What To Know About Jordan’s Personal Data Protection Law of 2023

I. Introduction

Law No. 24 of 2023 regarding personal data protection in Jordan, better known as the Personal Data Protection Law of 2023 (PDPL), was published in the country's Official Gazette on September 17, 2023. It came into effect six months after its publication in the Gazette on March 17, 2024. However, it will become fully operational once the one-year grace period ends on March 17, 2025.

It establishes a body within the Council of Ministers to oversee the PDPL’s enforcement and imposes severe financial and other penalties on entities found to violate its provisions.

Furthermore, the Prime Minister and Ministers from the Council are all deemed responsible for implementing the provisions of the PDPL.

Read on to learn more about Jordan's PDPL in greater detail.

II. Who Needs to Comply With The PDPL

The provisions of the PDPL apply to all personal data within Jordan, regardless of when it was collected or processed, including data collected and processed before the PDPL’s enactment.

However, it does not apply to natural persons who process their personal data for personal purposes.

III. Definitions of Key Terms

Here are the definitions of some key terms used under the PDPL:

a. Council

Council refers to the Personal Data Protection Council formed under the provisions of the PDPL.

b. Minister

Minister refers to the Minister of Digital Economy and Entrepreneurship.

c. Ministry

Ministry refers to the Ministry of Digital Economy and Entrepreneurship.

d. The Unit

The Unit refers to the department within the Ministry responsible for protecting personal data.

e. Personal Data

Personal Data refers to any data or information that can directly or indirectly identify an individual, regardless of its source or form. This includes data related to the individual, their family status, or location.

f. Sensitive Personal Data

Sensitive Personal Data refers to data and information that can directly or indirectly reveal an individual's origin, race, political opinions, religious beliefs, financial status, health, physical or mental condition, genetic data, biometric data, criminal record, or any information whose disclosure or misuse could harm the individual involved.

g. Controller

Controller refers to a natural or legal person, based inside or outside Jordan, who has users' data in their custody.

h. Processor

Processor refers to a natural or legal person processing the data on behalf of the controller.

i. Data Protection Officer

The Data Protection Officer is the person who oversees the databases and processing operations within an organization, as required by the PDPL.

j. Recipient

Recipient refers to any natural or legal entity, based inside or outside Jordan to whom the controller transfers data.

k. Profiling

Profiling refers to automated data processing that identifies trends, preferences, choices, and behaviors from data subjects.

l. Data Breach

Data breach refers to any incident involving unauthorized access, processing, transfer, or any action that would compromise the security and integrity of the data.

IV. Obligations For Organizations Under The PDPL

Some of the obligations for organizations, whether controller or processor, per PDPL, are as follows:

a. Consent Requirements

Valid consent from the user to proceed with data processing must meet the following conditions:

• It must be explicit and be documented, either in writing or electronically;
• It must be specific to a purpose and duration;
• The request for consent must be clear, simple, in unambiguous language and easily accessible; and
• If the data subject lacks legal capacity, consent must be obtained from a parent or legal guardian. If necessary, a judge may grant approval upon the Unit’s request, considering the best interests of the individual.

Similarly, consent will not be considered valid in the following cases:

• If it was obtained by providing data subjects incorrect information or via misleading practices that influenced the data subjects' decision;
• If the processing's nature, type, and purposes have changed and consent was not obtained for such changes.

b. Lawful Basis Requirements

Processing may be considered lawful and permissible without the data subject's valid consent in the following cases:

• Processing is done by a competent public authority where it is necessary to carry out a legally assigned task per the country's law or through other entities contracted with the public entity, provided that their contract includes adherence to all obligations per Jordanian law;
• It is necessary for preventive medical purposes, medical profiling, or the provision of healthcare by a licensed professional;
• It is vital to protect the life or vital interests of the data subject;
• It is necessary to prevent a crime or to disclose it to a competent authority or aid in its prosecution;
• It is required or permitted by legislation or is executed per the decision of a competent court;
• It is necessary for financial institutions under the supervision of the Jordanian Central Bank to perform their functions, including the transfer and exchange of data within and outside Jordan.
• It is in accordance with the provisions of the PDPL;
• It is necessary for scientific and historical research purposes, provided it does not involve making a decision concerning a specific individual;
• It is necessary for statistical purposes, national security requirements, or matters of public interest;
• If the data being processed is made publicly available by the data subject.

