These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Jordan Data Protection Compliance

Complete compliance checklist for Jordan Personal Data Protection Law No. (24) of 2023

Jordan Personal Data Protection Law No. (24) of 2023

Key Provisions

Key Definitions (Article 2)

  • Personal Data: Any data that directly or indirectly identifies a natural person
  • Sensitive Personal Data: Data revealing origin, race, political opinions, religious beliefs, financial status, health conditions, biometric details, or criminal records
  • Data Subject: The natural person whose data is being processed
  • Controller: Entity that determines purposes and means of processing personal data
  • Processor: Entity that processes personal data on behalf of the Controller
  • DPO: Individual responsible for overseeing data protection practices

Scope and Application (Article 3)

  • Territorial Scope: Applies to all personal data processing in Jordan
  • Coverage: Regardless of when data was collected
  • Exemptions: Does not cover processing by individuals for personal use

Rights of Data Subjects (Article 4)

  • Awareness of and access to data
  • Consent withdrawal
  • Correction of inaccurate data
  • Restriction of processing
  • Erasure/concealment under certain conditions
  • Data portability
  • Breach notification

Consent Requirements (Article 5)

Valid Consent Requirements:
  • Explicit and documented (written/electronic)
  • Specific to duration and purpose
  • Clear, simple, and accessible language
  • Parental/guardian consent for those lacking legal capacity
Invalid Consent Cases:
  • Obtained via incorrect or deceptive information
  • Processing scope altered without re-consent

Exemptions from Consent (Article 6)

Processing is lawful without consent when:

  • Performed by a public entity for its legal duties
  • Necessary for medical purposes
  • Essential for protecting the data subject's life
  • Required for crime prevention or prosecution
  • Mandated by legislation or court order
  • Required for Central Bank regulated entities
  • For scientific/historical research
  • For statistical, national security, or public interest purposes
  • Data made publicly available by the data subject

Controller Obligations (Articles 8-11)

General Duties (Article 8):
  • Implement robust data protection measures
  • Establish complaint resolution mechanisms
  • Enable data subjects to exercise their rights
  • Correct inaccurate data
Notification Requirements (Article 9):
  • Inform data subjects of the data processed and the start date of processing
  • Explain processing purpose and duration
  • Identify the processor and the security measures applied

Cross-Border Data Transfer (Article 15)

Transfer prohibited unless:

  • International judicial cooperation
  • International crime prevention cooperation
  • Necessary medical data exchange
  • Public health crisis data exchange
  • Informed data subject consent
  • International fund transfers

Data Breach Notification (Article 20)

Upon severe breach, Controller must:

  • Notify affected data subjects within 24 hours
  • Notify the Unit within 72 hours
  • Provide breach details and mitigation measures

Compliance Checklist

Lawful Basis for Processing

  • Obtain explicit, documented consent (Article 5A)
  • Process without consent under Article 6 exemptions
  • Use plain language for consent forms
  • Periodically audit consent records

Data Subject Rights

  • Enable rights (access, correction, erasure) per Article 4
  • Correct inaccurate data, except where the data is held for criminal investigations
  • Create user-friendly mechanisms for rights requests

Security Measures

  • Implement technical/organizational safeguards
  • Maintain confidentiality (Article 13)
  • Conduct regular security audits
  • Use encryption for sensitive data

Transparency & Notification

  • Inform data subjects before processing
  • Provide data types, purpose, Processor identity
  • Provide layered privacy notices

Data Accuracy & Retention

  • Ensure data is accurate and up-to-date
  • Delete data after purpose fulfillment
  • Automate data validation checks
  • Set retention schedules aligned with purposes

Cross-Border Data Transfers

  • Verify recipient's protection level matches Jordan's
  • Transfer only under Article 15A exemptions
  • Use Standard Contract Clauses for transfers

Breach Notification

  • Notify data subjects within 24 hours
  • Notify the Unit within 72 hours for severe breaches
  • Develop incident response plan
  • Train staff on breach escalation

Data Transfer Records

  • Maintain transfer records (Article 14)
  • Use centralized logging tools for transfers

Processor Contracts

  • Processor must process only per Controller's instructions
  • Include indemnity clauses in contracts
  • Define breach reporting timelines

Sensitive Data Handling

  • Apply heightened safeguards for sensitive data
  • Limit access via role-based controls
  • Conduct DPIAs for high-risk processing

Post-Processing Obligations

  • Processor must erase/return data after processing
  • Controller must erase upon request
  • Obtain written confirmation of data deletion

Cooperation with Authorities

  • Comply with Unit investigations and sanctions
  • Designate legal/DPO contact for regulator communication

Need Expert Assistance with Jordan PDPL Compliance?

Our team of data protection experts can help you navigate Jordan's Personal Data Protection Law requirements and ensure full compliance.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.