Jordan’s personal data protection law No. 24 of 2023

October 2023

View the original document

National Regulations

The Personal Data Protection Law No. 24 of 2023 is Jordan’s primary legislation regulating the collection, processing, and protection of personal data. It was published in 2023 and will come into effect six months after its publication in the Official Gazette.

Key definitions

Personal data: Any data identifying a natural person, directly or indirectly.
Sensitive personal data: Includes data on race, political views, religious beliefs, health, genetics, biometrics, finances, or criminal records.
Controller: The person or entity that determines the purposes and means of processing data.
Processor: The person or entity that processes data on behalf of the controller.
Data subject: The individual whose data is being processed.

Applicability and exceptions

Applies to all entities processing personal data in Jordan or targeting Jordanian residents.
Does not apply to individuals processing their own data for purely personal purposes.

Individual rights

Every data subject has the right to:

Access and obtain their personal data.
Withdraw consent at any time.
Correct or update inaccurate or incomplete data.
Limit processing to specific purposes.
Request deletion or anonymisation of data.
Object to unnecessary or excessive profiling or processing.
Transfer their data from one controller to another.
Be notified of any data breach affecting their data.

These rights must be enabled free of financial or contractual consequences for the individual.

Consent requirements

Consent must be:

Explicit and documented (written or electronic).
Specific in purpose and time.
Clear, simple, and not misleading.
Obtained from a legal guardian when the subject lacks legal capacity.

Consent is invalid if:

Obtained through deception or false information.
The purpose or nature of processing changes without renewed consent.

Lawful processing without consent

Processing is permitted without consent in cases such as:

Public authorities performing legal duties.
Medical care by licensed professionals.
Protection of vital interests or life.
Legal proceedings or law enforcement needs.
Compliance with other laws or court decisions.
Work of institutions under the Jordanian Central Bank.
Scientific or statistical research (without targeting individuals).
Public interest or national security.
Publicly available data.

Obligations of controllers

Controllers must:

Ensure data security and confidentiality.
Establish complaint handling procedures.
Provide clear mechanisms for data subjects to exercise their rights.
Appoint a Data Protection Officer in specified cases (e.g., sensitive data processing or cross-border transfers).
Inform subjects prior to processing about purpose, duration, security measures, and profiling activities.

Data transfers

Cross-border data transfers are restricted unless the receiving party ensures adequate data protection.
Exceptions include:
- International legal cooperation.
- Criminal investigations.
- Medical treatment and public health.
- Informed consent by the data subject.
- Financial transactions.

Controllers must maintain records of transfers and justifications.

Data protection council and unit

A Data Protection Council, chaired by the Minister of Digital Economy and Entrepreneurship, oversees the law’s implementation.
The Unit, a division within the Ministry, handles complaints, compliance checks, and maintains a registry of data controllers and processors.

Enforcement and penalties

The Unit may issue warnings, suspend or revoke licenses, and impose fines (up to 3% of annual revenue or 500 dinars/day of continued violation).
Courts may order data destruction or cancellation of databases in serious cases.
Violators may face fines from 1,000 to 10,000 dinars, doubled for repeat offenses.
Public disclosure of violations may be mandated.