This checklist aims to include Omani laws touching on privacy and data security requirements. In Oman, privacy and security are at the moment treated together in the laws, hence our coverage for privacy of Data in COVID-19 times includes elements of security laws. The most commonly encountered areas are General Privacy, Medical Data, Data of Children, and Biometric Data. COVID-19 will also give rise to increased levels of home working and there would be threat to data transferred working under unsecured conditions. However, this checklist covers only what affects the organisations collecting or coming in contact of personal data such as, travel and quarantine during COVID-19 times and the impact on data protection practices.

Flow of the document

The information is in an “if/then” format. The first column of the checklist sets out a number of privacy-related activities in which the client may be engaged, preceded by the word “If.” For example, one of the entries is: “If you collect biometric information, such as a retina or iris scan, fingerprint, the subsequent" 'then' columns contain pointers to laws and regulations within the relevant jurisdiction that the user should consult.

General Considerations

If, personal data is processed:


Relevant Law

Summary of requirements




Then consider the applicability of the following to your organisation:

Oman Sultani Decree No. 60/2007 National Records Archiving Law

Oman Sultani Decree No. 69/2008 E- Transactions Law

Oman Sultani Decree No. 12/2011 Cyber Crime Law

Oman Sultani Decree No. 55/2019 Statistics and Information Law


Oman Sultani Decree No. 60/2007 and Oman Sultani Decree No. 12/2011 outline penalties for the unauthorised access, use and destruction of personal data. Additionally, Oman Sultani Decree No. 69/2008 Electronic Transactions Law (chapter seven) sets out specific requirements for personal data protection. Oman Sultani Decree No. 55/2019 deals with collection, processing and distribution of processed data (not raw data)








Personal data means








Open data policy of ITA

Personal data, that is, data which contain information about specific individual.

If data that you are processing contains information relating to an identified or identifiable natural person (it is important to note that this includes indirect identification, e.g., if the person could be identified in combination with other data you may hold about him or her) such as,

  • Name
  • Address
  • ID number
  • Location data/geolocation data
  • Online identifier/IP address
  • Other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person,

then it cannot be treated as open data.
























Do you have a legal basisfor processing personal data?
























Article 43-49 of Oman Sultani Decree No. 69/2008

If you are processing personal data, you must have a legal basis for so doing.

There are six possible legal bases for processing personal data. Most legal bases require that processing is necessary for the purposes.

1. Consent

The individual has given clear consent for you to process his personal data for a specific purpose.

Consent must be

  • Freely given
  • Specific and informed
  • Unambiguous and a clear affirmative action

N.B. If you are relying upon the consent basis, a higher standard is imposed than that which was imposed under prior law.


The processing is necessary for the performance of a contract   you have with the individual, or because the individual has asked you to take specific steps before entering into a contract.

3.Legal obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

Article 45 of Oman Sultani Decree No. 69/2008 mandates any person who controls any personal data by virtue of his job in electronic transactions shall, before processing such data, notify the person from whom it is collected by a designated notice of the procedure he is following to protect those data. These procedures shall include

  • an identification of the person responsible for processing the data, the nature of the data, and
  • the purpose, methods and locations of processing and all informations necessary to ensure
  • secured data processing.

Oman is a signatory to the OECD guidelines on the Protection of Privacy and Transborder Flows of Personal Data which sets out basic rules governing transborder data flows and the protection of personal information and privacy in order to facilitate the harmonisation of data protection law between countries.

According to Article 49 of Oman Sultani Decree No. 69/2008, "when the personal data are supposed to be transferred outside Oman, regard shall be had to

the security of such information, in particular:

  • (a) Nature of personal data.
  • (b) Source of information and data.
  • (c)Purpose for which the data are to be processed and duration of process.
  • (d)The country of destination where the data were transferred, its international
  • obligation, and the law applicable.
  • (e) Any related rules applied in that country.
  • (f)The security measures taken to secure that data in that country."









Data subjects' rights: the right to be informed.








Article 45, 49 of Oman Sultani Decree No. 69/2008

Individuals have the right to be informed about the collection and use of their personal data.

The Organisation must give information in  a  concise, transparent, intelligible and easily accessible form, using clear  and plain language. The following information must be provided:

  • identity and contact details of the controller
  • purposes of processing and legal basis
  • where based on legitimate interests, what these are
  • recipients/categories of recipients
  • right to withdraw consent
  • right to lodge complaint with Supervisory Authority
  • where providing data is a legal/contractual obligation, the consequences of not doing so
  • any automated decision making/profiling







Data subjects' rights: the right to erasure (also known as the “right to be forgotten”).


Data subjects' right to ask for erasure of personal data is not clear under the law.

However, the right is clearly not applicable if the processing is necessary for:

  • exercising right of freedom of expression and information
  • compliance with legal obligation or for performance of tasks carried out in public interest or in exercise of official authority vested in Organisation
  • reasons of public interest in the area of public health
  • archiving purposes in public interest or scientific and historical research purposes or statistical purposes
  • establishment, exercise or defence of legal claims.








If you are processing personal data, you must ensure that you have appropriate technical and organisational measures in place






Ministry of Technology and Communication - Data and Information Systems Security Classification Mapping[1

p.7] based on Oman Sultani Decree No.


Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

You must have appropriate security systems in place to ensure that personal data you hold is not compromised.

Appropriate measures may include the following:

  • pseudonymisation and encryption of personal data
  • ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • ability to restore availability and access to data in a timely manner in the event of a physical or technical incident
  • a process for regular testing, assessment and evaluation of the effectiveness of measures.

Data Controllers and Data Processors
If, you are a data controller or a data processor; then consider the applicability of the following to your organization:


    Relevant Law

    Summary of requirements


Data Protection Impact Assessments

If you are controller and you are carrying out processing which is likely to result in a high risk to the rights and freedoms of individuals



then you must be aware of the consequences under Oman Sultani Decree No. 118/2011 for non-compliance

Article 4 of Oman Sultani Decree No. 118/2011, the  Confidentiality Classification Law levies as high as penalty of imprisonment for a period of no less than three years and not exceeding 5 years, and a fine of no less than one thousand Omani riyals and no more than three thousand Omani riyals, or one of these two penalties, anyone who discloses or keeps a document classified as "top secret or secret" without being permitted to do so.




  • fair and transparent processing;
  • legitimate interests pursued by controllers; collection of personal data;
  • the pseudonymisation of data;
  • information provided to the public and data subjects; exercise of the rights of data subjects;
  • information provided to and the protection of children;
  • technical and organisational measures, including data protection by design and by default and security measures;
  • notifications of breaches to the supervisory authorities and individuals;

You can sign on to a code of conduct which is relevant to the processing activities which your organisation carries out.

Special Categories of Data
If, you are you processing special category data such as racial, political, or genetic data, data of children, financial data,
medical data, biometric data or criminal records; then consider:

    Consideration     Summary of requirements


If you are processing the data of children and you are relying upon the “consent” basis for processing, there are specific conditions that must be complied with.
The law is not clear at the moment but in Oman, ROP usually contacts and relies on the consent of the closest male member to the child.

Health data

If you are processing health data, i.e. data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's health status.

It is treated as special category data.
Decisions and circulars issued by the Ministry of Health must be adhered to.
Employee Data

You must have a legal basis for processing employee data – you are likely to be relying upon the “necessary for performance of a contract” legal basis.

If you are processing special category data, there is a specific ground dealing with employment relationships (“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of your organisation or of the individual in the field of employment, social security, social protection law, or a collective agreement”).