
Jordan - Data Protection Overview

October 2023

1. Governing Texts

The significance of data protection has increased as the collection and processing of data have become easier, more widespread, and more frequently required amid rapid technological and digital developments. Consequently, it has become necessary to have specific data protection legislation in place to regulate and govern the protection of personal data.

Law No. 24 of 2023 Personal Data Protection Law (only available in Arabic here) ('the Law') aims to boost the constitutional freedoms and rights contained in the Constitution of the Hashemite Kingdom of Jordan (only available in Arabic here) ('the Constitution'), Jordanian Laws, international conventions, and the Universal Declaration of Human Rights, and to affirm the place of Jordan among the other countries that regulate the digital environment. Its main aim is to protect the personal data of Jordanian citizens and residents of Jordan. The Law also aims to establish a balanced digital environment in Jordan to ensure the safety and security of the natural individual ('the data subject') in Jordan.

1.1. Key acts, regulations, directives, bills

The Law governs and regulates the processing of data in Jordan. Following its publication in the Jordanian Official Gazette on September 17, 2023, it will have full legal effect six months from that date.

The Law states that the terms of the Law shall be implemented and applied to all bodies that deal with data after one year from the effective date, so all companies and organizations that deal with data are given a grace period of one year to comply with the terms and conditions contained in the Law as from April 2024. Overall, the Law will not be applicable until one and a half years from the date of publication in the Official Gazette.

Nevertheless, the regulations, directives, and instructions needed to regulate the implementation of the terms of the Law have not been released yet. The Law states that it will apply to all data processing, even where it was conducted before the Law came into effect. In addition, the Law sets forth a provision on forming the Personal Data Protection Council ('the Council') and the Personal Data Protection Unit ('the Unit') at the Ministry of Digital Economy and Entrepreneurship ('the Ministry'), with clear stipulations on the duties and responsibilities of the Council and the Unit.

1.2. Guidelines

The Law outlines that personal data protection shall be governed, regulated, and supervised under the Ministry, and the Council formed in accordance with the Law to be headed by the Minister of Digital Economy and Entrepreneurship alongside a Unit at the Ministry. The Council is responsible for issuing data protection guidance, general policies, strategies, plans, and programs and monitoring the correct implementation of the Law in addition to issuing the licenses for processing data. The Unit is responsible for monitoring compliance with the Law and preparing as well as drafting the terms of the regulations, directives, and instructions for projects related to the Law. In addition, the Unit is responsible for receiving complaints about violations of the Law, regulations, and directives, and reviewing and investigating such complaints to be raised to the Council afterward.  

1.3. Case law

The Law is still new legislation in Jordan and therefore no case law and judicial precedents have been issued.

2. Scope of Application

2.1. Personal scope

The Law applies to all natural individuals and legal entities in Jordan that process data whether they are private or public organizations.

However, in some instances, the Law does not apply to public organizations, as the Law permits public organizations (government authorities) to process the personal data of natural individuals without obtaining their prior consent if the processing of such data was conducted for the purposes of the public authority carrying out its functions and missions as per applicable local laws provided that the processing shall be limited to the extent of implementing its public missions only.

Likewise, the Law shall not apply to natural individuals who process their own personal data for their own personal purposes.

2.2. Territorial scope

The Law applies to the processing of natural individuals' data conducted in Jordan. It also applies to the responsible person, defined in the Law as the natural individual or legal entity that has the data under their or its custody, even if that responsible person is based outside Jordan.

2.3. Material scope

The Law provides for the protection of personal data and sensitive personal data of any kind which may identify, directly or indirectly, a natural individual, whereby 'personal data' is defined by the Law as any data or information related to any natural individual, whatever the source or form of such data is, including data which is related to the natural individual's personality or marital status or family status or the geolocation data. Sensitive personal data is defined as any data or information that is related to a natural individual which indicates directly or indirectly their origin, heritage, or ethnicity or indicates their opinions or political interests, religious beliefs, or any data that belongs to their financial status or health whether physical, mental, or genetic conditions, biometrics, their criminal records, or any information or data the Council deems and decides to be sensitive data in case the disclosure or misuse of such data will cause damages to the natural individual concerned.

The Law defines the processing of data ('process') as any operation, in any form or by any means, that aims to collect, record, copy, save, store, organize, edit, exploit, use, send, distribute, or publicize data, to link such data to other data or make it available, or to transfer, display, anonymize, encode, destroy, restrict, erase, adjust, describe, or disclose the data by any means whatsoever. The Law also regulates the processing of data by automated means to identify the interests, orientations, or behaviors of the concerned individual. Moreover, the Law prohibits processing the personal data of any concerned individual without obtaining the prior explicit consent of that individual. The consent request must include the specific purpose of the processing, which must be legitimate, clear, and specified, and the processing must also be in line with the purposes for which the data was initially collected.

