
4 Differences Between the Personal Data Protection Law and the Personal Data Protection Policy

Data protection is the legal framework that protects personal data from unauthorised access and upholds individual privacy. The two main instruments governing this area of law in Oman are the Personal Data Protection Law (and its executive regulation) and the Personal Data Protection Policy of the Units of the Administrative Apparatus of the State. While there are similarities between the two, this article will highlight four major differences most people don’t know.

Scope of Application

The biggest difference between the two instruments is their scope. The policy applies to personal data held by the government, while the law applies to everyone else. This is peculiar because government entities are amongst the largest collectors of personal data (the government collects data for public services such as healthcare and education), and they should be held accountable under the law, which, as will be shown below, has more obligations and restrictions.

Legal Effect

Although policies in Oman are expected to be followed, they are not legally binding and merely serve as guidelines. Accordingly, while the Personal Data Protection Law is legally binding, the Personal Data Protection Policy is not. This means that the provisions of the policy serve as recommendations rather than requirements.

Nature of Rights

Personal data protection legislation is usually comprehensive, as it covers the rights of data subjects, the obligations of data controllers, and the means by which data is received and transferred. These areas are all covered in great detail in the Omani Personal Data Protection Law, but are only vaguely outlined in the Personal Data Protection Policy, which serves to offer practical guidelines for the procedures of implementing the concepts of data protection.

Data Protection Officer

Under the Personal Data Protection Law, it is mandatory to appoint a data protection officer (DPO) as an expert who upholds the integrity of data processing and keeps their respective entity in check. Lacking a DPO is illegal, and could potentially invite heavy fines. No such mandate is found in the Personal Data Protection Policy, which is problematic since government entities are exempt from the law. This weakens accountability and proficiency, and leads to inconsistent data processing methods.

Conclusion

These were four important differences between the Personal Data Protection Law and the Personal Data Protection Policy. It must be noted that entities are expected to comply with both legal instruments by 2026.

It is highly recommended that you review these two important legal instruments. You can read both documents in full in English at the link below: