COVID-19 and Data Privacy – Checklist
22 Mar 2020

Overview

This checklist aims to cover the Omani laws touching on privacy and data security requirements. In Oman, privacy and security are at present treated together in the laws, so our coverage of data privacy in COVID-19 times includes elements of security law. The most commonly encountered areas are general privacy, medical data, data of children and biometric data. COVID-19 will also give rise to increased levels of home working, with a corresponding threat to data transferred under unsecured conditions. However, this checklist covers only what affects organisations collecting or coming into contact with personal data, such as travel and quarantine data during COVID-19 times, and the impact on data protection practices.

Flow of the document

The information is in an “if/then” format. The first column of the checklist sets out a number of privacy-related activities in which the client may be engaged, preceded by the word “If”. For example, one of the entries is: “If you collect biometric information, such as a retina or iris scan or a fingerprint”. The subsequent “then” columns contain pointers to laws and regulations within the relevant jurisdiction that the user should consult.

General Considerations

If personal data is processed, then consider the applicability of the following to your organisation:

Relevant law:

  • Oman Sultani Decree No. 60/2007 National Records Archiving Law
  • Oman Sultani Decree No. 69/2008 E-Transactions Law
  • Oman Sultani Decree No. 12/2011 Cyber Crime Law
  • Oman Sultani Decree No. 55/2019 Statistics and Information Law

Summary of requirements:

Oman Sultani Decree No. 60/2007 and Oman Sultani Decree No. 12/2011 outline penalties for the unauthorised access, use and destruction of personal data. Additionally, Oman Sultani Decree No. 69/2008 Electronic Transactions Law (chapter seven) sets out specific requirements for personal data protection. Oman Sultani Decree No. 55/2019 deals with the collection, processing and distribution of processed data (not raw data).

Consideration: Personal data means

Relevant law: Open data policy of ITA

Summary of requirements:

Personal data is data which contains information about a specific individual.

If the data that you are processing contains information relating to an identified or identifiable natural person (it is important to note that this includes indirect identification, e.g. if the person could be identified in combination with other data you may hold about him or her), such as:

  • Name
  • Address
  • ID number
  • Location data/geolocation data
  • Online identifier/IP address
  • Other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person,

then it cannot be treated as open data.

Consideration: Do you have a legal basis for processing personal data?

Relevant law: Articles 43-49 of Oman Sultani Decree No. 69/2008

Summary of requirements:

If you are processing personal data, you must have a legal basis for doing so.

There are six possible legal bases for processing personal data. Most legal bases require that the processing is necessary for the relevant purpose.

1. Consent

The individual has given clear consent for you to process his personal data for a specific purpose.

Consent must be:

  • Freely given
  • Specific and informed
  • Unambiguous and a clear affirmative action

N.B. If you are relying upon the consent basis, a higher standard is imposed than that which was imposed under prior law.

2. Contract

The processing is necessary for the performance of a contract you have with the individual, or because the individual has asked you to take specific steps before entering into a contract.

3. Legal obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

Article 45 of Oman Sultani Decree No. 69/2008 mandates that any person who controls any personal data by virtue of his job in electronic transactions shall, before processing such data, notify the person from whom it is collected, by a designated notice, of the procedure he is following to protect those data. These procedures shall include:

  • an identification of the person responsible for processing the data and the nature of the data;
  • the purpose, methods and locations of processing; and
  • all information necessary to ensure secured data processing.

Oman is a signatory to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which set out basic rules governing transborder data flows and the protection of personal information and privacy in order to facilitate the harmonisation of data protection law between countries.

According to Article 49 of Oman Sultani Decree No. 69/2008, “when the personal data are supposed to be transferred outside Oman, regard shall be had to the security of such information, in particular:

  • (a) Nature of personal data.
  • (b) Source of information and data.
  • (c) Purpose for which the data are to be processed and duration of process.
  • (d) The country of destination where the data were transferred, its international obligation, and the law applicable.
  • (e) Any related rules applied in that country.
  • (f) The security measures taken to secure that data in that country.”

Consideration: Data subjects’ rights: the right to be informed.

Relevant law: Articles 45 and 49 of Oman Sultani Decree No. 69/2008

Summary of requirements:

Individuals have the right to be informed about the collection and use of their personal data.

The organisation must give information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The following information must be provided:

  • identity and contact details of the controller
  • purposes of processing and legal basis
  • where based on legitimate interests, what these are
  • recipients/categories of recipients
  • right to withdraw consent
  • right to lodge a complaint with the Supervisory Authority
  • where providing data is a legal/contractual obligation, the consequences of not doing so
  • any automated decision making/profiling
Consideration: Data subjects’ rights: the right to erasure (also known as the “right to be forgotten”).

Summary of requirements:

Data subjects’ right to ask for erasure of personal data is not clear under the law.

However, the right is clearly not applicable if the processing is necessary for:

  • exercising the right of freedom of expression and information
  • compliance with a legal obligation, or for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the organisation
  • reasons of public interest in the area of public health
  • archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
  • establishment, exercise or defence of legal claims.
Consideration: Security

If you are processing personal data, you must ensure that you have appropriate technical and organisational measures in place.

Relevant law: Ministry of Technology and Communication – Data and Information Systems Security Classification Mapping [1], p. 7, based on Oman Sultani Decree No. 118/2011.

Summary of requirements:

Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

You must have appropriate security systems in place to ensure that the personal data you hold is not compromised.

Appropriate measures may include the following:

  • pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore availability and access to data in a timely manner in the event of a physical or technical incident
  • a process for regular testing, assessment and evaluation of the effectiveness of the measures.

Data Controllers and Data Processors

If you are a data controller or a data processor, then consider the applicability of the following to your organisation:

Consideration: Data Protection Impact Assessments

If you are a controller and you are carrying out processing which is likely to result in a high risk to the rights and freedoms of individuals, then you must be aware of the consequences under Oman Sultani Decree No. 118/2011 for non-compliance.

Summary of requirements:

Article 4 of Oman Sultani Decree No. 118/2011, the Confidentiality Classification Law, imposes a penalty of imprisonment for a period of not less than three years and not exceeding 5 years, and a fine of not less than one thousand Omani riyals and not more than three thousand Omani riyals, or one of these two penalties, on anyone who discloses or keeps a document classified as “top secret” or “secret” without being permitted to do so.
  • fair and transparent processing;
  • legitimate interests pursued by controllers; collection of personal data;
  • the pseudonymisation of data;
  • information provided to the public and data subjects; exercise of the rights of data subjects;
  • information provided to and the protection of children;
  • technical and organisational measures, including data protection by design and by default and security measures;
  • notifications of breaches to the supervisory authorities and individuals;

You can sign on to a code of conduct which is relevant to the processing activities which your organisation carries out.

Special Categories of Data

If you are processing special category data such as racial, political or genetic data, data of children, financial data, medical data, biometric data or criminal records, then consider:

Consideration: Children

Summary of requirements:

If you are processing the data of children and you are relying upon the “consent” basis for processing, there are specific conditions that must be complied with.

The law is not clear at the moment, but in Oman the ROP usually contacts and relies on the consent of the closest male family member of the child.

Consideration: Health data

Summary of requirements:

If you are processing health data, i.e. data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about that person’s health status, it is treated as special category data.

Decisions and circulars issued by the Ministry of Health must be adhered to.

Consideration: Employee data

Summary of requirements:

You must have a legal basis for processing employee data; you are likely to be relying upon the “necessary for performance of a contract” legal basis.

If you are processing special category data, there is a specific ground dealing with employment relationships (“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of your organisation or of the individual in the field of employment, social security, social protection law, or a collective agreement”).