In an era of rapid digital transformation, Jordan has taken a significant step in protecting individual privacy by enacting the Personal Data Protection Law No. 24 of 2023. This law establishes a comprehensive legal framework governing how personal data is collected, processed, and stored — with direct implications for businesses, institutions, and individuals operating in Jordan.

What Is Personal Data Under Jordanian Law?

The law defines personal data in Article 2 as any information relating to a natural person that identifies them directly or indirectly, regardless of its source or form, including information about their personal status, family situation, or whereabouts.

The law further distinguishes between regular personal data and sensitive personal data, which includes information about a person's racial or ethnic origin, political opinions, religious beliefs, financial status, physical or mental health, biometric data, and criminal records. Sensitive data carries stricter processing requirements and higher penalties for misuse.

The Rights of Data Subjects

The law grants individuals whose data is being processed a comprehensive set of rights, including:

•        The right to access their personal data held by any controller

•        The right to correct or update inaccurate data

•        The right to withdraw prior consent at any time

•        The right to object to processing or profiling

•        The right to transfer their data from one controller to another

•        The right to be informed of any breach or violation affecting their data security

•        The right to restrict the scope of processing

Obligations of Data Controllers

Before beginning any data processing, controllers are required under Article 9 to notify data subjects in writing or electronically of what data will be processed, the purpose of processing, the duration, who will participate in the processing, and what security measures are in place.

Controllers must notify data subjects within 24 hours of discovering a breach that may cause serious harm, and report to the relevant authority within 72 hours.

Transferring Data Outside Jordan

Under Article 15, transfers of personal data outside Jordan are only permitted if the receiving country provides an equivalent level of protection, or under specific exceptions, including judicial cooperation agreements, medical necessity, public health purposes, or explicit consent from the data subject.

Penalties for non-compliance

The law adopts a graduated approach. Article 21 requires the authority to first issue a warning. If the violation continues, penalties may escalate to license suspension or revocation, and fines of up to 500 dinars per day (not exceeding 3% of annual revenues). Article 22 provides for fines between 1,000 and 10,000 dinars for direct violations, doubling in cases of repeat offenses.

What This Means for Your Business

If your business collects, stores, or processes personal data in Jordan, you are required to comply with this law. This includes reviewing privacy policies, updating data processing agreements, establishing internal data security protocols, and training staff on compliance requirements.

At Shraideh Law Firm, our team provides specialized legal support in data protection compliance, including policy drafting, risk assessment, and representation in cases of violations or disputes.

For more on this topic, read our full legal guide on Personal Data Protection Laws in Jordan