In today’s world, every click, tap, and scroll leaves behind a piece of personal data. Protecting that data isn’t just a legal formality anymore; it’s about trust. With this vision, the Sultanate of Oman has taken a bold step by introducing the Personal Data Protection Law (PDPL), a modern framework that places people’s privacy at the center of the country’s digital future.
The law, established under Royal Decree 6/2022, came into force on February 13, 2023, and was further shaped by the Executive Regulation (Ministerial Decision 34/2024) issued by the Ministry of Transport, Communications, and Information Technology (MTCIT) in January 2024.
Before this, Oman’s Electronic Transactions Law offered only limited privacy safeguards. The PDPL bridges that gap by setting clear, transparent rules on how personal data should be collected, used, and shared, aligning the country with leading global standards such as the EU’s GDPR.
More importantly, the PDPL supports Oman Vision 2040, which emphasizes economic diversification, innovation, and digital growth. By building trust in how data is handled, the law enables businesses to innovate responsibly and citizens to engage confidently in the digital economy, ensuring that as Oman moves forward technologically, privacy remains a core national value.
Scope of Oman PDPL
The PDPL applies broadly to the processing of personal data that can directly or indirectly identify an individual. This includes almost every data-related activity: collecting, storing, using, sharing, transferring, or deleting personal information.
However, the law also recognizes that certain legitimate activities must continue without restriction. Therefore, it exempts specific cases such as:
- Matters related to national security or public interest
- Government administrative functions and court-mandated obligations
- Activities protecting the economic or financial interests of the state
- Crime detection and investigation based on official authorization
- Scientific research conducted with anonymized data
- Publicly available information collected lawfully
These exemptions ensure that while privacy is protected, essential public, legal, and economic functions can continue smoothly, maintaining a balanced approach between individual rights and national interests.
Consent: The Heart of Data Protection
Consent lies at the heart of Oman’s PDPL. Before collecting or processing any personal data, organizations must obtain explicit consent from the individual.
The Executive Regulation outlines clear conditions for valid consent:
- It must come from someone with full legal capacity.
- It must be given freely and without coercion.
- It can be provided in writing, electronically, or through any other approved method.
Data Subject Rights
The Oman PDPL gives individuals strong rights to maintain control over their personal information. Under the law, every data subject has the right to:
- Withdraw consent for processing at any time.
- Access and obtain copies of their personal data.
- Request corrections or updates to ensure accuracy.
- Request deletion of their data, except where it must be retained for legal or archival reasons.
- Transfer data to another controller.
- Be notified if their personal data is breached or exposed.
Data controllers must respond to such requests within 45 days and clearly justify any refusal. If a person believes their data has been mishandled, they can file a complaint with the Ministry following the procedures in the Executive Regulation.
Special Protection for Sensitive Personal Data
Certain types of personal data deserve extra care. The PDPL classifies information such as genetic, biometric, health, ethnic, political, religious, and criminal data as sensitive personal data.
Data controllers must obtain prior approval from the Ministry before processing such sensitive data. This authorization is usually valid for five (5) years and can be renewed. Controllers must also clearly justify why the data is needed and explain the security measures in place to protect it.
Children’s Data under Oman PDPL
Under the Oman PDPL, no organization can process a child’s personal data without the explicit consent of their parent or guardian. This protection ensures that vulnerable individuals receive appropriate safeguards in the digital environment.
Data Breach Notification
A personal data breach under Oman’s PDPL refers to any unlawful access to personal data that leads to its unauthorized destruction, alteration, disclosure, access, or processing.
When a data breach occurs, the data controller must notify the Ministry of Transport, Communications, and Information Technology (MTCIT) within 72 hours of becoming aware of the breach.
If the breach is likely to cause serious harm to data subjects, the controller must also notify the affected individuals within a period not exceeding seventy-two (72) hours after becoming aware of the breach.
In addition, both controllers and processors must cooperate fully with the Ministry. When the Ministry requests any documents, data, or clarifications, the organization must respond within 30 days of receiving the request.
Data Retention and Responsible Handling
The PDPL emphasizes responsible data management. Organizations can only keep personal data for as long as necessary to achieve the specific purpose for which it was collected. Once the purpose is complete, data must be securely deleted. This ensures that personal information doesn’t remain in systems longer than it should, reducing risks of misuse or leaks.
Businesses are also required to maintain detailed records of how they process and store data, which must be provided to the Ministry if requested.
Appointing a Qualified Data Protection Officer (DPO)
Every organization processing personal data in Oman must appoint a Data Protection Officer (DPO). The DPO’s job is to ensure compliance with the PDPL, guide staff on privacy matters, and act as the main contact point for the MTCIT. Having a qualified DPO demonstrates an organization’s commitment to protecting data and maintaining transparency.
Marketing and Communication Consent
Sending marketing emails, messages, or promotional materials now requires written consent from data subjects. This ensures people have control over the communications they receive and helps businesses build genuine, trust-based relationships with their audience.
Cross-Border Data Transfers
Organizations in Oman can transfer personal data outside the Sultanate, but only under strict conditions. Before any transfer takes place, the controller must obtain the explicit consent of the data subject and ensure that the receiving entity provides an adequate level of protection that is no less than what is guaranteed under the PDPL and its Regulation.
Before making any transfer, the controller must conduct a detailed evaluation of the external processor’s data protection standards. This evaluation covers:
- The nature, volume, and sensitivity of the personal data to be transferred.
- The purpose of processing and the extent to which the data will be shared.
- The duration of processing, and whether it is a one-time, recurring, or regular activity.
- The countries and entities involved, including the final destination of the data.
- The potential risks and impact on the individual’s privacy.
The Ministry (MTCIT) may request a copy of this evaluation report to confirm that the transfer ensures adequate protection.
The Cyber Defense Centre also plays a supervisory role in safeguarding the security of cross-border transfers. Without prejudice to the Centre’s competences, controllers may only proceed when all security and compliance controls are met.
Transfers are strictly prohibited if the data was processed unlawfully or if it could cause harm to the individual.
Penalties and Enforcement
Oman’s PDPL enforces strong accountability through a well-structured penalty and complaint mechanism. Depending on the nature and severity of the violation, fines can range from OMR 500 to OMR 500,000. Both individuals and organizations can be held responsible, and in serious cases, the court may even order the confiscation of tools used to commit violations.
The Regulation also empowers data subjects to raise complaints about privacy violations and ensures that such complaints are handled fairly by the authorities. Once a complaint is submitted, the competent department must review and issue its decision within 60 days, and if any grievance is filed against a decision of the Ministry, then the Ministry must respond within 30 days.
This reflects Oman’s balanced approach, one that focuses not only on penalties but also on accountability, fairness, and data subjects’ rights.
Conclusion
Oman’s Personal Data Protection Law sets a strong and forward-looking foundation for privacy in the digital era. It balances individual rights with the realities of a modern economy, promoting innovation, transparency, and trust. By defining clear responsibilities, empowering individuals, and enforcing meaningful penalties, the PDPL brings Oman in line with global standards of data protection.
As enforcement gains momentum, organizations should act now: review their data practices, update consent mechanisms, strengthen safeguards, and train their teams on compliance. These steps not only ensure legal readiness but also build long-term trust in Oman’s digital future.
At PrivacyPulse, we help organizations across the Middle East understand, implement, and sustain PDPL compliance. From data mapping and policy drafting to staff training, our experts ensure your business remains compliant, confident, and privacy-focused.
