COLLECTION OF YOUR INFORMATION
We may collect information about you in a variety of ways. The information we may collect on the Site includes:
Personally identifiable information, such as your name, shipping address, email address, and telephone number, and demographic information, such as your age, gender, hometown, and interests, that you voluntarily give to us [when you register with the Site [or our mobile application,] or] when you choose to participate in various activities related to the Site [and our mobile application], such as online chat and message boards. You are under no obligation to provide us with personal information of any kind; however, your refusal to do so may prevent you from using certain features of the Site [and our mobile application].
Information our servers automatically collect when you access the Site, such as your IP address, your browser type, your operating system, your access times, and the pages you have viewed directly before and after accessing the Site. [If you are using our mobile application, this information may also include your device name and type, your operating system, your phone number, your country, your likes and replies to a post, and other interactions with the application and other users via server log files, as well as any other information you choose to provide.]
The Site [and our mobile application] may by default access your Facebook basic account information, including your name, email, gender, birthday, current city, and profile picture URL, as well as other information that you choose to make public. We may also request access to other permissions related to your account, such as friends, checkins, and likes, and you may choose to grant or deny us access to each individual permission. For more information regarding Facebook permissions, refer to the Facebook Permissions Reference page.
Data From Social Networks
User information from social networking sites, such as [Apple’s Game Center, Facebook, Google+, Instagram, Pinterest, Twitter], including your name, your social network username, location, gender, birth date, email address, profile picture, and public data for contacts, if you connect your account to such social networks. [If you are using our mobile application, this information may also include the contact information of anyone you invite to use and/or join our mobile application.]
Mobile Device Data
Device information, such as your mobile device ID, model, and manufacturer, and information about the location of your device, if you access the Site from a mobile device.
Information from third parties, such as personal information or network friends, if you connect your account to the third party and grant the Site permission to access this information.
Data From Contests, Giveaways, and Surveys
Personal and other information you may provide when entering contests or giveaways and/or responding to surveys.
Mobile Application Information
If you connect using our mobile application:
- Geo-Location Information. We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
- Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device’s [bluetooth, calendar, camera, contacts, microphone, reminders, sensors, SMS messages, social media accounts, storage,] and other features. If you wish to change our access or permissions, you may do so in your device’s settings.
- Mobile Device Data. We may collect device information (such as your mobile device ID, model and manufacturer), operating system, version information and IP address.
- Push Notifications. We may request to send you push notifications regarding your account or the Application. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
USE OF YOUR INFORMATION
Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Site [or our mobile application] to:
- Administer sweepstakes, promotions, and contests.
- Assist law enforcement and respond to subpoena.
- Compile anonymous statistical data and analysis for use internally or with third parties.
- Create and manage your account.
- Deliver targeted advertising, coupons, newsletters, and other information regarding promotions and the Site [and our mobile application] to you.
- Email you regarding your account or order.
- Enable user-to-user communications.
- Fulfill and manage purchases, orders, payments, and other transactions related to the Site [and our mobile application].
- Generate a personal profile about you to make future visits to the Site [and our mobile application] more personalized.
- Increase the efficiency and operation of the Site [and our mobile application].
- Monitor and analyze usage and trends to improve your experience with the Site [and our mobile application].
- Notify you of updates to the Site [and our mobile application].
- Offer new products, services, [mobile applications,] and/or recommendations to you.
- Perform other business activities as needed.
- Prevent fraudulent transactions, monitor against theft, and protect against criminal activity.
- Process payments and refunds.
- Request feedback and contact you about your use of the Site [and our mobile application].
- Resolve disputes and troubleshoot problems.
- Respond to product and customer service requests.
- Send you a newsletter.
- Solicit support for the Site [and our mobile application].
DISCLOSURE OF YOUR INFORMATION
We may share information we have collected about you in certain situations. Your information may be disclosed as follows:
By Law or to Protect Rights
If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.
Third-Party Service Providers
We may share your information with third parties that perform services for us or on our behalf, including payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
With your consent, or with an opportunity for you to withdraw consent, we may share your information with third parties for marketing purposes, as permitted by law.
Interactions with Other Users
If you interact with other users of the Site [and our mobile application], those users may see your name, profile photo, and descriptions of your activity, including sending invitations to other users, chatting with other users, liking posts, and following blogs.
When you post comments, contributions or other content to the Site [or our mobile applications], your posts may be viewed by all users and may be publicly distributed outside the Site [and our mobile application] in perpetuity.
We may use third-party advertising companies to serve ads when you visit the Site [or our mobile application]. These companies may use information about your visits to the Site [and our mobile application] and other websites that are contained in web cookies in order to provide advertisements about goods and services of interest to you.
We may share your information with our business partners to offer you certain products, services or promotions.
[Our mobile application may display a third-party hosted “offer wall.” Such an offer wall allows third-party advertisers to offer virtual currency, gifts, or other items to users in return for acceptance and completion of an advertisement offer. Such an offer wall may appear in our mobile application and be displayed to you based on certain data, such as your geographic area or demographic information. When you click on an offer wall, you will leave our mobile application. A unique identifier, such as your user ID, will be shared with the offer wall provider in order to prevent fraud and properly credit your account.]
