New Personal Data Protection Law in Jordan
Key Insights:
Scope of application
The Law applies to collected personal data and sensitive personal data belonging to any natural person. It applies retroactively to data collected or processed before the enforcement date of the law. It is also applicable whether the process of data transfer, exchange or collection occurs inside Jordan or abroad.
However, the provision of this law is not applicable on natural persons who process data for personal purposes.
Data Categories
Personal Data: Any data or information related to a natural person that could directly or indirectly identify them, regardless of its source or form, including data related to his person, family situation, or whereabouts.
Sensitive Personal Data: includes data on ethnic or racial background, political opinions, religious beliefs, financial status, medical records, mental or genetic condition thereof; Besides, biometric fingerprints (Biometrics) or criminal record thereof, or any information or data that the Council deems sensitive, of which disclosure or misuse may bring harm to the concerned person.
Precautionary measures
Data stewards are required to assign a data controller if their work deals with processing personal data, sensitive personal data, financial data such as credit card information, or when transferring data outside of Jordan.
Consent
The PDPL imposes guidelines and restrictions on the processing, collection and use of personal data while requiring the element of prior informed consent while exempting certain cases as detailed in Article 5:
The Prior Consent shall be:
- Explicit and documented in writing or electronically;
- Specific in terms of duration and purpose;
- The request shall be in a clear, simple, non-misleading language and can be easily accessed; and
- For those who lack legal capacity, the consent of one of the parents or guardian shall be required, or the approval of the judge upon the request of the unit if it is in the best interest of the person lacking legal capacity.
B. Prior consent shall not be considered in the following two cases:
- If it was issued based on incorrect information or deceptive or misleading practices and they were the reason for the decision of the concerned person to grant it; or
- If the nature, type or objectives of the processing were changed without obtaining an approval thereon.
The Law provides each person with the right to know and access their individual data. Each data subject shall be able to amend, update, erase their collected data or to withdraw prior given consent for data collection.
Regulatory Body
Articles 16 & 17 introduce the formation of the Personal Data Protection Council and detail their responsibilities. These responsibilities include but are not limited to oversee matters such as approving policies, strategies, plans and programmers related to data protection, approve forms related to prior consent or withdrawal of approval, issuing licenses and permit for story, processing, profiling, and transferring data.
Compliance
Law No. 24 of 2023 grants data collectors a grace period not exceeding one year from the date of enforcement on 17 March 2024 to ensure that their practices are in compliance with the provisions of the law after which violators will be subject to fines and penalties according to Article 21 of the Law.
Ashrakat joined Thomson Reuters in 2022 as a Content Specialist. She is a graduate with Bachelor's Degree from York University, and a Paralegal Diploma from Seneca College. Ashrakat is also a Licensed Paralegal by the Law Society of Ontario, Canada. She is a native Arabic speaker and fluent in English.
Ashrakat is currently a Legal Editor for Thomson Reuters MENA. She is based in Dubai and is responsible for maintaining and providing the latest legal content updates in the MENA region.