Law No. 24 of 2023 Jordan

    Overview

    Jordan's Personal Data Protection Law No. (24) of 2023 establishes a framework for safeguarding personal and sensitive data, aiming to protect individuals' data rights and regulate data processing activities conducted by public and private entities. The law sets out requirements for obtaining consent, defining responsibilities for data controllers and processors, and outlining penalties for violations. It applies universally to data collected before and after its enforcement, with provisions for sector-specific exemptions and supervisory mechanisms.

     

    Regulation Summary

    Timeline
    • September 17, 2023 – published in the Official Gazette.
    • March 17, 2024 – became effective.
    • March 17, 2025 – End of the transition period; organizations must be in full compliance.
    What Businesses Are Affected?
    • All entities processing personal data in Jordan.
    • Foreign businesses offering services to Jordanian residents.
    • Both public and private sector organizations.
    Exemptions
    • Personal and household data processing.
    • Journalistic, artistic, literary, and academic activities, provided they do not violate privacy rights.
    • Government data processing for national security, law enforcement, and regulatory purposes.
    Responsibilities for Businesses
    • Obtain informed consent before processing personal data.
    • Process data fairly, transparently, and for a lawful purpose.
    • Implement security measures to protect data from breaches.
    • Ensure data accuracy and allow individuals to access and correct their data.
    • Report data breaches to the designated regulatory authority.
    • Appoint a Data Protection Officer (DPO) for businesses processing sensitive data at scale.
    Specific Website Owner Responsibilities
    • Provide a clear and accessible privacy policy.
    • Allow users to withdraw consent easily.
    • Ensure data security measures are in place.
    • Report data breaches in accordance with regulatory requirements.
    Additional Requirements
    • Restrictions on cross-border data transfers unless adequate protections are ensured.
    • Parental consent required for processing children's data.
    • Maintain processing records for regulatory compliance.
    Data Subject Rights
    • Access their personal data.
    • Request correction or deletion of their data.
    • Object to data processing in certain cases.
    • Withdraw consent at any time.
    • File complaints with the regulatory authority.
    Enforcement
    • Regulated by the Personal Data Protection Council.
    • Fines for non-compliance range from JOD 1,000 to JOD 10,000 (~USD 1,410 to 14,100). Daily fines of JOD 500 (~USD 705) apply for ongoing violations, up to a maximum of 3% of annual revenues. 
    • Repeated violations may result in doubled penalties.
    • In addition to fines, courts may order the destruction of unlawfully processed data or the cancellation of a database following a final conviction​.
    Supervisory Authority

    The supervisory authority for Jordan's data protection law is the Personal Data Protection Council.

    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596