[Social Media Contacts
If you connect to the Site [or our mobile application] through a social network, your contacts on the social network will see your name, profile photo, and descriptions of your activity.]
Other Third Parties
We may share your information with advertisers and investors for the purpose of conducting general business analysis. We may also share your information with such third parties for marketing purposes, as permitted by law.
Sale or Bankruptcy
We are not responsible for the actions of third parties with whom you share personal or sensitive data, and we have no authority to manage or control third-party solicitations. If you no longer wish to receive correspondence, emails or other communications from third parties, you are responsible for contacting the third party directly.
Cookies and Web Beacons
You should be aware that getting a new computer, installing a new browser, upgrading an existing browser, or erasing or otherwise altering your browser’s cookies files may also clear certain opt-out cookies, plug-ins, or settings.
SECURITY OF YOUR INFORMATION
We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties. Therefore, we cannot guarantee complete security if you provide personal information.
POLICY FOR CHILDREN
We do not knowingly solicit information from or market to children under the age of 13. If you become aware of any data we have collected from children under age 13, please contact us using the contact information provided below.
CONTROLS FOR DO-NOT-TRACK FEATURES
OPTIONS REGARDING YOUR INFORMATION
You may at any time review or change the information in your account or terminate your account by:
- Logging into your account settings and updating your account
- Contacting us using the contact information provided below
Emails and Communications
If you no longer wish to receive correspondence, emails, or other communications from us, you may opt-out by:
- Noting your preferences at the time you register your account with the Site [or our mobile application].
- Logging into your account settings and updating your preferences.
- Contacting us using the contact information provided below.
If you no longer wish to receive correspondence, emails, or other communications from third parties, you are responsible for contacting the third party directly.
OMANI PRIVACY RIGHTS
1. THE LAW
1.1. Overview of the privacy/data protection situation
Currently in Oman, there is no comprehensive law dealing with data protection issues. Personal data is protected in limited terms by certain provisions stipulated across a range of laws, as mentioned below.
1.2. Constitutional provisions
Royal Decree No. 101/96 Promulgating the Basic Statute of the State (‘the Basic Statute’) effectively serves as the Constitution of Oman, and grants freedom from interference of correspondence by any means of communication. The Basic Statute guarantees freedom of postal, telegraphic, telephonic, and other forms of communication and their confidentiality (subject to law). It is not permitted to monitor, inspect, or reveal the contents of such communications unless pursuant to law.
1.3. Other applicable laws (e.g. cybercrime law, privacy of communications)
Royal Decree No. 69/2008 promulgating the Electronic Transactions Law (‘the Electronic Transactions Law’) applies to parties who have agreed to perform their transactions electronically, and safeguards the confidentiality of information or data contained in such transactions. Chapter 4 (Methods of Protecting Electronic Transactions) of the Electronic Transactions Law states at Article 18 that ciphering (i.e. encryption) is an essential means to be used for the purpose of protecting electronic transactions. This step can be efficient in keeping the information of the electronic message confidential and preventing others from infringing the data.
The Electronic Transactions Law also sets out ways of protecting private data. It states that any government body or authentication service provider may collect personal data directly from the concerned person or from others following their explicit consent, and only for the purpose of issuing certification or keeping it or facilitating such issuing or keeping. It is not permitted to collect, process, or use such data for any other purpose without the explicit consent of the person from whom such data is collected. The authentication service provider must follow the appropriate procedure to ensure confidentiality of the personal data in his/her possession.
Similarly, Royal Decree No. 12/2011 issuing the Cyber Crime Law (‘the Cybercrime Law’) was promulgated to address areas of unlawful activities in general cyberspace. The Cybercrime Law makes it a criminal offence to violate the privacy of individuals using technology. In fact, Article 3 of the Cybercrime Law states that those ‘who intentionally and illegally access an electronic site, informational system, or information technology tools or part of it or exceeded his authorised access to it or continued his existence therein after being aware of his access, shall be punished with imprisonment for a period not less than one month and not exceeding six month and a fine not less than OMR 100 (approx. €240) and not more than OMR 500 (approx. €1,200) or by either penalty.’ Other provisions, namely Articles 4 to 10 under Chapter 2 of the Cybercrime Law, cover various acts in relation to privacy that constitute a cybercrime.
More generally, Royal Decree No. 97/99 Promulgating the Criminal Procedure Law (only available in Arabic) (‘the Criminal Procedure Law’) contemplates that correspondence and cables may not be confiscated or perused, newspapers, publications, and parcels may not be confiscated, conversations taking place at a private place may not be recorded, telephones may not be tapped, and telephonic dialogues may not be recorded without the permission of the Public Prosecutor.
1.4. Case law
1.5. Mention of whether there are any public sector data protection laws
In a general manner, Royal Decree No. 7/2018 Promulgating the Penal Law (‘the Penal Law’) has tackled the issue of data protection in the public sector. The Penal Law addresses the issue of forgery of reports, minutes, books, registers, records etc. and sets strict penalties for these offences. The aim is to protect the data and establish penalties to that end.
