Oman Personal Data Protection Law (PDPL)
Royal Decree 6/2022 Promulgating the Personal Data Protection Law
Official Gazette Issue No. (1429)
Chapter One
Definitions and General Provisions
Article (1)
In the application of the provisions of this Law, the following words and expressions shall have the meaning assigned thereto unless the context otherwise requires:
Ministry
The Ministry of Transport, Communications and Information Technology.
Minister
The Minister of Transport, Communications and Information Technology.
Personal Data
Data that directly or indirectly makes a natural person identified or identifiable by referring to one or more identifiers such as the name, civil identity number, Electronic IDs data, spatial data, or by referring to one or more factors related to genetic, physical, mental, psychological, social, cultural or economic identity.
Genetic Data
Personal data relating to inherited or acquired genetic characteristics acquired through biological sample analysis.
Biometric Data
Personal data resulting from a specific technical treatment related to physical, psychological or behavioral characteristics such as face image, or genetic fingerprint.
Health Data
Personal data related to physical, mental and psychological health.
Processing
An operation or set of operations performed on personal data, including collecting, recording, analyzing, organizing, storing, modifying, altering, retrieving, reviewing, coordinating, combining, withholding, deleting, canceling, or disclosing it by sending, distributing, or transferring, or making it available by other means.
Personal Data Subject
A natural person who can be identified through his personal data.
Controller
A person who determines the purposes and means of personal data processing. The controller performs this processing by themselves or entrusts it to others.
Processor
A person who processes personal data on behalf of the Controller.
Regulation
The Executive Regulation of this Law.
Article (2)
The provisions of this Law shall apply to personal data that is processed.
Article (3)
The provisions of this Law shall not apply to the processing of personal data in the following cases:
a- Protecting national security or public interest.
b- Implementation of the units of the administrative apparatus of the state and other public legal persons of the competences prescribed to them by law.
c- Implementation of a legal obligation imposed on the Controller by virtue of any law, judgment or decision by the court.
d- Protecting the economic and financial interests of the state.
e- Protecting a vital interest of the personal data subject.
f- Detecting or preventing any criminal offense based on an official written request from the investigation entities.
g- Executing a contract to which the personal data subject is a party.
h- If the processing is performed within a personal or family sphere.
i- For the purposes of historical, statistical, scientific, literary, or economic research conducted by entities authorised to perform such works, provided that any indication or reference relating to the personal data subject shall not be used in published research or statistics to ensure that personal data is not attributed to an identified or identifiable natural person.
j- If the data is available to the public in a manner that is not contrary to the provisions of this law.
Article (4)
Personal data shall be deemed protected by virtue of the provisions of this Law.
Article (5)
[Processing of Sensitive Personal Data | Special Category of Personal Data]
Processing of personal data related to genetic data, biometric data, health data, ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions, or that which is related to security measures shall be prohibited unless obtaining a permit from the Ministry, in accordance with the controls and procedures defined by the regulation.
Article (6)
Unless the processing shall be in the child’s best interest, processing a child’s data shall be prohibited except based on their guardian’s consent, in accordance with the controls and procedures defined by the regulation.
Chapter Two
Liabilities and Competencies of the Ministry
Article (7)
Without prejudice to the competencies determined for the Cyber Defense Center, the Ministry shall be responsible for the application of the provisions herein, and in particular the following:
a- Preparing and approving controls and procedures related to the protection of personal data, including identifying necessary safeguards, required measures and rules of conduct related to the protection of personal data.
b- Issuing controls and procedures required for processing personal data and verifying that the Controller and Processor are in compliance with them.
c- Receiving reports and complaints submitted by personal data subjects and taking action on them within the period determined by the Regulation.
d- Cooperating with the authorities concerned with the protection of personal data in other countries.
Providing consultation and support, and coordination with the units of administrative apparatus of the state, and other public legal persons regarding any matter related to the protection of personal data.
e- Issuing and revoking licenses of service providers who are entrusted with studying and assessing the compliance of the controller and processor with the provisions of this law in accordance with the controls and procedures defined by the Regulation.
f- Preparing guiding models for the purposes of applying the provisions of this law, whenever necessary.
g- Preparing periodic reports on its activities in the field of personal data protection and publishing them on its website.
h- Preparing a registry to enroll the controllers and processors who fulfill the determined conditions as specified by the Regulation.
Article (8)
For protecting personal data subject's rights, the Ministry shall take any of the following procedures:
A. Warn the controller or the processor of the violation committed by them in breach of the provisions of this law.
B. Order the correction and deletion of the personal data that has been processed contrary to the provisions of this law.
C. Suspend the processing of personal data temporarily or permanently.
D. Suspend the transfer of personal data to another country or international organization.
E. Any other procedure that the Ministry deems necessary to protect personal data as determined by the Regulation.
Article (9)
In the application of the provisions of this Law, the Regulation and decisions issued in implementation thereof, the employees of the Ministry who are designated by a decision of the competent authority in agreement with the Minister shall have the capacity of judicial enforcement officers.
Chapter Three
Personal Data Subject’s Rights
Article (10)
Except within a context of transparency, honesty and respect for human dignity and after obtaining the explicit approval of the Data Subject, personal data may not be processed.
The request for processing personal data shall be written in a clear, explicit and understood manner. The Controller shall provide proof of the written approval of the Personal Data Subject for processing their data.
