Data Breach Obligations Under the Personal Data Protection Law and Its Executive Regulation

Data breach provisions fall squarely between cybersecurity and data protection. Under article 3 of the Cybercrime Law, unauthorised access to an electronic system is a criminal offence, but that law imposes no obligation on any party to notify the victim or to take any measure to minimise the impact of the breach. The Personal Data Protection Law and its newly issued executive regulation attempt to fill this gap with the aim of protecting the rights of victims of data breach incidents.

At the outset, article 11 of the Personal Data Protection Law stipulates that data subjects have the right to be notified of any breach or infringement of their personal data, and of the actions taken in response to such breaches. Article 19 of the law imposes a corresponding obligation on the data controller to report data breaches to both the data subject and the Ministry of Transport, Communications, and Information Technology (MTCIT). Failure to comply with this obligation is punishable by a fine of between 15,000 and 20,000 Omani Rials.

The newly issued Executive Regulation of the Personal Data Protection Law introduces several new provisions that set out in detail the obligations of data controllers and the rights of data subjects in relation to data breaches. First, data controllers applying for a permit to process sensitive data must include in their application the precautionary measures they adopt in the event of a data breach. Both data controllers and data processors must also keep a record of every data breach they experience in a dedicated register, together with the facts surrounding the breach, its effects, and the actions taken in response.

Second, the executive regulation sets the deadline for reporting a breach to the MTCIT at 72 hours from the time the controller becomes aware of the breach, where the breach is capable of giving rise to a risk to the rights of data subjects. We understand this to mean that breaches that pose no risk to data subjects' rights, including breaches that do not affect personal data at all, do not have to be notified to the MTCIT. Article 30 of the regulation lists in detail the information that must be included in the breach notification sent to the MTCIT.

Once notified, the MTCIT has the right under article 31 of the executive regulation to evaluate the measures taken by the controller, to order the controller to notify data subjects of the breach, and to provide guidance and support to the controller.

Separately from the notification to the MTCIT, the data controller is also obliged to notify the data subject of a data breach within 72 hours of becoming aware of it, where the breach is capable of causing serious harm or high risk to the data subject. We understand this to mean that breaches not expected to cause serious harm to a data subject need not be notified to that data subject. Note that the two thresholds differ: a breach that poses a risk to data subjects' rights but falls short of serious harm or high risk must be reported to the MTCIT but not, on this reading, to the data subjects themselves, unless the MTCIT orders otherwise under article 31.

The new provisions of the Executive Regulation of the Personal Data Protection Law are a welcome addition that clarifies many of the provisions of the law, and they will hopefully contribute to raising the level of protection afforded to users in Oman.

You can read the Personal Data Protection Law and its newly issued executive regulation in full in English at the links below: