Data protection & privacy laws in Oman (2026)

The Ministry of Transport, Communications and Information Technology (MTCIT) is the primary data-protection regulator. Its Personal Data Protection Department receives complaints, handles breach reports, issues processing permits, and conducts judicial enforcement activities.

Personal data may only be processed within a framework of transparency, honesty, and respect for human dignity; express written consent of the data subject is generally required before processing, with limited statutory exceptions.

Data subjects have the right to withdraw consent, access, correct, update or delete their data, and receive notification of any breach affecting their personal data. The Executive Regulations also recognise a right to data portability.

Controllers are required to appoint a Data Protection Officer. The Executive Regulations specify the selection criteria and duties of the DPO.

Non-sensitive personal data may be transferred outside Oman with the data subject's consent, provided it does not prejudice national security. Transfers of sensitive personal data require prior approval from the Cyber Defense Center; the receiving entity must maintain protection standards no lower than those under the PDPL.

The law's most severe penalty is a fine of up to OMR 500,000 (approximately USD 1.3 million) for the unlawful transfer of personal data outside Oman. Lesser fines apply for other violations.