The Ministry of Transport and Communications and Information Technology issues the executive regulation of the Personal Data Protection Law

The Ministry of Transport and Communications and Information Technology issues the executive regulation of the Personal Data Protection Law

February 07, 2024

The Ministry of Transport, Communications and Information Technology issued the executive regulation of the Personal Data Protection Law in accordance with Ministerial Decision No. 34/2024, which aims to frame and clarify the procedures, controls, conditions and legal periods in accordance with the Law on the Protection of Personal Data issued by Royal Decree No. 6/2022, the most prominent of which is obtaining a permit before processing personal data provided for in Article (5) of the aforementioned law, in addition to establishing special procedures for the protection of the child's personal data, and clarifying the procedures related to the exercise of the rights of the owner of personal data.

 

The most important items of the regulation

 

The executive regulation included many issues of protecting personal data, the most prominent of which is the requirement to obtain a permit when processing personal data in Chapter II of the regulation, where it clarified the procedures for obtaining a permit with the requirement to attach to the personal data protection policy, and the precautionary measures adopted when a breach of personal data occurs. The regulation also specified the period of the permit to not exceed five years with a statement of controls for renewal, amendment and cancellation of the permit.

 

The regulation included a chapter on the treatment of the child's personal data, which came with a number of legal texts that granted the legal protection of personal data of children and their like, from the potential risks to which the data of this category may be exposed and its impact on them by their nature. The obligation of the controller or processor to obtain the explicit consent of the child's guardian (the guardian and trustee of the incapacitated or incapacitated) before processing his personal data is one of the most important controls contained in this chapter.


The regulation also included a chapter on the rights of the owner of personal data, the most important of which are: the right to submit a written request to the controller regarding the exercise of the following rights: "revocation of consent to the processing of personal data, without prejudice to the processes that took place before the cancellation, modification, updating or blocking of the personal data, obtaining a copy of the processed personal data (controls were set for him in the executive regulation), transferring personal data to another controller, erasing personal data unless that processing is necessary for the purposes of national preservation and authentication." As for the second right is to notify the owner of personal data of any breach or violation of his personal data, and the measures taken in this regard.


In Chapter V of the regulation, the obligations of the controller and the processor include: obtaining the express consent of the owner of personal data before processing his personal data, obtaining permission from the Ministry before processing any of the personal data contained in Article (5) of the law, adhering to the controls for the processing of personal data of the child, setting a personal data protection policy in a visible place that allows the owner of personal data to view it before processing his personal data, adhering to the controls of sending any advertising, marketing or commercial material to the owner of personal data, setting controls to ensure the confidentiality of personal data, adhering to the controls of retaining documents for processing operations, establishing a record of personal data processing activities, and abiding by the controls related to the intrusion Personal data, the determination of the Personal Data Protection Officer, and adherence to the controls of the extraterritorial transfer of personal data.

 

Chapter VI of the regulation includes the breach of personal data, where the executive regulation obliges the "controller" when any breach of his personal data occurs to inform the Ministry within (72) hours from the date of his knowledge of the breach if that breach threatens the rights of the owners of personal data that have been compromised. The role of the Ministry comes after which to evaluate the measures carried out by the controller and has the controller's guidance to take appropriate measures, in addition to the controller's commitment to notify the owner of personal data within the same period if that breach causes serious harm or high risks to the owner of personal data.

 

The regulation also includes in Chapter VII the Personal Data Protection Officer, where the Personal Data Protection Officer is the person designated by the “controller” concerned with everything related to the protection of personal data in that institution. The executive regulations clarified its tasks such as providing consultations and proposals to the controller, and coordinating with the ministry in matters related to the processing of personal data.

 

Chapter VIII includes the transfer and transfer of personal data outside the borders, as the executive regulation regulates the transfer of personal data outside the Sultanate of Oman by providing for a number of controls and conditions that strike a balance between the potential risks as a result of transfer or transfer and the necessity imposed by reality to transfer data outside the borders of the Sultanate of Oman. These controls are as follows: obtaining the consent of the owner of personal data for the transfer or transfer, and that the transfer of data does not affect national security or the higher interests of the state, and that the external processor has an adequate amount of protection not less than the level of protection established in accordance with the Personal Data Protection Law and its executive regulations. In addition to conducting an assessment of the level of protection provided by the external processor.

 

As for the ninth chapter, it included complaints and sanctions, where the executive regulation stipulated the procedures that must be followed to submit complaints and reports, and gave the minister the entitle to sign administrative sanctions such as a warning, suspension of the permit, an administrative fine not exceeding (2000) Omani riyals, and the cancellation of the permit.