Self-assessment of the controller/processor to measure compliance with the provisions of the Data Protection Law

Organizational Measures

Have the controls and procedures that must be followed when processing personal data been established? *

In particular:

  • Identifying the risks that may affect the data subject as a result of processing.

  • Procedures and controls for the transfer and transmission of personal data.

  • Technical and procedural measures to ensure that processing is carried out in accordance with the provisions of the Personal Data Protection Law.

The controller is obliged to notify the data subject in writing, before starting to process their personal data, of the following:

  • Details of the controller and the processor.

  • Contact details of the Data Protection Officer.

  • The purpose of processing personal data and the source from which it was collected.

  • A comprehensive and accurate description of the processing, its procedures, and the levels of disclosure of personal data.

  • The rights of the data subject, including the right to access, rectify, transfer, and update the data.

  • Any other information that may be necessary to meet the conditions of processing.


Privacy Policy

Has your Personal Data Protection Policy been prepared? *

(The policy shall include, at a minimum, the mechanism and procedures for the data subject to exercise their rights as stipulated in the Law and the Regulation).


Has this policy been placed in a visible location that allows the data subject to review it before the processing of their personal data begins? *



Data Subject Rights

Has the request to the data subject for consent to process their personal data been prepared in a clear, explicit, and understandable manner? *

(There must be a clear mechanism to obtain the explicit written consent of the data subject and to enable them to exercise the following rights:

  • Withdraw their consent to the processing of their personal data, without prejudice to the processing carried out before the withdrawal, and request the correction, updating, or blocking of their personal data.

  • Obtain a copy of their processed personal data.

  • Transfer their personal data to another controller.

  • Request the erasure of their personal data, unless such processing is necessary for national archiving and documentation purposes.

  • Be notified of any breach or violation of their personal data and the measures taken in this regard).



Have controls and procedures been established to enable the data subject to exercise their rights, such as withdrawing their consent to processing, requesting the correction, updating, or blocking of their personal data, obtaining a copy of their processed personal data, and transferring their personal data to another controller? *



Is the explicit written consent of the data subject obtained for the purpose of processing their personal data? *





Personal Data Processing Permit

Does the controller process any of the personal data referred to in Article (5) of the Personal Data Protection Law? *

(Processing the personal data referred to in Article (5) of the Personal Data Protection Law requires, in addition to the explicit consent of the data subject, obtaining a permit from the Ministry to process it.)



Has a permit been obtained from the Ministry to process such data? *




Processing of Children’s Personal Data

Has the explicit consent of the child’s guardian been obtained if the controller processes the child’s personal data? *

(Means must be provided to enable the guardian to access the child’s personal data, and the controller or processor may not disclose or share the child’s personal data with others except after obtaining the explicit consent of the guardian).



Has compliance been ensured with the controls for processing children’s personal data, such as making sure the purpose of processing is clear, direct, safe, and free from deception or misleading practices, and that the processing is limited to the minimum personal data necessary to achieve its specified purpose? *




Have means been provided to enable the child’s guardian to access the child’s personal data in order to update or amend it? *





Advertising / Marketing / Commercial Purposes

Have the requirements for processing personal data been fulfilled before sending any advertising, marketing, or commercial materials? *

(Before sending any advertising, marketing, or commercial materials to the data subject, the controller must comply with the following controls:

• Obtain the written consent of the data subject.

• Notify the data subject of the means by which the advertising, marketing, or commercial materials will be sent.

• Specify a mechanism to opt out of receiving advertising, marketing, or commercial materials.

• Cease sending advertising, marketing, or commercial materials immediately upon receiving an opt-out request from the data subject, free of charge).






Publication / Sharing / Disclosure of Personal Data Referred to in Article (5) of the Personal Data Protection Law

Have procedures been established in the event of disclosing the personal data referred to in Article (5) of the Personal Data Protection Law? *

(The publication, sharing, or disclosure of personal data referred to in Article (5) of the Personal Data Protection Law must be within the legally prescribed limits and cases, or if it is in execution of a court ruling or decision).


Confidentiality of Personal Data

Have controls and procedures been established to ensure the confidentiality of personal data? *

(The controller must ensure the confidentiality of personal data in accordance with the following controls and procedures:
• Establish, use, and activate electronic systems to prevent unauthorized access, leakage, tampering, or misuse of personal data.
• Implement systems for the recovery of personal data in the event of a physical or technical incident.
• Conduct tests to verify the effectiveness of the existing technical measures).