However, the Law permits the processing of personal data without obtaining the consent of the concerned individual and without notifying such individual in specific and certain cases. Such processing of data shall be legal and legitimate in the following instances:

  • the processing is conducted by a competent public authority to the extent it needs to perform its duties as per the terms and conditions of the applicable local laws or the processing is conducted through another organization contracted, provided that the contract takes into consideration all the commitments and conditions as stipulated in the Law, regulations, and instructions emanating from such Law;
  • if the processing of data is necessary for preventive medical purposes, medical diagnosis, or for providing health care services by a person or an entity licensed to practice any of the medical professions;
  • if the processing is necessary to protect the life of the concerned individual or to protect their vital interests;
  • if the processing is necessary to prevent a crime or to discover it by a competent authority, or to pursue the crimes perpetrated in violation of the terms of the Law;
  • if the data was required or disclosed based on any legislation or if the data is required to enforce legislation or based on a court order;
  • if the data was required for the purposes of performing the duties of the entities that are subject to the monitoring and supervision of the Central Bank of Jordan including the transfer and exchange of data inside and outside Jordan in this regard;
  • the processing is being conducted as per the terms of the regulations emanating from the Law;
  • if the processing is necessary for the purposes of historical or scientific research, provided that the purpose of such processing is not meant to take any action or decision concerning a specific individual;
  • if the processing is necessary for statistical purposes or national security requirements or to achieve the public interest; and
  • if the processing is conducted upon data that is made available to the public by the concerned individual.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator of data protection shall be the Council formed and constituted pursuant to the Law. The Council shall be presided over by the Minister of Digital Economy and Entrepreneurship and also forms the Unit at the Ministry.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the Council are to:

  • set out the policies, strategies, plans, and programs concerning the protection of data and monitoring its implementation;
  • set out the special criteria and measures for protecting data including codes of conduct for the good performance of the responsible person and the processor in carrying out their activities;
  • issue the licenses and permits pertaining to the storing, processing, diagnosing, and transferring of data;
  • set out the forms for prior consent, to withdraw consent, and to review the objections and requests submitted by the concerned individuals as per the terms of the Law;
  • review the complaints and requests by the concerned individual or their agent made against the responsible person, or the complaints made by the responsible person against another responsible person and take the necessary actions in this regard;
  • provide opinions on conventions, treaties, legislation, and instructions pertaining to the protection of data;
  • represent Jordan in the local, regional, and international forums pertaining to the protection of data;
  • issue a periodical and up-to-date list containing the countries, commissions, and international as well as regional organizations that are accredited by Jordan as having a sufficient level of data protection and to publicize such a list by any means the Council may deem fit;
  • suggest plans for international cooperation in terms of data protection and to exchange expertise with the international authorities and organizations;
  • coordinate and cooperate with the governmental and non-governmental authorities to ensure the correctness of data protection measures;
  • issue instructions relative to the terms of the Law; and
  • approve the annual report of data protection as prepared by the Unit and raise the same to the Council of Ministers.

The main regulatory duties and responsibilities of the Unit shall be to:

  • prepare and draft bills and instructions which are related to data protection and raise them to the Council;
  • receive reports and complaints concerning violations of the terms of the Law, regulations, and instructions emanating from the Law and investigate such reports and complaints, and make recommendations to the Council to take suitable and appropriate decisions on the same;
  • monitor compliance with the terms of the Law, regulations, and instructions emanating from the same;
  • make a registry in order to list the names of persons responsible for data, data processors, and data controllers therein, and to supervise and regulate such a registry as per the instructions to be issued by the Council for this purpose;
  • prepare the annual report concerning the activities of the Unit and raise such a report to the Unit to approve it; and
  • other duties assigned by the Minister of Digital Economy and Entrepreneurship and the Council.

Furthermore, the Unit is responsible for receiving complaints by natural individuals, investigating them, and recommending to the Council the issuance of warnings to the body that is violating the terms of the Law including to cease violating the Law, regulations, and instructions and to remove the violation causes and its effects. The Unit may also issue recommendations to the Council to render a suitable sanction. Furthermore, the Unit is eligible to publish a statement on the violations that were proved to have been committed at the expense of the violating body, by any means and way the Unit deems appropriate.

4. Key Definitions

Data controller: the responsible person is defined in the Law as the natural individual or the legal entity, whether inside or outside Jordan, who has the data under their custody. (Please note that 'data controller' is meant in the Law as the data owner or the data controller as may be defined in other international data protection legislation.)

