On March 17, 2024, the Jordanian Personal Data Protection Law No. 24 of the year 2023 (the “PDP Law” or the “Law”) officially came into effect, following its publication in the Official Gazette on September 15, 2023. The PDP Law establishes a comprehensive legal framework for the protection of personal data in Jordan, setting clear boundaries for the exchange and processing of personal information between entities and individuals. This legislation delineates the rights and obligations that must be adhered to when handling personal data, aiming to safeguard the privacy of individuals in an increasingly data-driven society.

The PDP Law outlines several critical areas that must be carefully considered by all registered entities, as the regulations apply to a wide range of activities that could be carried out by any organization at any time. Below is an overview of the most significant provisions under the PDP Law to provide a general understanding of its scope and requirements.

For clarity, the term “Unit” refers to the Organizational Unit for the Protection of Personal Data, and the term “Council” refers to the Personal Data Protection Council.

Key Provisions of the PDP Law

Rights of Individuals

The PDP Law affirms that every individual has the right to the protection of their personal information, and such data cannot be processed without the individual’s prior consent. The rights afforded to individuals under the Law include the following:

  • The right to be informed about and access their processed data.
  • The right to withdraw consent previously given for data processing.
  • The right to amend, modify, or update their data.
  • The right to object to or oppose the processing of their data if it no longer serves the primary purpose for which it was collected.
  • The right to be notified if their data is transferred from one data controller to another.
  • The right to be informed of any data breaches or violations affecting their processed data within 24 hours of the occurrence.

The exercise of these rights shall not result in any financial or contractual consequences for the individual, without prejudice to the data controller’s lawful rights.

Conditions for Obtaining Consent

The PDP Law stipulates specific conditions that must be met for an individual’s consent to be considered valid for data processing:

  1. Consent must be precise and documented in writing or electronically.
  2. The duration of the data processing and the purpose behind it must be clearly stated.
  3. The language used must be clear and straightforward.
  4. If the individual lacks legal capacity, consent must be obtained from a legal guardian.

Exceptions to Consent Requirements

Certain circumstances under the PDP Law permit the processing of personal data without prior consent, including:

  1. Data processed directly by a competent authority.
  2. Data processed for medical purposes.
  3. Data processing necessary to protect an individual’s life or vital interests.
  4. Data processing required to prevent or detect a crime, or to prosecute offenders.
  5. Data processing mandated or authorized by prevailing legislation, court orders, or competent authorities.
  6. Data processing required by entities under the supervision of the Central Bank of Jordan for conducting their activities, including the transfer of data inside and outside Jordan.
  7. Data processing for the purposes of scientific or historical research.
  8. Data processing for statistical research, national security needs, or public interest.
  9. Data that has already been publicly shared by the individual concerned.


Responsibilities of a Data Controller

The PDP Law imposes several responsibilities on Data Controllers to ensure the protection and proper management of personal data:

  1. Implementing all necessary measures to protect the data in their custody.
  2. Applying security, technical, and administrative measures to safeguard processed data.
  3. Establishing procedures and methods for data processing.
  4. Receiving and responding to complaints related to data processing.
  5. Publishing their data processing procedures and complaint handling mechanisms on their official website.
  6. Correcting incomplete, outdated, or incorrect data.
  7. Managing requests for consent withdrawal.
  8. Informing individuals of the purpose of data processing, retention periods, and the identity of the Data Entry Clerk responsible for processing the data.

A Data Controller must also appoint a Data Protection Officer (DPO) in specific circumstances, such as when the primary responsibility involves data processing, dealing with sensitive personal data, processing financial data, or transferring databases outside of Jordan.


Responsibilities of a Data Protection Officer (DPO)

The DPO is tasked with the following duties:

  1. Monitoring and documenting the Data Controller’s compliance with the PDP Law.
  2. Periodically assessing and auditing database processing and cybersecurity systems, documenting findings and recommendations to improve these systems.
  3. Acting as the liaison between the organization, the Unit, competent authorities, and the courts.
  4. Establishing internal regulations for handling complaints, data access requests, and requests for data modification, deletion, or transfer.
  5. Organizing training programs for employees involved in data processing under the supervision of the Data Controller or Data Entry Clerk.

Responsibilities of a Data Entry Clerk

Data Entry Clerks are required to:

  1. Process data in accordance with the PDP Law and its associated regulations and instructions.
  2. Ensure that the data processing remains within the intended purpose and timeframe.
  3. Erase data once the processing period has ended or return it to the Data Controller.
  4. Refrain from disclosing data or the results of data processing unless legally authorized.


Confidentiality and Data Transfer

The PDP Law mandates that all processed data be treated as confidential, with legal liability placed on both the Data Controller and Data Entry Clerk to maintain this confidentiality. The transfer or exchange of personal data is prohibited without the prior consent of the individual concerned and must comply with the provisions of the PDP Law.

Any transfer of data outside Jordan must meet the security standards established under the PDP Law, unless otherwise specified by the Law.

Sanctions for Non-Compliance

In cases of non-compliance with the PDP Law, the Unit is authorized to issue a warning to the violator, requiring them to rectify the violation and its consequences within a specified period. If the violator fails to comply, the Council, upon recommendation from the Unit, may impose one or more of the following sanctions:

  1. A warning of potential suspension of the violator’s license or permit, either partially or entirely.
  2. Partial or total suspension of the license or permit.
  3. Cancellation of the license or permit, either partially or entirely.
  4. Imposition of a fine not exceeding 500 Jordanian Dinars for each day the violation persists, with a maximum total fine not exceeding 3% of the violator’s total annual revenue for the previous fiscal year.
  5. Additionally, a fine ranging from 1,000 to 10,000 Jordanian Dinars may be imposed for violations of the PDP Law.

All entities handling personal data prior to the enforcement of the PDP Law are required to comply with its provisions within one year from the date of its entry into force.