
The PDPL Is Now Enforceable. Here Is Your AI Governance Compliance Checklist.

17 May 2026 · Engineer Said Sulaiman Al Azri

On 5 February 2026, the transition period for Oman's Personal Data Protection Law (Royal Decree 6/2022) ended. The Ministry of Transport, Communications and Information Technology is now actively overseeing compliance and can exercise its enforcement powers. Organisations processing personal data in the Sultanate of Oman must have their frameworks in place — not in progress, not planned, but operational.

For organisations using AI systems, the PDPL creates obligations that go beyond traditional data protection. AI systems consume personal data at scale, make or support decisions that affect individuals, and often operate in ways that are difficult to explain. The law does not contain a separate chapter on artificial intelligence, but its requirements for lawful processing, transparency, data subject rights, and breach notification apply fully to AI-driven processing activities.

This guide maps the PDPL's key obligations to the 7-Pillar AI Governance Model and provides a practical checklist for organisations that need to verify their compliance posture.

Lawful Processing and Consent — Pillars 3 and 5

The PDPL requires organisations to obtain explicit and informed consent from data subjects before processing personal data, unless a statutory exclusion applies. For AI systems, this obligation has specific implications that many organisations overlook.

Verify that every AI system that processes personal data has a documented lawful basis. This is not a general statement in a privacy policy — it is a per-system record that identifies what personal data the system processes, what the purpose of processing is, and what the legal basis is (consent, statutory obligation, legitimate interest under an applicable exclusion). If the lawful basis is consent, verify that the consent mechanism is specific to the AI processing activity, not bundled into a general terms-of-service acceptance. The PDPL requires consent to be freely given, unambiguous, and verifiable. A checkbox buried in a registration form that mentions "analytics and automated processing" in a paragraph of other purposes is unlikely to meet this standard.

For AI training data, verify that the datasets used to train or fine-tune models were collected with consent that covers the specific processing purpose. If the organisation is using historical data that was collected before the PDPL came into force, assess whether the original consent or legal basis extends to AI training. If it does not, the organisation needs to either obtain fresh consent or demonstrate that a statutory exclusion applies.

Transparency and Privacy Notices — Pillars 2 and 5

The PDPL requires organisations to provide data subjects with clear written information about the controller, the purpose of processing, the source of personal data, and the rights available under the law. Privacy notices must be accurate, accessible, and communicated prior to data collection.

For AI systems, transparency means more than a general privacy notice on the website. Verify that your privacy notices explicitly disclose any automated decision-making or profiling that affects data subjects. If an AI system makes or supports decisions about credit, eligibility, pricing, recruitment, or service access, the privacy notice should describe this in terms a non-specialist can understand. Verify that the notice identifies the types of personal data used in automated processing and explains the general logic involved — not the technical architecture, but a meaningful description of what factors influence the decision and how.

The PDPL requires privacy notices to be provided in Arabic. Organisations may provide dual-language versions, but the Arabic version should be treated as the primary reference. Verify that your AI-related disclosures are included in the Arabic version, not only in the English text.

Data Subject Rights — Pillars 2, 3, and 5

The PDPL grants data subjects the right to withdraw consent, request correction or deletion of personal data, obtain copies, and request data portability. Organisations must respond to written requests within 45 days and may need to suspend processing while the request is being addressed.

For AI systems, these rights create operational requirements that must be planned in advance. If a data subject withdraws consent for the processing activity that feeds an AI system, verify that the organisation has a documented process to stop processing that individual's data in the AI pipeline — including in training datasets, feature stores, and inference logs. If a data subject requests correction of personal data that has been used to train a model, consider how the correction affects the model's outputs. Full retraining may not be practical for every correction request, but the organisation must have a documented position on how corrections are handled and communicated to the data subject.

If a data subject requests deletion, verify that the organisation can identify and remove that individual's data from AI training datasets, or that it can demonstrate that the data has been anonymised to a degree that re-identification is not reasonably possible. The 45-day response window means these processes must be designed and tested before a request arrives, not improvised when one does.

Cross-Border Transfers — Pillars 3 and 6

The PDPL requires that transfers of personal data outside Oman have the explicit consent of the data subject and must not prejudice national security. Recipient jurisdictions must provide protections equivalent to the PDPL. Sensitive data transfers may require approval from the Cyber Defence Centre.