Any processing activity must fulfil the following requirements to be considered lawful:

• The purpose of the processing must be lawful, specific, and transparent;
• It must align with the purpose for which the data was collected;
• Processed data must not be retained after the purpose of its processing has been fulfilled unless required by a specific Jordanian regulation;
• It must be conducted via legal means;
• It must be based on accurate, truthful, and updated data;
• It must not lead to direct identification of the data subject after fulfilling its purpose;
• It must not cause harm to the data subject or directly or indirectly affect their rights;
• It must be carried out to ensure the confidentiality and integrity of the data collected and prevent any unauthorized alterations.

c. Data Breach Requirements

In the event of a serious data security breach that could cause harm to data subjects, the controller must take the following actions:

• Notify all affected data subjects within 24 hours of discovering the breach, providing details on the incident and the measures they can take to mitigate any negative consequences.
• Notify the Unit within 72 hours of discovering the breach, including information on the source of the breach, affected data subjects, the mechanisms involved, and any other relevant details.

If the controller is found guilty of gross negligence or misconduct, they will be liable to compensate the affected data subjects.

d. Data Protection Officer Requirement

The data controller must appoint a Data Protection Officer in the following cases:

• If the primary activity of the controller involves personal data processing;
• When processing sensitive personal data;
• When processing data of individuals who lack the legal capacity to consent;
• When processing financial information;
• When transferring collected data outside Jordan;
• In any case, determined by the Council requiring the appointment of a Data Protection Officer.

e. Internal Data Transfer Requirements

The transfer or exchange of personal data between the controller and any other organization, including the recipient, is prohibited unless the data subject provides explicit consent and the following conditions are met:

• The transfer serves the legitimate interests of both the controller and the recipient.
• The data subject has been sufficiently informed of the purposes of the data transfer.
• The transfer is not for marketing products or services unless the data subject has provided consent for that specific purpose.

The controller must maintain detailed records of all data transfers or exchanges with the recipient, including the purpose of the transfer and documented proof of the data subject's consent.

Data transfer between public authorities is permitted only to the extent necessary for performing their legal duties. The recipient will be subject to the same legal responsibilities and obligations as the controller and must implement appropriate measures to ensure the security and integrity of the transferred data, as well as mechanisms to detect and track any security breaches.

f. Cross-Border Data Transfer Requirements

Personal data must not be transferred to any third party outside Jordan, including a recipient, if the level of protection they provide is lower than that required by the PDPL, except in the following circumstances:

• It is necessary for regional or international judicial cooperation under international agreements or treaties to which Jordan is a party.
• It is necessary for cooperation between international or regional agencies engaged in combating crimes or prosecuting criminals.
• It is necessary for the exchange of medical data concerning a data subject when required for their treatment.
• It is necessary for the exchange of data related to epidemics, health crises, or other matters affecting public health in Jordan.
• The data subject has explicitly consented to the transfer after being informed that the destination does not provide an adequate level of protection.
• It is necessary for the transfer of funds outside Jordan.

g. Data Processor Obligations

Entities operating as data processors must comply with the following obligations:

• Conduct processing activities in accordance with the regulatory requirements of the PDPL and other applicable Jordanian laws.
• Ensure that processing does not exceed the specified purpose and duration.
• Erase all processed data once the processing period expires or transfer it back to the controller.
• Refrain from any actions that would allow unauthorized access to the data or processing results, except in circumstances permitted by the PDPL.

All data undergoing processing is considered confidential, and both the controller and processor are responsible for maintaining its confidentiality.

h. Privacy Notice Requirements

Before processing personal data, the controller must inform the data subject, either in writing or electronically, of the following:

• The fact that their data will be processed and the date when processing will begin.
• The purpose of the data processing.
• The duration of the data processing, with no extensions unless explicitly consented to by the data subject.
• The identity of the processor responsible for processing their data.
• The security, safety, and data protection measures in place.
• Whether profiling will be conducted as part of the processing.

The PDPL grants all data subjects the right to protect their personal data. Processing is only permitted with the data subject’s explicit and valid consent or in cases expressly allowed under Jordanian law.

V. Data Subject Rights

The PDPL provides all data subjects with the following rights:

a. Right to Access

Data subjects have the right to access and obtain a copy of all personal data collected about them by a controller.

b. Right to Withdraw Consent

Data subjects have the right to withdraw previously provided consent for data processing at any time.

c. Right to Correction

All data subjects have the right to request that any data collected on them be corrected, amended, edited, or updated owing to the data becoming obsolete or out of date since it was collected.

d. Right to Erasure

All data subjects have the right to request that a controller erase and delete all data collected on them.

e. Right to Limit Processing

All data subjects have the right to request that any data processing they consent to be strictly limited to a specific scope.

f. Right to Object

All data subjects have the right to object to both processing and profiling if they are unnecessary for the purpose for which data was collected or if they are excessive to these purposes while also being discriminatory, prejudiced, and in violation of other provisions of Jordanian law.

g. Right to Data Portability

All data subjects have the right to request that their data be transferred from the possession of one data controller to another.

h. Right to Be Notified

All data subjects have the right to be notified of any data breaches or violations that may compromise their data's security and integrity.