1.6. Possible amendments/draft data protection laws under discussion
At the time of writing this guidance note, there were no legislative proposals for data protection under consideration. However, suggestions have been raised by various actors in the Omani legal landscape to enact an independent data protection law in the near future.
2. SECTORAL LEGISLATION
2.1 FINANCIAL SECTOR
2.1.1. Law: Scope of application/ Key provisions
Presently there is no dedicated data protection legislation in the Omani financial sector. However, Royal Decree No. 114/2000 Issuing the Banking Law (‘the Banking Law’) sets out certain general provisions on the protection of customer information.
The Banking Law prohibits all licensed banks, their directors, officers, managers, or employees from disclosing information relating to any customer without customer consent except when such disclosure is required under the laws of Oman or if instructed by the Central Bank of Oman (‘CBO’). It clarifies that the customer may give general consent for purposes such as bank advertisements.
Customer consent to disclosure of information is not required where disclosure is instructed by the CBO. As per the Banking Law, no government agency or person may ask a licensed bank directly to disclose any information or take any action against a customer. All such requests must be submitted to the CBO to decide if action is required and instruct licensed banks to do so. Decisions of the CBO in relation to such requests are final.
2.1.2. Case law
2.1.3. Presence of a regulator, its role/powers
The CBO is the supervisory authority for the financial sector in Oman. It licenses financial institutions and oversees other regulatory aspects of the industry including any data protection related issues in the financial sector.
2.1.4. Key definitions
2.1.5. Data retention
See 2.1.1., above.
2.1.6. Specific provisions on data breach and data breach notification
See 2.1.1., above.
2.1.7. Specific provisions imposing limitations on data transfers
See 2.1.1., above.
2.1.8. Sanctions and penalties
The CBO has the right to instruct licensed banks to disclose information relating to a customer; however, its decision may be challenged before the courts, which have wide discretion in judicially reviewing such decisions.
2.2 HEALTH AND PHARMA SECTOR
2.2.1. Law: Scope of application/ Key provisions
There is no data protection law specific to the health and pharma sector in Oman. However, a new law, Royal Decree No. 75/2019 Promulgating the Law on Governing the Practice of the Medical Profession and Allied Health Professions (‘the Healthcare Law’), was recently passed, which repeals an earlier law, Royal Decree No. 22/1996 on Issuing the Practice of Human Medicine and Dentistry Law (only available in Arabic). The Healthcare Law aims to bring existing Omani healthcare legislation in line with international standards in healthcare, including standards of professional ethics, the use of patient information, and the circumstances in which medical research on humans is permitted. The Healthcare Law addresses the issue of disclosing patient information, and states that patient information may not be disclosed to any person without the patient’s express written consent. Exceptions to this rule permit disclosure in certain circumstances, including where disclosure is necessary to prevent a crime, where a patient is subjected to a condition that threatens public health and safety, or where disclosure is required for health insurance companies.
2.2.2 Case law
2.2.3 Presence of a regulator, its role/powers
The Ministry of Health is responsible for ensuring the availability of healthcare to the people of Oman. It regulates all matters pertaining to the healthcare sector.
2.2.4. Key definitions
2.2.5. Data retention
See 2.2.1., above.
2.2.6. Specific provisions on data breach and data breach notification
See 2.2.1., above.
2.2.7. Specific provisions imposing limitations on data transfers
See 2.2.1., above.
2.2.8. Sanctions and penalties
The Healthcare Law mandates that anyone who violates obligations related to the disclosure of patient information may be punished with imprisonment for a period of no less than one month and not exceeding one year, or a fine of no less than OMR 500 (approx. €1,200) and no more than OMR 1,000 (approx. €2,400), or both.
2.3 TELECOMMUNICATIONS SECTOR
2.3.1. Law: Scope of application/ Key provisions
There is no sector-specific data protection law in relation to the telecommunications sector in Oman. The general provisions on the protection of information over telecommunications networks are contained in Royal Decree No. 30/2002 for Issuing the Telecommunications Regulatory Act (‘the Telecommunications Regulatory Act’).
The Telecommunications Regulatory Authority (‘TRA’) is responsible for establishing controls that guarantee the protection of user data and ensure its confidentiality and privacy.
2.3.2. Case law
2.3.3. Presence of a regulator, its role/powers
The TRA regulates all matters pertaining to the telecommunications sector including licensing and other issues.
2.3.4. Key definitions
See 2.3.1., above.
2.3.5. Data retention
See 2.3.1., above.
2.3.6. Specific provisions on data breach and data breach notification
See 2.3.1., above.
2.3.7. Specific provisions imposing limitations on data transfers
See 2.3.1., above.
2.3.8. Sanctions and penalties
The Telecommunications Regulatory Act stipulates that penalties may include imprisonment for a period not exceeding one year, a fine not exceeding OMR 1,000 (approx. €2,400), or both. In all cases, the penalty may be doubled in the case of repeat offences.
Ibex Financial and Management Consulting
P.Cl: 116 Mina Al Fahal