the MTCIT before processing such data.
The Executive Regulation stipulates the required details needed to make an application and states that the MTCIT has 45 days to decide on the application. If, after 45 days, the MTCIT has not responded, the application will be deemed to have been automatically rejected. The applicant may appeal to the minister, but if the minister fails to respond within 60 days, the appeal is also deemed automatically rejected.
Article 6 of the Executive Regulation stipulates that when applying for a permit to process sensitive data, data controllers are required to include in their application the precautionary matters they adopt in the event of a personal data breach.
The short timelines and possibility of automatic rejection mean that applicants should check if the MTCIT is ready to receive applications before they submit them to avoid automatic rejection.
Data breaches
Article 28 of the Executive Regulation states that both data controllers and data processors are required to keep a record of all data breaches they experience in a specific register, including the facts surrounding the breach and its effects, and the remedial or corrective action taken.
Article 30 of the Executive Regulation sets a deadline of 72 hours, running from the controller's knowledge of the breach, for reporting the breach to the MTCIT. Notification to the MTCIT must include:
- Description and details of the nature of the breached data and the consequences of the breach.
- The details and contact information of the controller or any other focal point for obtaining more information.
- A description of the potential effects of the breach.
- Corrective measures or technical and organisational measures that the controller will take to address the breach, including, where necessary, the proposed measures to mitigate the potential negative effects.
- Corrective measures and technical and organisational measures undertaken by the controller immediately after it became aware of the breach and before informing the competent administration.
Once the MTCIT has been notified, it has the right under Article 31 of the Executive Regulation to evaluate the procedures undertaken by the controller, to order the controller to notify data subjects of the breach, and to provide guidance and support to the data controller.
Under Article 32 of the Executive Regulation, there is a separate obligation for the data controller to notify the data subject of a data breach within 72 hours from its knowledge of the breach, if such breach is capable of causing serious harm or high risk to the data subject.
These new provisions impose material obligations on data processors, and companies must take them into account when developing their personal data policies.
Data subject rights
Article 11 of the PDPL recognised data subject rights, including the rights of a data subject to have their personal data erased, retrieved, or transferred to another entity. Article 16 of the Executive Regulation stipulates a duty for data controllers to respond to such requests within 45 days. If they fail to respond to the request or the MTCIT denies the request, the data subject may complain to the MTCIT. However, if the MTCIT fails to respond within 60 days, the complaint is deemed to have been rejected.
Article 17 of the Executive Regulation creates two grounds to allow data controllers to refuse to fulfil a request by a data subject. The grounds are:
- That the request is unjustifiably repetitive; or
- Its implementation requires extraordinary effort.
These exemptions will give companies some comfort that the costs and impact of the PDPL can be controlled.
Personal data protection officer
Article 20 of the PDPL required data controllers to identify a data protection officer. The Executive Regulation does not impose any limitation on who is expected to comply with the regulation, meaning any organisation, of any size, must comply.
The wording of the PDPL and Executive Regulation does not state that a personal data protection officer need be appointed, but rather that a personal data protection officer be designated. This would seem to mean that an employee of an organisation may carry out their original function in the organisation whilst simultaneously being designated as the personal data protection officer.
Cross-border transfer of personal data
Article 23 of the PDPL stipulated that a controller may transmit personal data and also permits its transfer outside of Oman. The Executive Regulation requires that the external processing entity to which the data is transferred provides a level of personal data protection not less than the level of protection prescribed in Omani law. The Executive Regulation does not require prior approval from the MTCIT before transferring data outside of Oman, and there is no whitelist or blacklist of countries to which the data can be transferred.
The flexibility around foreign transfer of data is important, and the position in the Executive Regulation should not cause companies too much concern.
Fines
The PDPL grants the courts power to impose fines up to 500,000 Omani Rial against those who fail to comply with the law.
If a data controller fails to comply with Article 19, which imposes an obligation on them to report data breaches to both the data subject and the MTCIT, the punishment is a fine ranging between 15,000 and 20,000 Omani Rial.
The Executive Regulation provides a 1-year grace period to all parties involved to comply with the PDPL and Executive Regulation. The grace period gives organisations time to review their current practices and work towards compliance with the PDPL.
Conclusions
The issuance of the Executive Regulation will come as a relief to many across the Sultanate, as the uncertainty created by the delay has caused great concern. The Executive Regulation adds clarity to the law, and it will be interesting to see how the MTCIT addresses its new role in protecting people's personal data. The 1-year grace period will provide comfort to organisations whilst they work towards compliance with the PDPL, and will give the government time to implement the processes required by the PDPL.