Introduction:
This policy has been developed in compliance with Royal Decree No. 6/2022 issuing the Personal Data Protection Law and its executive regulations issued by Ministerial Resolution No. 34/2024. This policy aims to determine the mechanism and procedures for the personal data owner to exercise his rights stipulated in the law and its executive regulations and the company’s obligations to ensure the implementation of the necessary procedures to protect personal data.
Definitions:
- Law: Social Protection Law.
- Regulation: Executive Regulations of the Personal Data Protection Law.
- Personal data: data that makes a natural person known, or identifiable, directly or indirectly, by reference to one or more identifiers, such as name, civil number, electronic identifier data, or spatial data, or by reference to one or more factors specific to genetic, physical, mental, psychological, social, cultural, or economic identity.
- Processing: an operation or set of operations performed on personal data, including collecting, recording, analyzing, organizing, storing, modifying, altering, retrieving, reviewing, coordinating, combining, blocking, erasing, canceling, or disclosing them, by sending, distributing, transferring, transforming, or making them available by other means.
- Personal data owner: a natural person who can be identified through his or her personal data.
- Controller: a person who determines the purposes and means of processing personal data and carries out this processing himself or herself or entrusts it to another.
- Processor: the person who processes personal data on behalf of the controller.
- Disclosure: enabling a third party, by any means and for any purpose, to access, view, obtain or use personal data.
- Personal data breach: unlawful access to personal data in a manner that leads to its destruction, alteration, disclosure, access or processing in an unlawful manner.
Personal Data Protection Compliance Officer Appointment
Article (1)
- Mr. Nadir bin Ali Al Habsi - Senior Compliance Officer in the Legal Affairs and Compliance Department is appointed as Personal Data Protection Compliance Officer to undertake the following tasks:
- Providing proposals and consultations to the controller or processor regarding their obligations stipulated in the law, regulations and the present policy.
- Following up on the implementation of the controller or processor's policies related to the protection of personal data.
- Following up on the implementation of the controller or processor's obligations stipulated in the law and regulations.
- Coordinating with the competent department at the Ministry of Transport, Communications and Information Technology on matters related to the processing of personal data.
Personal data subject rights
Article (2)
- Personal data may only be processed within the framework of transparency, honesty, respect for human dignity, and after the express consent of the personal data subject.
- The request to process personal data must be in writing and in a clear, explicit and understandable manner, and the controller is obligated to prove the written consent of the personal data subject to process his data.
Article (3)
The personal data subject has the right to:
- Revoke his consent to the processing of his personal data, without prejudice to the processing that took place prior to the revocation.
- Request to amend, update or block his personal data.
- Obtain a copy of his processed personal data.
- Transfer his personal data to another controller.
- Request the erasure of his personal data unless such processing is necessary for national preservation and documentation purposes.
- Be notified of any breach or violation of his personal data, and of the measures taken in this regard.
Article (4)
The personal data subject may submit a written request to the controller to exercise any of his rights stipulated in Article 3 of this policy free of charge, and the controller must decide on the request within a period not exceeding (45) forty-five days from the date of receipt of the request. The personal data subject may request that the processing of his personal data be suspended until the request is decided. The controller may also reject the personal data subject’s request, in part or in full, if the request is unjustifiably repetitive, or if its implementation requires an extraordinary effort. The personal data subject must be notified of the rejection decision with reasons within the same period referred to above.
Article (5)
The personal data owner has the right to request the erasure of his personal data from the controller in any of the following cases:
- If the purpose of the processing has ended.
- If he revokes his consent to the processing of his data.
- If the data processing does not comply with the provisions of the law or regulation.
The controller may - as the case may be - reject the request of the personal data owner in the following cases:
- Implementing a legal obligation imposed on the controller under any law, judgment or judicial decision.
- The existence of an existing dispute between the controller and the personal data owner.
Article (6)
The personal data subject has the right to request from the controller a copy of his processed personal data in a readable and clear electronic or paper format, provided that the copy provided to him is free of any personal data that identifies another person.
Article (7)
The personal data subject has the right to transfer his personal data to a new controller, provided that the controller transfers the personal data to the new controller if he is legally obliged to do so.
Obligations of the controller and processor
Article (8)
The controller may, in order to process personal data, contract with the processor, and the processor shall be, in his relationship with third parties in the services he provides, a representative of the controller, within the scope of applying the provisions of civil liability and administrative liability before the Ministry, and without prejudice to the criminal liability of the processor for any violation of the provisions of the law and regulations.
Article (9)
The controller is obligated, before processing personal data, to obtain the express consent of the personal data subject. The following conditions must be met for the consent to be valid:
- The consent must be issued by a person of full legal capacity.
- The consent must be issued in a clear manner and without coercion.
- The consent must be in writing, electronically, or by any other means specified by the controller.
Article (10)
The controller is obliged to establish controls and procedures that must be adhered to when processing personal data, and must include in particular the following:
- Identifying the risks that may be incurred by the owner of personal data as a result of the processing.
- Procedures and controls for transferring and converting personal data.
- Technical and procedural measures to ensure that the processing is carried out in accordance with the provisions of the law.
Article (11)
The controller is obligated, before starting to process any personal data, to notify the personal data owner in writing of the following:
- Data of the controller and the processor.
- Contact details of the personal data protection officer.
