Starting from February 5, 2026, a new reality has dawned for entities handling personal data in Oman: the transitional period for the implementation of the Personal Data Protection Law (PDPL) has officially concluded. This means that the requirements of the PDPL have become mandatory, and regulatory authorities have commenced active supervision and enforcement of sanctions. In this article, we examine the chronology of events, the key provisions of the law, and why modern information security systems have become indispensable for businesses operating in Oman.

The Personal Data Protection Law (PDPL) was adopted on February 9, 2022, by Royal Decree No. 6/2022 and officially published on February 13 of the same year. It replaced the more limited data protection regime outlined in Chapter 7 of the Electronic Transactions Law, establishing a modern legal framework for the processing of personal data. In February 2023, the law officially entered into force; however, businesses and government entities were granted a transitional period to adapt to its requirements and provisions. A year later, in January 2024, the Ministry of Transport, Communications and Information Technology (MTCIT) issued the Executive Regulation (Ministerial Decision No. 34/2024), which detailed the provisions of the law. Finally, on February 5, 2026, the adaptation period came to an end, and from that date, the law has been in full legal force, with the regulator commencing comprehensive supervision and enforcement of liability measures.

The primary supervisory authority responsible for the implementation and oversight of the PDPL is the Ministry of Transport, Communications and Information Technology of the Sultanate of Oman (MTCIT). The Ministry has the authority to issue permits for the processing of personal data, conduct inspections and investigations, and impose fines in cases of non-compliance.

The PDPL has enshrined the rights of Omani citizens to access their processed data, request rectification, erasure, data portability, and to withdraw previously given consent without hindrance. The controller company is obliged to respond to such requests within a period not exceeding 45 days.

The PDPL establishes a set of rules for all organizations processing personal data within the territory of Oman:

• Processing of data is permitted only with the explicit, informed, and documented consent of the data subject. Consent must be freely given, unambiguous, and verifiable.

• Organizations are required to provide data subjects with clear privacy notices in Arabic, specifying the purposes of collection, categories of data, recipients, and the rights of citizens.

• Organizations must appoint a responsible Data Protection Officer (DPO) and make their contact details public. This officer should be physically located in Oman.

• Transfer of data outside Oman requires enhanced control, as it must not harm national security. The controller must ensure that the recipient country guarantees a level of protection not lower than that of Oman.

• Any personal data breach that may pose a risk to citizens must be reported to MTCIT within 72 hours. If the breach carries a high risk, affected individuals must also be notified.

The law provides for financial sanctions for non-compliance. For each administrative violation, a fine of up to 2,000 Omani Rials (approximately 5,200 USD) may be imposed. For criminal violations, such as unlawful transfer of data outside Oman, the law provides for fines ranging from 100,000 to 500,000 Omani Rials (approximately 1.4 million USD).

What Does the Law's Entry into Full Force Mean for Omani Companies?

With the conclusion of the transitional period, the mere formal existence of data processing policies is no longer sufficient. MTCIT will assess the actual state of data security. Under these conditions, the implementation of specialized information security systems becomes critically important for all organizations processing personal data of Omani citizens.

One of the fundamental tools for ensuring comprehensive data protection and meeting the requirements of any data protection-related regulation are DLP (Data Loss Prevention) systems.

Firstly, DLP systems ensure protection of sensitive data and adoption of technical measures, helping to comply with regulations. The DLP system acts as an active barrier, preventing unauthorized transmission of confidential information through all common channels, including email, messengers, USB devices, and cloud services, thereby preventing leaks of sensitive personal data.

Secondly, DLP systems ensure compliance with strict requirements regarding data localization and cross-border transfer. Organizations must clearly control what data is sent where. A DLP system enables control over data transmission, including preventing the transfer of personal data abroad in the absence of the necessary permission or consent. This is critical in the context of stringent requirements for cross-border data transfer.

Finally, DLP systems help to ensure compliance with two key requirements of the Executive Regulation: rapid incident response and the formation of an evidence base. According to Article 30 of the Executive Regulation, the controller must notify MTCIT of an incident within 72 hours – and robust DLP solutions enable preparation of detailed reports, required for rapid regulatory reporting. Concurrently, the system also helps to fulfill the requirement of Article 28 concerning the maintenance of a register of processing operations and breaches, including gathering and keeping of details, related to consequences of incidents and the corrective measures taken, ensuring full transparency for audits and inspections.

Learn more about how SearchInform's security solutions can help you meet regulatory requirements in our Compliance section. If you are ready to conduct a free audit of your company's data security posture, request a free up to 30-day trial.