12 March 2024

The Executive Regulations to the Oman Personal Data Protection Law - What You Should Know

To The Point
(4 min read)

The Executive Regulations (Regulations) to the Oman Personal Data Protection Law (PDPL) were published on 4 February 2024 and provide welcomed clarity on a number of provisions set out in the PDPL. Moreover, they provide businesses with a one-year grace period (until 5 February 2025) to achieve compliance with the PDPL.

In a nutshell

The Regulations provide clarity on various provisions contained in the PDPL. Key points include the requirement for explicit consent for data processing, the necessity of a permit for processing sensitive personal data, and the rights of data subjects to request deletion, a copy, or transfer of their personal data. The Regulations also provide that the Ministry may require that certain companies engage independent auditors to ensure compliance with the PDPL. Businesses have until 5 February 2025 to achieve compliance with the PDPL.

In detail

Following the issuance of the PDPL (see our previous article reporting on this here), the Regulations introduce the following key provisions:

Contracting with Processors: When engaging a Processor, Controllers must enter into a written contract, setting out the terms of any processing the Processor is to carry out on the Controller's behalf. Unlike other modern data protection laws, such as the General Data Protection Regulation (GDPR) and the Saudi Data Protection Law, the Regulations do not include any express provisions which must be included in the agreement between Processor and Controller.

Consent: In our previous article on the PDPL, we explained that the only lawful basis for processing personal data under the PDPL is consent. The Regulations helpfully clarify that any consent procured must be "explicit" and, in order to be valid, must be given by a person that holds full capacity and without coercion. This explicit consent may be procured in writing, by electronic means, or by another means decided by the Controller.

Scope: The Regulations do not clarify the scope of the PDPL, and in particular whether the PDPL is entirely inapplicable to the processing activities set out in Article 3 of the PDPL.

Permits: Article 5 of the PDPL specifies that processing of sensitive personal data (such as health data and data related to criminal convictions) is prohibited unless a permit is obtained from the Ministry. The Regulations set out the information that must be submitted to the Ministry to obtain such a permit.

Permit applications will be reviewed within forty-five (45) days and, where there is no response from the Ministry, will be deemed to be rejected. Organisations can appeal a rejection decision within sixty (60) days of the rejection decision, and the appeal will be decided upon within thirty (30) days. Helpfully, permits, once obtained, are valid for, and can be renewed for a period of, five (5) years.

Controllers must notify the Ministry of any changes to the approved processing of sensitive personal data within fifteen (15) days of such change. The permit may be revoked where the Controller fails to notify the Ministry of any change.

Children's Data: Chapter Three of the Regulations relates specifically to the processing of children's personal data. Article 11 requires that the express consent of a child's guardian is obtained prior to processing their personal data, and that any processing of that data is carried out in a manner that is clear, direct, safe and not misleading.

Data Subject Rights: The Regulations grant data subjects the right to request:

a)    that their personal data is deleted where either the purpose for which the data was collected no longer applies, the data subject withdraws their consent and/or the processing does not comply with the PDPL;

b)    a copy of their personal data; and

c)    that their personal data is transferred to a new Controller.

Controllers may not charge data subjects to respond to their data subject access requests (DSAR(s)) and are required to respond to such DSARs within forty-five (45) days of the date of receipt of such DSARs.

External Auditors: The Regulations include a unique obligation for Controllers and Processors to, if required by the Ministry, appoint independent, Ministry-accredited "External Auditors" that will audit the organisation's compliance with the PDPL. External Auditors are required to produce a report within sixty (60) days of their appointment for submission to the Ministry.

Records of Processing Activities (ROPA): Articles 27 and 28 include requirements for organisations to maintain ROPAs in respect of their processing activities. These requirements broadly reflect the requirements set out in other modern data protection laws, such as the GDPR, which is helpful.

Data Breaches: Controllers are required to notify the Ministry of data breaches within seventy-two (72) hours of becoming aware of the breach where the breach threatens the rights of a data subject. By contrast, Controllers are required to notify data subjects of breaches within seventy-two (72) hours of becoming aware of the breach where such breach would cause serious harm to, or be of high risk to, that data subject. The higher threshold for notifying data subjects represents a more proportionate obligation, thereby ensuring that there is no requirement to notify data subjects of low-risk, technical breaches.

Data Protection Officer (DPO): Article 20 of the PDPL requires Controllers to appoint a DPO in accordance with the Regulations. The Regulations appear to require that a DPO is appointed in all instances in which processing of personal data occurs. This position contrasts with other modern data protection laws, which only require a DPO to be appointed where the core activity of the organisation consists of large-scale processing of (1) personal data which requires regular and systematic monitoring of data subjects; or (2) sensitive personal data. Neither the PDPL nor the Regulations specify whether the DPO must be resident in Oman and/or whether, in the case of multinational companies, group DPOs can be appointed.

Cross-border Data Transfers: Article 37 of the Regulations stipulates that any transfer of personal data outside of Oman requires the express consent of the data subject, unless the transfer is performed in a way which anonymises the personal data. Additionally, personal data may only be transferred outside of Oman where the importer (described as the "External Processing Party") has in place an adequate level of protection that is not less than the level of data protection provided by the PDPL.

This is a marked difference from other modern data protection laws, which tend to include a concept of "adequate jurisdictions" that are recognised by the data protection regulator as having in place laws and an enforcement regime that adequately protect personal data and the rights of data subjects. Under the Regulations, it appears that it is the Controller that is able to determine whether the data importer (and not necessarily the jurisdiction in which that importer is established) has systems in place that are adequate to safeguard the exported data. The Regulations therefore place greater onus on Controllers to take seriously their obligation to carry out the transfer impact assessments stipulated in Article 39 of the Regulations.

Consequences of non-compliance

Without prejudice to the other penalties set out in the PDPL (of which there are many, including potential criminal sanctions), failure to comply with the Regulations may result in the Ministry applying any of the following penalties:

a)    issuance of a notice of non-compliance;

b)    suspension of any permit to process sensitive personal data until such failure is remedied;

c)    an administrative fine not exceeding OMR 2,000 for each breach; and/or

d)    cancellation of any permit granted.

What does this mean for you?

The Regulations impose a significant number of new requirements on organisations that must be operationalised, including (amongst other things):

  1. preparation of ROPAs and data protection policies and notices;
  2. appointment of a DPO;
  3. implementation of technical and organisational measures to safeguard the personal data being processed;
  4. completion of data transfer impact assessments;
  5. implementation of data processing agreements with Processors; and
  6. implementation of processes to respond to data breaches and DSARs.

It will be vital for businesses to commence their compliance journeys early to ensure that they are able to meet the enforcement deadline of 5 February 2025.

How can we help?

Our team of technology and data lawyers has extensive experience supporting organisations across the Middle East to roll out data protection compliance programmes and in advising them on how they can achieve compliance with data protection laws.

If you would like to discuss how we can help please contact:
Kellie Blyth, Jay Kesaria, Charles Christie.
