The Personal Data Protection Law has introduced a number of unique rights to data subjects that we have not seen in Oman before, the mechanism by which these rights can be enforced has now been clarified in the recently issued Executive Regulation of the Personal Data Protection Law. This blog post will provide an outline of some of the most important data subjects’ rights and the mechanism for enforcing them.
The rights of data subjects are stipulated in article 11 of the Personal Data Protection Law, which are (1) the right to revoke the consent to processing personal data; (2) the right to request to have one’s personal data amended, updated, or blocked; (3) the right to obtain a copy of one’s processed personal data; (4) the right to transfer one’s personal data to another controller; (5) the right to request the erasure of one’s personal data; and (6) the right to be notified of a breach involving one’s personal data.
The Executive Regulation of the Personal Data Protection Law has clarified that requests by a data subject to a data controller to enforce these rights must be fulfilled free of charge within a period of 45 days.
The executive regulation also provides restrictions on the right to request the erasure of one’s personal data, i.e. the right to be forgotten, by stipulating that this right can only be exercised in the cases provided in article 18 such as requesting the data to be erased when the purpose of the processing ends.
The right to obtain a copy of the processed personal data has also been detailed in article 19 of the executive regulation which states that the data subject has the right to request from the controller the data in a readable and clear electronic or paper format, provided that this data does not include any personal data of third parties.
The executive regulation allows the controller to refuse to fulfil requests by a data subject on a number of grounds. In regard to all data subject requests, article 17 permits the data controller to deny the request if the request is unjustifiably repetitive or if its implementation requires extraordinary effort. Furthermore, article 18 provides grounds for refusing erasure requests in particular, which are cases where a legal obligation is imposed on the controller by virtue of any law or court judgment, or if there is an ongoing dispute between the controller and the data subject.
The executive regulation gives data subjects the right to complain to the Ministry of Transport, Communications, and Information Technology (MTCIT) of any violation committed, including those by a data controller in regard to a data subject right. Under article 41, the complaint must be filed within 30 days from the date of learning of the violation. Under article 43, the MTCIT can take up to 60 days to respond to the complaint, and if the MTCIT does not respond within this time period, the complaint is deemed rejected.
The new details found in the Executive Regulation of the Personal Data Protection Law provide further clarifications on the nature and limitations of the data subject rights. However, individuals must be aware of the time limits associated with complaints to be able to enforce these rights against data controllers.
You can read the Personal Data Protection Law as well as its newly issued executive regulations in full in English on the links below: