Oman PDPL

Personal Data Protection Law (Royal Decree No. 6/2022)

Key Facts

Effective Date: February 5, 2026
Enacted: February 9, 2022
Enforcing Authority: Ministry of Transport, Communications and Information Technology (MTCIT)
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Oman

Overview

Oman's PDPL is one of the strictest data protection laws in the Middle East, enacted in 2022 with full enforcement from February 2026. The law mandates written consent with no legitimate interests basis — stricter than GDPR. The tiered penalty structure escalates from OMR 500 for notification failures to OMR 500,000 for unlawful cross-border data transfers, the highest single penalty under the law.

What This Means for Your Website

  • Written consent is mandatory before processing personal data of Omani visitors
  • There is no legitimate interests basis — consent or another explicit lawful basis is required
  • Standard implied consent or browsing-based consent mechanisms are insufficient
  • Cross-border data transfers face strict controls with the highest penalties (OMR 500,000)
  • Data subjects can revoke consent and request modification or deletion
  • DPO appointment is required for certain processing activities

Key Requirements

MTCIT enforces the law with a tiered penalty structure: OMR 500-2,000 for notification failures, OMR 1,000-5,000 for processing violations, OMR 15,000-20,000 for sensitive data and children's data violations, and up to OMR 500,000 for unlawful cross-border transfers. The absence of a legitimate interests basis means consent is the primary lawful mechanism for most website data processing.

How ConsentStack Handles This

ConsentStack applies strict opt-in consent collection for Omani visitors, supporting the written consent requirement and ensuring no data processing occurs without explicit authorization.

Penalties

OMR 500-2,000 (notification failures). OMR 1,000-5,000 (processing violations). OMR 15,000-20,000 (sensitive data/children/breach response). Up to OMR 500,000 (unlawful cross-border transfers).

Maximum Fine
OMR 500,000 per violation

Key Requirements

  • Written consent mandatory before processing personal data
  • NO legitimate interests basis for processing (stricter than GDPR)
  • Data subjects have rights to revoke consent, request modification, and deletion
  • DPO appointment required for certain processing activities
  • Data breach notification required
  • Cross-border transfers subject to strict controls

Notable Provisions

  • STRICT consent model: NO legitimate interests, written consent mandatory
  • Tiered penalties escalating by violation severity
  • OMR 500,000 for unlawful cross-border transfers (highest single penalty)
  • Full enforcement from February 2026 after extended transition period

Other Middle East & North Africa Regulations

KSA PDPL: Kingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.

UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.

Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.

Israel PPL Amendment 13: State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.

Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

Why is Oman's consent model stricter than GDPR?

Oman's PDPL has no legitimate interests basis for processing and requires written consent — GDPR allows legitimate interest as a lawful basis without explicit consent.

What is the highest penalty under the Oman PDPL?

OMR 500,000 for unlawful cross-border data transfers, reflecting the law's strict stance on international data flows.

When does full enforcement begin?

Full enforcement began in February 2026, after an extended transition period from the law's enactment in February 2022.
