Oman personal data protection law: entering the enforcement phase
Oman’s Personal Data Protection Law is now fully enforceable as of 5 February 2026, marking the end of the transition period introduced under Royal Decree No. 6/2022 and its Executive Regulations. With the Ministry of Transport, Communications and Information Technology now actively overseeing compliance, organisations processing personal data in Oman must ensure their practices meet the law’s core requirements, including explicit consent, clear privacy notices, procedures for handling individuals’ rights, appointment of a DPO, controls on cross‑border transfers, and timely breach notification. Now that enforcement has commenced, organisations should confirm their frameworks are up to date to mitigate regulatory and operational risks. In this article, we outline the key obligations now in force and the steps organisations should take to ensure compliance and minimise exposure.
Overview
Issued under Royal Decree No. 6/2022, Oman’s Personal Data Protection Law (the PDPL), together with its Executive Regulations issued pursuant to Ministerial Decision No. 34/2024 (the Executive Regulations), establishes an extensive framework governing the processing and protection of personal data in the Sultanate of Oman.
The PDPL is primarily regulated and enforced by the Ministry of Transport, Communications and Information Technology (the Regulator), which is the official body responsible for overseeing data protection compliance, issuing guidance, and handling complaints.
The PDPL applies broadly to personal data processing activities carried out in Oman, subject to limited exceptions, including matters of national security, public interest, compliance with legal obligations, and the protection of vital interests.
Unlike the GDPR, the Omani PDPL does not expressly provide for extra-territorial application. Its scope is framed by reference to personal data processing activities carried out within Oman, and there is currently no guidance from the Regulator indicating that the law applies to controllers or processors solely by virtue of being established outside Oman or targeting individuals in Oman. That said, organisations not established in Oman may still be indirectly affected, particularly where they process personal data in Oman, receive personal data transferred from Oman, or are engaged as service providers to Omani entities.
PDPL Enforcement Status
Following the extension introduced by Ministerial Decision No. 6/2025, the transition period for compliance with the PDPL concluded on 5 February 2026, marking the point at which the PDPL became fully enforceable and the Regulator assumed its active supervisory and enforcement role.
Organisations processing personal data in the Sultanate of Oman should now ensure that their policies, systems, and practices are fully aligned with the requirements of the PDPL and its Executive Regulations. Non-compliance may now attract regulatory scrutiny and enforcement action.
Key Compliance Obligations
Given the end of the transition period, organisations should now ensure they meet the PDPL’s requirements. The principal obligations to be aware of are summarised below:
Lawful Processing and Consent
Organisations must obtain explicit and informed consent from data subjects before processing personal data, unless a statutory exclusion to the PDPL applies. At present, it remains unclear whether these statutory exclusions operate as standalone lawful bases, and further guidance from the Regulator is expected. Any consent must be freely given, unambiguous, and capable of being verified.
Transparency and Privacy Notices
Organisations are required to provide data subjects with clear written information regarding the controller, the purpose and nature of processing, the source of personal data, and the rights available under the PDPL. Privacy notices should be accurate, accessible, and communicated prior to data collection.
Since Oman’s official language is Arabic, it is customary and practically necessary that privacy notices be provided in Arabic to comply with general standards and ensure clear communication with data subjects. Organisations may also provide dual or multi‑language versions (for example, Arabic and English), but the Arabic version should be treated as the primary reference for compliance and clarity.
Data Subject Rights
Data subjects have rights to withdraw consent, request correction or deletion of personal data, obtain copies, and request data portability.
Organisations must respond to written requests within 45 days and may need to suspend processing while the request is being addressed. Requests may be refused only in limited circumstances, provided that clear reasons are communicated. This means organisations need to maintain documented policies and procedures in advance, so that they are prepared to handle any requests promptly and in compliance with the PDPL.
Cross-Border Transfers
Transfers of personal data outside Oman require the explicit consent of the data subject and must not prejudice national security or higher national interests. Organisations must ensure that recipient jurisdictions provide protections equivalent to the PDPL. In addition, if any sensitive data is being transferred, the Cyber Defence Centre’s approval may be required.
Appointment of a Data Protection Officer
Organisations must appoint a Personal Data Protection Officer (DPO) and make their contact details publicly available. The DPO serves as the primary point of contact for data subjects and the Regulator.
The Regulator has communicated a preference for the DPO to be physically located in Oman, to facilitate timely and effective communication if required.
Personal Data Breach Notification
Organisations must notify the Regulator within 72 hours of any personal data breach that may pose a risk to data subjects’ rights. Notifications should include the nature, impact, and mitigation measures of the breach. Where the breach is likely to result in serious harm or high risk to individuals, affected data subjects should also be notified within the same 72-hour timeframe.
Penalties for Non-Compliance
Non-compliance may result in administrative penalties, including warnings, suspension or cancellation of processing permits, and fines of up to OMR 2,000 per violation.
As organisations enter the enforcement phase, it is important to assess whether existing policies, systems, and operational processes align with the PDPL’s requirements, not only on paper but in day‑to‑day practice. This includes reviewing how consent is collected, how privacy information is communicated, how rights requests are managed, and whether governance structures such as DPO oversight and breach response procedures are functioning effectively.
How We Can Help
Our team can support organisations at every stage of PDPL compliance, including:
- conducting gap assessments and compliance audits;
- developing and updating policies, privacy notices, consent mechanisms, and PDPL-compliant data processing, sharing and transfer agreements;
- advising on the handling of data subject rights and providing incident response support, including guidance on breach notification obligations;
- advising on cross-border transfers and DPO appointment; and
- providing guidance on regulatory engagement and readiness.
Contact us to discuss how we can help ensure your organisation meets its PDPL obligations.