
Personal Data Protection

Overview of Personal Data Protection


The Personal Data Protection Department is responsible for implementing the provisions of the Personal Data Protection Law issued under Royal Decree No. (6/2022) and its Executive Regulations issued under Ministerial Decision No. (34/2024). The department undertakes all necessary measures to enforce the provisions of the law and its regulations, including:

  • Receiving complaints and reports, including reports of personal data breaches, and following them up in accordance with approved procedures.
  • Deciding on permit applications related to the processing of personal data as stipulated in Article (5) of the Law.
  • Carrying out judicial enforcement activities, in coordination with the relevant authorities, to address violations of the provisions of the Law and its Executive Regulations.
  • Working to raise awareness among stakeholders regarding the provisions of the Law and its Executive Regulations.

 

Guidance Forms and Templates


  • Personal Data Processing Permit Form according to Article (5) of the Personal Data Protection Law (AR / EN)
  • Permit Amendment Form (AR / EN)
  • Permit Renewal Request Form (AR / EN)
  • Permit Cancellation Form at the Controller’s Request (AR / EN)
  • Grievance Form (Permit Rejection/Administrative Penalties) (AR / EN)
  • Personal Data Processing Activity Record Form (AR / EN)
  • Personal Data Breach Report Form (AR / EN)
  • Personal Data Protection Officer Appointment Form (AR / EN)
  • Protection Level and Risk Assessment Form When Transferring Personal Data Outside Borders (AR / EN)
  • Complaint/Report Submission Form (AR / EN)

To submit a complaint or report through the Ministry’s services:


MTCIT Services

FAQ


1- Personal Data

  Definition, Processing, and Required Permits under the Personal Data Protection Law and its Executive Regulations


Personal data: data that makes a natural person identified or identifiable, directly or indirectly, such as name, civil number, electronic identifiers, location data, or data related to genetic, physical, mental, psychological, social, cultural, or economic identity.

Processing: the operations performed on personal data, including collecting, recording, analyzing, organizing, storing, modifying, altering, retrieving, reviewing, structuring, combining, blocking, erasing, deleting, or disclosing it by transmitting, distributing, transferring, or making it available by other means.

Every entity (company, institution, or any other entity) that processes personal data is subject to the Law and its Executive Regulations unless the processing is exempt under Article (3) of the Law.

The Law exempts state administrative units and other public legal entities from its scope of application. However, the Personal Data Protection Policy issued under Circular No. (6/2024), directed to state administrative units, applies to regulate their processing of personal data.

Personal data requiring a permit from the Ministry prior to processing includes genetic data, biometric data, health data, racial origin, sexual life, political or religious opinions or beliefs, criminal convictions, or data related to security measures. (The form can be accessed through the link to the guidance forms and templates).

2- Guidelines and Rules of the Personal Data Protection Law

Controller and Processor Obligations and Data Subject Rights 


  • Obtain the data subject’s consent before processing their personal data.

  • Obtain a permit from the Ministry before processing the types of personal data listed in Article (5) of the Law.

  • Provide a platform for the data subject to exercise their rights.

  • Establish a personal data protection policy.

  • Obtain the data subject’s consent before sending them any advertising or commercial material, and stop sending such materials immediately if the data subject requests it.

  • Maintain a personal data processing record.

  • Notify the Ministry and the data subject in case of a data breach, when required by the Law and its Regulations.

  • When transferring personal data outside Oman, conduct an assessment of the level of protection provided by the recipient country.

  • Ensure processing is carried out transparently, honestly, and with respect for human dignity.

  • Submit a written, clear, and explicit request to obtain the data subject’s explicit consent to process their data.

  • Notify the data subject of the processing details, especially the purpose and procedures.

Yes. The controller may contract another entity (the processor) to process personal data. In its relationship with third parties, the processor acts as the agent of the controller regarding civil and administrative liability, without prejudice to the processor’s criminal liability for violations of the Law and Regulations.

Yes. Before processing begins, the controller must inform the data subject of all necessary information about the entity processing their data, the reason for collecting it, the purpose of processing, and the data subject’s rights, including access, correction, transfer, and updating, as well as any other information needed to fulfill processing requirements.

The Regulations define conditions for explicit consent: it must be given clearly by a fully competent person without coercion. Consent may be written, electronic, or by any other means determined by the controller. However, consent required before sending any advertising or marketing material for commercial purposes must be written and in a form that the data subject can document.

Yes. The data subject has the right to request termination of targeted marketing (e.g., SMS or email ads). The controller must provide a clear mechanism to opt out, and once the request is received, the controller must stop sending advertising or marketing material immediately and free of charge. 

Personal Data Protection Officer (DPO): a person appointed by the controller to facilitate compliance with the Law and its Regulations. Their main duties include advising the controller or processor on obligations under the Law, and acting as a contact point with the Ministry regarding all matters related to personal data protection. (The form is available through the guidance forms and templates link).

Yes. The controller must appoint a DPO in line with the Regulations. The DPO can be a newly hired employee specifically for this role, or an existing employee assigned the DPO duties.

Yes. The Law and its Regulations allow the data subject or any interested party to submit a complaint to the Ministry if they believe any violation of the Law, the Regulations, or issued decisions has occurred, or if their personal data is being processed unlawfully.

Complaints or reports are submitted to the Ministry using the designated form (accessible through the guidance forms and templates link). Complaints must be filed within (30) days of the date of certain knowledge of the violation, after which the right to submit expires. The Ministry notifies the controller of the complaint, who may respond within 14 days. The Ministry studies and decides on the complaint within 60 days. Lack of response is considered a rejection.

The controller must notify the Ministry within 72 hours of becoming aware of any breach that threatens the rights of affected data subjects. The Ministry then evaluates the controller’s response and may issue directives. Additionally, the controller must notify the data subject within 72 hours if the breach poses serious harm or high risk.

3- Cross-Border Transfer of Personal Data

No. Approval is required only if sensitive personal data will be stored or processed outside Oman.

  • If the data is non-sensitive: No other authority’s approval is required. The data subject’s consent is sufficient, provided the transfer complies with the safeguards in the Regulations.
  • If the data is sensitive: The controller must obtain approval from the Cyber Defense Center before transferring sensitive personal data abroad.

Yes, as a rule, the controller must obtain the data subject’s consent before transferring their personal data abroad. Exceptions apply if:

  • The transfer is required to fulfill an international obligation under a treaty to which Oman is a party, or
  • The transfer is carried out in a way that ensures the data subject cannot be identified.

Self-Assessment Form



Self-assessment of the controller/processor to measure compliance with the provisions of the Data Protection Law

For inquiries, please contact us at the following email address: PDPC@mtcit.gov.om