Retention of Personal Data Processing Records

Has a time period been determined for retaining personal data processing records that is consistent with the purpose and nature of the processing? *

(The controller or processor, as applicable, must comply with the following controls:
• The reason for retaining processing records must be specific and legitimate.
• A retention period must be determined that is consistent with the purpose of the processing.
• Technical protection systems must be provided to ensure the secure retention of processing records.)

Is the reason for retaining these records specific and legitimate, and are technical protection systems in place to safeguard them? *

Record of Personal Data Processing Activities

Has a dedicated record for personal data processing activities been established? *

(The record of processing activities must be continuously updated and should include at least the following data:
• Details of the Data Protection Officer.
• The timeframes for processing, along with its restrictions and scope.
• The mechanism for erasing, correcting, or processing personal data.
• The purpose of processing personal data.
• Other data as stipulated in Article (28) of the Executive Regulations.)



Personal Data Breach

Have internal procedures been established to report personal data breach incidents, including procedures for notifying the relevant management and notifying the data subject? *

(The controller must establish internal procedures to report personal data breach incidents, comply with procedures for notifying the relevant management and the data subject, and document all breach incidents in the record of personal data processing activities.)

Has a personal data breach report been recorded? *

Has the relevant management been notified within no more than 72 hours from the date of becoming aware of the breach if it is likely to result in a risk to the rights of data subjects? *

The report must include at least the following:
• A description and details of the nature of the breached data and the consequences of the breach.
• Contact details of the controller or any other point of contact for further information.
• A description of the potential impacts of the breach.
• Corrective actions or technical/organizational measures that the controller will take to address the breach, including, if necessary, measures proposed to mitigate potential adverse effects.
• Corrective actions and technical/organizational measures that the controller took immediately upon becoming aware of the breach and before notifying the relevant management.


Has the data subject been notified within 72 hours of the controller/processor becoming aware of the breach if the breach is likely to cause serious harm or high risk to the data subject? *

The notification must include:
• The type and nature of the breach.
• Details of the personal data affected by the breach.
• Recommendations to limit or mitigate the impact of the breach, if necessary.


Have personal data breach incidents been documented in the record of processing activities, including their causes, consequences, corrective actions, and the technical/organizational measures taken, and retained there for the period determined by the relevant management? *


Data Protection Officer (DPO)

Has a Data Protection Officer been appointed, with clearly defined roles and responsibilities? *

(The appointment of a Data Protection Officer must comply with the following requirements:

• The DPO must be qualified to perform the tasks set out in Article (35) of the Executive Regulations, which include:

  • Providing proposals and advice to the controller or processor regarding their obligations under the Law and the Regulations.

  • Monitoring the implementation of the controller’s or processor’s policies related to personal data protection.

  • Overseeing the controller’s or processor’s compliance with their obligations under the Law and the Regulations.

  • Coordinating with the competent authority on matters related to personal data processing.)





Have the details of the Data Protection Officer been published? *

(The data subject must be enabled to exercise their right to contact the Data Protection Officer regarding all matters related to the processing of their personal data.)






Cross-Border Transfer of Personal Data

In the event that the controller wishes to transfer or transmit personal data outside the borders of the Sultanate of Oman, has compliance been ensured with the requirements and procedures stipulated in Chapter Eight of the Executive Regulations before the transfer or transmission takes place? *

(Before transferring or transmitting personal data outside the borders of the Sultanate of Oman, the controller is required to obtain the explicit consent of the data subject, and the transfer or transmission must not compromise national security or the higher interests of the State. However, obtaining the data subject’s consent is not required in any of the following cases:

• If the transfer or transmission is carried out in execution of an international obligation under an agreement to which the Sultanate of Oman is a party.

• If the transfer or transmission is carried out in a manner that anonymizes the data subject and ensures that the data cannot be linked back to them or identified by any means.

In addition, the controller is obliged to ensure that the external processing entity provides an adequate level of personal data protection that is no less than the level of protection prescribed in the Law and the Regulations. The controller must also conduct an assessment of the level of protection offered by the external processing entity and the risks associated with the cross-border transfer or transmission of personal data.)