Published: Oct 12, 2023

Jordan’s New Data Protection Law: Safeguarding Personal Data

Jordan has recently announced a significant development in data protection legislation. The new Data Protection Law, No. 24 of 2023 (the “Data Protection Law”), represents a crucial step forward in safeguarding user data and information. This law, in parallel to the European Union’s General Data Protection Regulation (“GDPR“), introduces important principles of data transparency, accuracy, storage limitation, and data minimization, although not as comprehensively inclusive.

  • Ratification and Validity: The Data Protection Law, which was recently approved by the Jordanian Parliament, is expected to come into force by March of next year and will bring significant changes to the legal landscape of data collection and processing in the country.
  • General Overview: The Data Protection Law aims to protect the rights and interests of individuals whose personal and sensitive data are collected or processed by various entities, such as businesses, government agencies, or non-governmental organizations. The Data Protection Law defines “personal data” as any information that relates to an identified or identifiable natural person, and “sensitive data” as any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual orientation, or criminal record.
  • Regulatory Bodies: The Data Protection Law establishes two entities responsible for the implementation and oversight of the personal data protection law: the Personal Data Protection Board and an organizational unit under the Ministry of Digital Economy and Entrepreneurship. The board will have the authority to issue licenses and authorizations for data maintenance, processing, diagnosis and transfer, and to determine the mechanisms for submitting and handling complaints relating to the violation of the law. The organizational unit will prepare data protection related legislation drafts and oversee the compliance with the law, and receive and investigate complaints.
  • Data Subject Rights: The Data Protection Law also sets out the rights and obligations of the individuals whose data are processed (the concerned individuals) and the entities that collect, maintain, or process the data (the data processors). The concerned individuals have the right to access, correct, modify, erase, conceal, add, update, or limit the processing of their data, and to withdraw their previous consent at any time. The data processors must obtain the prior consent of the concerned individuals before collecting or processing their data, unless the processing is lawful for other reasons specified in the law. The consent must be explicit, documented, specific, and clear, and must not be based on false or misleading information. The data processors must also take all necessary measures to protect the data from any unauthorized or unlawful access, alteration, disclosure, or damage, and to inform the concerned individuals of the purpose, duration, and processor of the data processing.
  • Data Transfer: The Data Protection Law also prohibits the transfer of personal and sensitive data without the consent of the concerned individuals and meeting the requirements of the law. The transfer of data outside Jordan is also restricted, unless the recipient jurisdiction offers the same level of data protection as Jordan, or the transfer falls under one of the exceptions listed in the law, such as judicial cooperation, medical treatment, public health, or individual agreement.
  • Compliance: The Data Protection Law also introduces a framework to ensure compliance and accountability for data protection. The Data Protection Law stipulates penalties for the violation of the law or any of the regulations or instructions that will be issued pursuant to it, ranging from fines to imprisonment. The Data Protection Law also grants the concerned individuals the right to claim damages resulting from gross error or the violation of the law or any of the regulations or instructions that will be issued pursuant to it.

How can we help?

As the leading law firm in the Middle East & North Africa Region, we are committed to helping clients navigate the Data Protection Law and ensure their compliance with its provisions. We have a team of experts who can advise you on the best practices and strategies for data collection, processing, transfer, and security, and assist you with any legal issues or disputes that may arise from the implementation of the law. If you have any question, please reach out to our key contacts David Yates or Thamer Shomar.

Key Contacts

David Yates

Partner, Head of Digital & Data

d.yates@tamimi.com