- The purpose of processing the personal data, and the source from which it was collected.
- A comprehensive and accurate description of the processing and its procedures, and the degrees of disclosure of personal data.
- The rights of the personal data owner, including the right to access, correct, transfer, and update the data.
- Any other information that may be necessary to fulfill the processing conditions.
Article (12)
The controller or processor must obtain the explicit consent of the child’s guardian before processing his or her personal data. The controller or processor may request from the child a minimum of the guardian’s data, for the purpose of verifying his or her identity and obtaining his or her consent.
Article (13)
The controller or processor must determine and provide how the child’s guardian can access the child’s personal data, in order to update and amend it.
Article (14)
The controller or processor may not disclose or share the child’s personal data with third parties except after obtaining the explicit consent of the guardian.
Article (15)
The guardian, trustee or custodian of a person who is incapacitated, defective or incompetent shall act on his behalf and the provisions relating to children shall apply to the processing of his personal data.
Article (16)
The controller must, before sending any advertising, marketing or commercial material to the personal data subject, commit to the following:
- Obtaining the written consent of the personal data subject.
- Notifying the personal data subject of the means of sending advertising, marketing or commercial materials.
- Determining the mechanism for stopping the reception of advertising, marketing or commercial materials.
- Stopping the sending of advertising, marketing or commercial materials immediately upon receiving a request to stop from the personal data subject, and without charge.
Article (17)
The controller is committed to ensuring the confidentiality of personal data in accordance with the following controls and procedures:
- Establishing, using and activating electronic systems to prevent unauthorized access to, leakage, tampering with or misuse of personal data.
- Establishing systems to recover personal data in the event of a physical or technical accident.
- Existence of testing processes for the effectiveness of the technical procedures in place.
Article (18)
The controller or processor is obligated to retain the processing documents, taking into account the following controls:
- The reason for retaining the processing documents must be specific and legitimate.
- A retention period must be specified that is commensurate with the purpose of the processing.
- Technical protection systems must be provided for the secure retention of the processing documents.
Article (19)
The controller or processor shall be obliged to create a special record of personal data processing activities, which shall include at least the following:
- Data of the personal data protection officer.
- Description of the categories of personal data it has, and data of persons authorized to access personal data.
- Time periods for processing, its restrictions and scope.
- Mechanism for erasing, amending or processing personal data it has.
- Purpose of processing personal data.
- Parties to whom personal data is disclosed and purposes of disclosure.
- Data of any party to which personal data is transferred or converted.
- Any data related to the movement and processing of personal data across borders.
- Technical and organizational measures related to information security and processing operations.
- Any breaches of personal data, including the facts surrounding the breach and its effects, and the remedial or corrective action taken.
Transfer and conversion of personal data across borders
Article (20)
The controller is obligated, before transferring or converting personal data outside the borders of the Sultanate of Oman, to obtain the express consent of the owner of the personal data, and that the transfer or conversion of the data does not result in harm to national security or the supreme interests of the state. It is not required to obtain the consent of the owner of the personal data in any of the following cases:
- If it is in implementation of an international obligation under an agreement to which the Sultanate of Oman is a party.
- If the transfer or conversion was carried out in a manner that leads to concealing the identity of the owner of the personal data and not linking this data to him and making it impossible to identify him in any way.
Article (21)
The controller is obligated, before transferring or converting personal data outside the borders of the Sultanate of Oman, to ensure that the external processor has an adequate level of protection for personal data that is no less than the level of protection established in the Sultanate of Oman.
Article (22)
The controller shall assess the level of protection provided by the external processor and the risks of transferring or converting personal data, including the following:
- A description of the nature and volume of the personal data to be transferred or converted, and the degree of its sensitivity.
- The purpose of processing the personal data, the scope of processing, and the parties with whom the personal data will be shared.
- The period for processing the personal data, whether it will be carried out on a restricted or occasional basis, one-time only, or on a recurring and regular basis over a limited period.
- The stages of transferring or converting personal data and the countries through which it may pass and determining the destination of the personal data.
- The effects and risks that may result from the transfer or conversion process, and the extent of its impact on the owner of the personal data.
Procedures to be followed in the event of a breach of personal data
Article (23)
The controller must notify the competent authority within a period not exceeding seventy-two (72) hours from the time of becoming aware of the breach if it is likely to lead to a risk threatening the rights of personal data owners.
The notification must include – at least – the following:
- A description and details of the nature of the breached data and the consequences of the breach.
- Data and contact information for the controller or any other point of contact in order to obtain more information.
- A description of the potential impacts of the breach.
- Corrective actions or technical and organizational measures that the controller will take to address the breach, including – where necessary – proposed measures to mitigate potential negative impacts.
Article (24)
In the event of a breach of personal data, the controller is obligated to notify the owner of the personal data within a period not exceeding 72 (seventy-two) hours from becoming aware of the breach, if such breach is likely to cause serious harm or high risks to the owner of the personal data, and the notification must include the following:
- The type and nature of the breach.
- Details of the personal data that has been breached.
- Recommendations to limit or mitigate the effects of the breach, if necessary.
Article (25)
The controller is obligated to document cases of personal data breaches, state their causes and consequences, and the corrective actions or technical and organisational measures that have been taken, and to keep them in accordance with the period specified by the competent administration.