Data processor: the natural person or the legal entity that is specialized in processing the data.

Personal data: any data or information related to any natural individual, that can lead to defining the natural individual whether directly or indirectly whatever the source or form including data that is related to the natural individual's personality or marital status or family status, or the places they go to and locations.

Sensitive data: any data or information related to a natural individual which indicates directly or indirectly their origin or heritage or ethnicity, their opinions or political interests, religious beliefs, any data that belongs to their financial status, health, physical, mental, or genetic conditions, biometrics, criminal records or any information or data the Council deems and decides to be sensitive data in case the disclosure or misuse of the same shall cause damages to the concerned individual.

Health data: there is no specific definition for health data in the Law since health data is categorized as sensitive personal data.

Biometric data: there is no specific definition for biometric data in the Law as biometric data is only categorized as sensitive personal data in the Law.

Pseudonymization: there is no specific definition of pseudonymization in the Law.

Data Subject: the individual concerned is defined in the Law as the natural individual whose data is being processed.

Data Protection Officer: the 'controller' is defined in the Law as the natural person who is appointed to supervise the database and processing of data in accordance with the terms of the Law.

5. Legal Bases

5.1. Consent

The Law stipulates that a processor who wants to process the personal data of a natural individual must obtain the consent of the data subject before initiating data collection and processing. The Law also stipulates that such consent must be explicit, documented electronically or in writing, and given for a legitimate and clear purpose. In addition, the consent must be specific in terms of its duration and purpose, and the language of the consent request must be simple, clear, specific, and easily accessible. Where the individual has a disability that affects their decision, or is under the legal age and therefore does not have legal capacity, the Law stipulates that the consent of any of their parents, their legal guardian/custodian, or a judge at court upon the request of the Unit must be obtained.

However, there are some restrictions on consent. First, consent shall not be considered legal where it was obtained based on the provision of incorrect information or on delusional or deceptive practices that led the data subject to grant their consent. Second, consent is not considered valid when the nature, type, or aims of the processing for which the data subject granted consent have been changed without obtaining new consent to the change from the data subject.

Nevertheless, the responsible person must inform the data subject before initiating the processing of the data, electronically or in writing, of the data to be processed, the date on which the processing commenced, and the purpose for which the processing of their data is being conducted as well as the duration for which the data shall be processed. Such duration will not be extended unless the data subject provides their consent to such intended extension and the processing of the data is conducted in accordance with the terms of the Law. The responsible person must also inform the data subject of the data processor who will work with the responsible person in conducting the processing activity and the terms and criteria of the adopted security and safety measures for conducting the processing besides informing the data subject of information about the identification processing.      

 

5.2. Contract with the data subject

The Law does not set forth any provision on the matter of agreements or contracts with the data subject. However, the Law implicitly addresses contracts: it obligates the responsible person to erase or hide the data if a request to erase or hide the data was submitted by the data subject as a fulfillment of a legal or contractual commitment.

However, despite the absence of a specific provision in the Law, a contract between the data subject and any organization or company processing data shall be permissible based on other locally applicable laws since there is no legal ban on entering into contracts or agreements that contain data processing as one of the obligations of a party; or if the processing was an initial contractual step to the process, the processing, in this case, must, however, be necessary for the purposes of fulfilling the contractual obligations contained in the contract only. In all cases the processing must be conducted under the rules contained in the Law as processing data that includes personal data and sensitive personal data shall be protected by the Law and therefore must rely on a legitimate and legal basis.

5.3. Legal obligations

Organizations or companies can rely on legal obligations if they need to process personal data to abide by the Law or any legal commitments vested upon them as contained in other applicable local legislations since the Law stipulates certain legal obligations that will be the legitimate legal basis for processing the data; one of which is for the person responsible and the recipient to keep a record documenting the data that was transferred or exchanged with the recipient of such data and the purpose of such transfer and exchange of the data in addition to documenting the consent of data subjects to such transfer.

The Law also stipulates that the data processor shall be obliged to abide by the requirements and conditions of the Law, regulations, and instructions emanating from the responsible person when conducting and performing the processing of data. The Law also obligates the data processor not to exceed the specified duration and purpose of processing the data and to erase the data upon the lapse of the specified duration of the processing or upon the delivery of the processed data to the responsible person. The Law also obligates the data processor not to take any action that would make the data or the results of the processing accessible to the public, except in the instances permitted by law, since the Law obligates data processors to keep data secret and confidential.

