At the outset, article 11 of the Personal Data Protection Law stipulates that data subjects enjoy the right to be notified of any breach or infringement of their personal data, and also of the actions taken in regard to such breaches. Article 19 of the law imposes a corresponding obligation on the data controller to report data breaches to both the data subject and the Ministry of Transport, Communications, and Information Technology (MTCIT). Failure to comply with this obligation is punishable by a fine ranging between 15,000 Rial Omani and 20,000 Rial Omani.

The newly issued Executive Regulation of the Personal Data Protection Law has introduced several new provisions that outline in detail the obligations of data controllers as well as the rights of data subjects in regard to data breaches. First of all, data controllers wishing to apply for a permit to process sensitive data are required to include in their application the precautionary measures they adopt in the event of a data breach. Both data controllers and data processors are also required to keep a record of all data breaches they experience in a special register along with the facts surrounding the breach, its effects, and the actions taken in regard to them.

Secondly, the executive regulation sets the deadline for reporting a breach to the MTCIT at 72 hours from the time of knowledge of the breach if the breach is capable of leading to a risk that threatens the rights of data subjects. We understand this to mean that data breaches that do not have an impact on personal data do not have to be notified to the MTCIT. Article 30 of the regulation provides in detail the information that needs to be included in the data breach notification to be sent to the MTCIT.

Once notified, the MTCIT has the right under article 31 of the executive regulation to evaluate the procedures undertaken by the controller, to order him to notify data subjects of the breach, and to provide guidance and support to the data controller.

In all cases, the data controller also has a separate obligation to notify the data subject of a data breach within 72 hours of his knowledge of it, if such breach is capable of causing serious harm or high risk to the data subject. We understand this to mean that breaches that are not expected to cause serious harm to a data subject do not need to be notified to the data subject.

The new provisions found in the Executive Regulation of the Personal Data Protection Law are a welcome addition for clarifying many of the provisions found in the law, and they would hopefully contribute to increasing the level of protection afforded to users in Oman.

You can read the Personal Data Protection Law as well as its newly issued executive regulations in full in English on the links below:

Written by:

Rayan Al-Habsi

Rayan is a legal intern at Decree and a recent LLB law graduate from the University of Nottingham. Prior to joining Decree, Rayan trained in corporate and commercial sectors. She has an interest in corporate, renewables, and CSR, as well as technological incorporations into the legal field.

The new decision requires law firms to receive any payments equal to or exceeding the value of 500 Rial Omani through bank transfers only. For amounts less than 500 Rial Omani, it is permitted for law firms to receive cash payments provided that a receipt is issued in regard to the payment confirming the amount received and the purpose of the payment. Violations of this new decision will be considered violations of the Law of Combating Money Laundering and Terrorism Financing.

This new decision enters into force tomorrow. You can read it in full in English on the link below:

When Does the Savings System Come into Effect?

According to article VI(5) of Royal Decree 52/2023 Promulgating the Social Protection Law, a decision must be issued by the Board of Directors of the Social Protection Fund to fix the date on which the savings system comes into force. This date will not exceed July 2026.

How Does the Savings System Apply to Expatriate Employees?

According to article 136 of the Social Protection Law, the savings system applies compulsorily to expatriate employees. Article 97 of the executive regulation clarifies the different ways in which expatriate employees will be registered in the savings system, which must not exceed 30 days from their employment. The executive regulation also allows the fund to register expatriate employees with retroactive effect, but not before the date of entry into force of the savings system, if it finds that they are not registered in the savings system.

What is the Main Function of the Savings System for Expatriate Employees?

The practice under the now-repealed Labour Law of 2003 was when an expatriate employee worked for the same employer for 1 year or more, the employee was entitled to an end-of-service gratuity for his period of service amounting to: The wage of 15 days for each year of service for the first 3 years plus the wage of 1 month for each of the following years.

Article 137 of the Social Protection Law states that the savings system will replace this end-of-service gratuity when it comes into effect. Until that time, the employer must pay the end-of-service gratuity in accordance with article 61 of the Labour Law of 2023. This article contains a mechanism to settle the contributions of expatriate employees whose service spans both the old gratuity system and the savings system.

How Does the Savings System Operate?

Article 139(1) of the Social Protection Law shows that the main way in which the savings system will be financed is through 9% of the monthly basic wage of expatriate employees paid by employers. The executive regulation clarifies that every expatriate employee subject to the savings system must have a personal account in the system, and that the savings amount paid in his favour must be in Rial Omani and not less than 100 Rial Omani at each time.

Article 101 of the executive regulation provides that the savings amount must be paid by employers within 15 days of the next month. Failure to comply with this will lead to an additional charge of 8% (eight percent) annually of the total savings amount due to the fund on employers.

What is the ROI on the Savings?

Article 141 of the Social Protection Law sets out that a saver in the savings system is entitled to the savings amount and the returns on its investment (ROI), and that the regulation will specify a minimum ROI. Article 104 of the executive regulation specifies that the minimum ROI for savings is 2% (two percent) per year. Article 106 outlines that the Social Protection Fund shall announce the ROI for each year not later than the first quarter of the following year.

How and When Are the Savings Paid Out?

The savings are paid out in the cases provided for in article 143 of the Social Protection Law. This includes the end of the employment relationship of the expatriate employee, unless he enters into another employment contract within the period specified by the regulation. Article 109 of the executive regulation clarified that this period is 3 months, and that the saver is entitled to his savings if he leaves Oman or if this 3-month period passes and he does not have a job.

Other cases for the disbursement of the savings include the death of the saver, in which case the savings are paid to the legal heirs and permanent disability.

Article 142 of the law stipulates that the savings can be paid in 2 ways based on the request of the saver: A one-time payment or an annual or monthly instalment.

What Happens if Someone Exits the Savings System?

Article 144 of the Social Protection Law provides that the saver must notify the Social Protection Fund if he exits the savings system, in the manner specified by the regulation, and that the regulation will specify the fines if the saver does not do so. The regulation specifies that the saver must notify it within 1 month from the date he leaves the savings system, but does not provide for a fine. Instead, the minimum ROI applies to the savings when the savings system no longer applies to him for 1 year and without any ROI after this year.

Written by:

Rayan Al-Habsi

Rayan is a legal intern at Decree and a recent LLB law graduate from the University of Nottingham. Prior to joining Decree, Rayan trained in corporate and commercial sectors. She has an interest in corporate, renewables, and CSR, as well as technological incorporations into the legal field.