For AI systems, cross-border transfer obligations are often triggered in ways organisations do not anticipate. If the organisation uses a cloud-based AI platform, verify where the data is processed and stored — not just where the provider's headquarters is located, but which specific data centres and regions handle the data. Many AI platforms route data through multiple jurisdictions for training, inference, or analytics. If any of these jurisdictions are outside Oman, the organisation must either obtain explicit consent for the transfer or ensure the data is processed exclusively within Oman or in a jurisdiction with equivalent protections.

If the organisation uses a third-party AI vendor that accesses personal data for model training, support, or improvement, verify that the data processing agreement explicitly addresses cross-border transfers and that the vendor can demonstrate where and how the data is handled. The PDPL places the compliance obligation on the controller, not the vendor.

Data Protection Officer — Pillars 2 and 7

The PDPL requires organisations to appoint a Data Protection Officer and make their contact details publicly available. The DPO serves as the primary point of contact for data subjects and the regulator, and the regulator has communicated a preference for the DPO to be physically located in Oman.

For organisations using AI, the DPO role takes on additional significance. The DPO should be involved in reviewing AI systems that process personal data — not necessarily at a technical level, but with sufficient understanding to assess whether the processing is lawful, transparent, and compliant with data subject rights. Verify that the DPO has been briefed on all AI systems that process personal data, has access to documentation about those systems (data flow diagrams, privacy impact assessments, consent records), and is included in the approval process for new AI deployments that involve personal data.

If the DPO lacks the technical background to assess AI systems, this is a training and competency issue that falls under Pillar 7 (Talent & Risk). The DPO does not need to be a data scientist, but they do need to understand enough about how AI systems process data to fulfil their regulatory role.

Breach Notification — Pillars 4 and 6

The PDPL requires organisations to notify the regulator within 72 hours of any personal data breach that may pose a risk to data subjects' rights. Where the breach is likely to result in serious harm, affected data subjects must also be notified within the same timeframe.

For AI systems, breach scenarios include not only traditional data exfiltration but also unauthorised access to model training data, manipulation of model outputs through adversarial inputs, and unintended exposure of personal data through model inference (where a model reveals information about individuals in its training data through its outputs). Verify that the organisation's incident response plan includes AI-specific breach scenarios and that the response team knows how to assess and contain breaches originating from or affecting AI systems.

The 72-hour window is tight. Verify that breach detection mechanisms cover AI infrastructure — not just traditional databases and network perimeters — and that the escalation path from the AI operations team to the DPO and the regulatory notification process is documented and rehearsed.

Penalties and Enforcement — All Pillars

The PDPL provides for administrative penalties including warnings, suspension or cancellation of processing permits, and fines of up to OMR 2,000 per violation. While the per-violation fine may appear modest compared to the GDPR's penalties, the cumulative exposure for an organisation with multiple AI systems processing personal data across multiple non-compliant activities can be significant. More importantly, the regulator's powers include the ability to suspend processing activities — which, for an AI system embedded in a business-critical workflow, could be operationally devastating.

The reputational risk compounds the regulatory risk. Oman's market is compact and relationship-driven. A regulatory finding against an organisation's AI practices would be known quickly across the sectors that matter.

Using This Checklist

This checklist is not a substitute for legal advice. It is a governance tool that helps organisations identify where their AI systems may create PDPL compliance gaps, mapped to the 7-Pillar AI Governance Model so that remediation efforts can be prioritised within a broader governance programme.

For each item above, document the current state (compliant, partially compliant, non-compliant, or unknown), the specific AI systems affected, the responsible owner, and the remediation action and deadline. Treat "unknown" as equivalent to "non-compliant" for planning purposes — if the organisation cannot verify compliance, it cannot demonstrate it to a regulator.

If the number of gaps is significant, consider engaging a structured AI governance assessment to prioritise remediation and build a comprehensive compliance roadmap. The 7-Pillar AI Governance Model's assessment methodology is designed to integrate PDPL compliance with broader governance maturity, so that the organisation addresses regulatory requirements within a sustainable governance framework rather than through ad-hoc fixes that may not hold up to scrutiny.


This is part of the Practitioner Guides series. For the conceptual foundation, see The Seven Pillars series.