Article (11)
The Personal Data Subject shall have the right to:
a- Revoke consent to processing of their personal data, without prejudice to the processing that took place prior to the revocation.
b- Request the amendment, updating or withholding of their personal data.
c- Obtain a copy of their processed personal data.
d- Transfer their personal data to another controller.
e- Request the deletion of their personal data unless this processing is necessary for national archiving and documentation.
f- Be notified of any breach or violation of their personal data and the actions that have been taken in this regard.
The regulation shall determine the controls and procedures to practice these rights.
Article (12)
If the Personal Data Subject sees or considers that processing their personal data does not comply with the provisions of this Law, they may complain to the Ministry in accordance with the controls and procedures determined by the Regulation.
Chapter Four
Obligations of the Controller and Processor
Article (13)
The controller shall set the controls and procedures that shall be adhered to when processing personal data, and they shall include, in particular, the following:
a- Identifying risks that the personal data subject may be exposed to as a result of the processing.
b- Procedures and controls for transferring personal data.
c- Technical and procedural measures to ensure the implementation of the processing in accordance with the provisions of this Law.
d- Any other controls or procedures determined by the Regulation.
Article (14)
The controller shall, prior to processing any personal data, notify the personal data subject in writing of the following:
a- Data of the controller and the Processor.
b- Contact information of the Personal Data Protection Officer.
c- The purpose of personal data processing and the source from which it was collected.
d- Comprehensive and accurate description of the processing and its procedures, and levels of personal data disclosure.
e- The rights of Personal Data Subject, including the right to access, correct, transfer and update the data.
f- Any other information that may be necessary for fulfilling the conditions of processing.
Article (15)
The controller and Processor shall comply with the controls and procedures prescribed by the Ministry to ensure that the processing of personal data is conducted in accordance with the provisions of this Law.
Article (16)
The controller and processor shall, at the request of the Ministry, appoint an external auditor to ensure that the processing of personal data is conducted in accordance with the provisions of this law and as per the procedures and controls of the Controller stipulated in Article (13) herein. The Regulation shall determine the controls and procedures for appointing the external auditor.
The controller and processor shall also provide the Ministry with a copy of the external auditor's report.
Article (17)
The Controller and Processor shall maintain the documents of the processing operations according to the periods and procedures defined by the Regulation.
Article (18)
Within the period specified by the Regulation, the Controller and Processor shall cooperate with the Ministry and provide it with any information and documents it considers necessary for practicing its competences in accordance with the provisions of this Law.
Article (19)
The controller shall notify the Ministry and the personal data subject in case of any breach that leads to destroying, altering, disclosing, accessing, or illegally processing of personal data, according to the controls and procedures specified in the Regulation.
Article (20)
The Controller shall appoint a personal data protection officer, and the Regulation shall designate the controls of selecting this officer and their duties.
Article (21)
Except by prior consent from the Personal Data Subject as determined by the Regulation, the Controller shall ensure the confidentiality of personal data and shall not disclose it.
Article (22)
The controller shall obtain written consent from the personal data subject before sending any advertising or marketing material with commercial purposes to them, in accordance with the provisions set forth in the Regulation.
Article (23)
Without prejudice to the competences prescribed to the Cyber Defense Centre, the Controller may transfer personal data and permit transferring it outside the borders of the Sultanate of Oman in accordance with the controls and procedures provided for by the Regulation.
The controller is prohibited from transferring personal data if it has been processed in violation of the provisions hereof, or if it is likely to cause harm to the personal data subject.
Chapter Five
Penalties
Article (24)
Without prejudice to any more severe penalty stipulated in the Penal law or any other law, crimes stated in this Law shall be punished with the penalties stipulated therein.
Article (25)
Whoever violates the provisions of Article (14) of this Law shall be punished with a fine of no less than (500) five hundred Omani Riyals and not exceeding (2000) two thousand Omani Riyals.
Article (26)
Whoever violates the provisions of Articles (15), (16), (17), (18), (20), and (22) of this Law shall be punished with a fine of no less than (1000) one thousand Omani Riyals and not exceeding (5000) five thousand Omani Riyals.
Article (27)
Whoever violates the provisions of Article (13) of this Law shall be punished with a fine of no less than (5000) five thousand Omani Riyals and not exceeding (10000) ten thousand Omani Riyals.
Article (28)
Whoever violates the provisions of Articles (5), (6), (19) and (21) of this Law shall be punished with a fine of no less than (15000) fifteen thousand Omani Riyals and not exceeding (20000) twenty thousand Omani Riyals.
Article (29)
Whoever violates the provisions of Article (23) of this Law shall be punished with a fine of no less than (100000) one hundred thousand Omani Riyals and not exceeding (500000) five hundred thousand Omani Riyals.
Article (30)
Without prejudice to the penal liability of natural persons, the legal person shall be punished with a fine of no less than (5000) five thousand Omani Riyals and not exceeding (100000) one hundred thousand Omani Riyals if the crime is committed under its name or for its account by the chairman, a member of its board of directors, its manager, or any other official, by its approval, or through connivance or gross negligence on its part.
Article (31)
Within the scope of implementing the provisions of this Law, the competent court may rule, in addition to the fine, for confiscation of the instruments used to commit the crime.
Article (32)
Without prejudice to penalties stipulated in this Law, the Ministry may impose administrative penalties for breaches committed in violation of the provisions of this Law or the Regulation or decisions issued in the implementation thereof, provided that the administrative fine shall not exceed (2000) two thousand Omani Riyals.