Data subjects must be free from any financial or contractual consequences of exercising any of the aforementioned rights.

VI. Regulatory Authority

The Personal Data Protection Council (the "Council") will be established under the PDPL. The Minister of Digital Economy and Entrepreneurship will chair the Council, which will consist of the following members:

• The Information Commissioner, serving as Vice-Chair.
• The General Commissioner for Human Rights.
• The President of the National Cyber Security Center.
• A representative from the Central Bank of Jordan.
• Two representatives from security agencies, appointed by the directors of those agencies at the Minister’s request.
• Four experienced and specialized individuals appointed by the Council of Ministers, including one representative from each of the Telecommunications, Banking, and Information Technology sectors.

Membership on the Council will be for a term of four years, renewable once.

The Council will issue regulations governing its meetings, decision-making mechanisms, and other related matters.

a. The Council’s Responsibilities

The Council will assume the following responsibilities and tasks:

• Approve policies, strategies, plans, and programs related to data protection and oversee their implementation.
• Adopt standards and measures for data protection, including codes of conduct outlining the responsibilities of controllers and processors.
• Issue licenses and permits for the storage, processing, profiling, and transfer of data.
• Develop standard models for obtaining consent, withdrawing consent, lodging objections, and handling other related requests submitted by data subjects.
• Review complaints and requests submitted by data subjects or their representatives against a controller, as well as complaints filed by one controller against another, and take appropriate action.
• Provide opinions on treaties, agreements, and regulations related to data protection.
• Represent Jordan in local, regional, and international forums on data protection.
• Issue and maintain an updated list of countries, entities, or organizations recognized by Jordan as having adequate data protection standards and publish it through official channels.
• Propose and oversee international cooperation initiatives in the field of data protection.
• Coordinate and collaborate with international entities and organizations on data protection strategies.
• Approve the annual data protection report prepared by The Unit and submit it to the Council of Ministers.
• Adopt guidelines and instructions in accordance with the PDPL.
• Carry out additional tasks necessary to ensure compliance with and enforcement of the PDPL.

b. The Unit’s Responsibilities

The Unit will have the following powers and duties:

• Draft regulations and instructions related to data protection and submit them to the Council for approval.
• Receive notifications and complaints regarding violations of the PDPL, conduct investigations, and recommend appropriate actions to the Council.
• Monitor and enforce compliance with the provisions of the PDPL.
• Maintain a registry of controllers, processors, and Data Protection Officers (DPOs) and oversee their activities in accordance with the Council's instructions.
• Prepare and submit an annual report on the Unit’s activities to the Council.
• Carry out any additional tasks assigned by the Council or the Minister.

VII. Penalties for Non-compliance

If an organization is found guilty of violating the PDPL, The Unit will issue a warning requiring the violator to cease the violation and take corrective measures to remove its effects and causes within a specified period. If the violation continues, The Unit may impose the following penalties:

• Issue a warning to permanently or partially suspend the organization’s operating license or permit.
• Permanently or partially suspend the organization’s operating license or permit.
• Permanently or partially revoke the organization’s operating license or permit.
• Impose a fine not exceeding 500 Dinars per day for each day the violation continues, provided that the total amount does not exceed 3% of the violator’s total annual revenue from the previous fiscal year.

The Unit may also publish a statement regarding the confirmed violations at the violator’s expense, using any suitable means.

In addition to these penalties, the aggrieved party has the right to pursue civil action for damages arising from the violation.

Separately, the PDPL provides for fines ranging from 1,000 to 10,000 Dinars for violations, which may be doubled in cases of repeated offenses.

Furthermore, upon request by the public prosecution, the aggrieved party, or on its own initiative, the relevant court may order the destruction of the violator’s database following a final conviction.

VIII. How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Several of the world's most prestigious corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.

The Data Command Center is equipped with several individual modules and solutions designed to ensure compliance with all major obligations an organization may be subject to under Jordan's PDPL. These include DSR automation, consent management, vendor management, and breach management, among others.

Furthermore, the centralized dashboard allows for real-time insights into an organization's obligations and compliance activities, thus enabling proactive interventions whenever necessary or convenient.

Request a demo now to learn more about how Securiti can help you comply with nearly all major data protection and privacy regulations worldwide.