5.4. Interests of the data subject

In principle, the interest of the data subject must override the interests of the organization or company that intends to process the data of a natural individual. Therefore, the processing must be based on a legal basis, for a legitimate, clear, and specific purpose, for a limited period of time, in line with the purpose on which the data was initially collected, be up to date, correct, and accurate, and not identify the data subject after the purpose of processing ends, not cause any damages to the data subject or affect their rights whether directly or indirectly, and be conducted in a way that guarantees the confidentiality, secrecy, and safety of the information and not make any change to such information.

However, the Law permits processing the data of a natural individual when it is necessary to protect an interest that is vital for the life of the data subject or as it relates to the vital interest of another natural individual.

5.5. Public interest

The Law permits the processing of the personal data of a natural individual where the processing is meant for the public interest of an official authority to perform its missions and functions as such processing must be carried out in favor of the public or for exercising the official authority duties. Processing in these cases shall be legal and legitimate even without notifying the data subject of the data processing in specific instances such as:

  • processing that is being conducted by a competent public authority to the extent it needs to perform its duties as per the terms and conditions of the applicable local laws or the processing is conducted through another organization contracted, provided that the contract takes into consideration all the commitments and conditions as stipulated in the Law, regulations, and instructions emanating from such Law;
  • if the processing of data is necessary for preventive medical purposes, medical diagnosis, or for providing health care services by a person or an entity licensed to practice any of the medical professions;
  • if the processing is necessary to protect the life of the individual concerned or to protect their vital interests;
  • if the processing is necessary to prevent a crime or to detect it by a competent authority or to pursue the crimes perpetrated in violation of the terms of the Law;
  • if the data was required or disclosed based on any of the legislations or if the data is required to enforce such legislations or based on a court order;
  • the processing that is being conducted as per the terms of the regulations emanating from the Law; and
  • if the processing is necessary for the purposes of historical or scientific research provided that the purpose of such processing is not meant to take any action or decision concerning a specific individual.

5.6. Legitimate interests of the data controller

Data processing must not be conducted without obtaining the consent of the individual concerned and must be in accordance with the provisions specified in the Law unless the processing is based on a legal and legitimate basis.

However, relying on legitimate interests as a basis to process the data entails that the responsible person has carefully considered the rights and interests of the data subject, which must not override the interest of the responsible person anyway. Therefore, processing personal data may be based on the responsible person's legitimate interests in cases where there is a direct relationship between the responsible person and the data subject, such as:

  • processing the data for statistical, historical, or scientific research;
  • transferring the data of the natural individual between the branches of the company or organization for better management of the business of the company or organization;
  • for direct marketing provided that there is prior consent to such marketing, unless the data subject was a client of the responsible person and the processing for marketing purposes, in this case, was for promoting the products of the responsible person to such data subject specifically after they have consented to the same.

5.7. Legal bases in other instances

The Law does not explicitly outline or set forth rules on processing the data of employees by their employer. However, the Law does not restrict processing the personal data and the sensitive personal data of employees by their employers and so it is permitted to process such data of employees provided that the processing is in line with the rules of the Law.

Direct marketing can be carried out on the legal basis of prior consent and cannot be transferred to or exchanged by the person responsible with another person or recipient for marketing of products or services unless the data subject consents to such transfer or exchange for marketing.   

6. Principles

The main principle of the Law is protecting the rights of natural individuals by legally guaranteeing that their data is protected from being processed without obtaining their prior consent, and that the processing of their data must be proportionate to the legitimate and legal purpose of data processing as the natural individual must be enabled to object to the processing of their data and to withdraw their prior consent and to access the data, update it, and have all the means of assistance that would enable them to exercise such rights in a safe and secure way and to be enabled to exercise all their rights as stipulated in the Law.

Transparency: The Law stipulates that the responsible person and data processors must have certain policies and guidelines for processing and collecting such data and noting that such policies and guidelines must be published and made available to the public on the websites of the responsible person.

The Law also obligates the responsible persons to notify the data subject before initiating data processing, electronically or in writing, of the data that will be processed, the duration or time limit to conduct the processing of the data, and of the fact that the time limit will not be extended unless subsequent consent is obtained from the data subject. The responsible person must also provide the data subject with details on the data processor that will cooperate with the responsible person in conducting the processing, alongside notifying the data subject of the adopted measures which will be complied with for the protection, safety, and security of the data, and inform them about the information of identification. Moreover, the Law requires prior and consequent consent requests to be transparent as the language of the request must be clear, simple, and specific.

In addition, the Law requires transparency with the data subject about the recipient that their data will be transferred to or exchanged with, the purpose for which the data will be used, and whether or not the recipient of the data affords a level of data protection lower than the level imposed by the Law.

Purpose limitation: Processors must not exceed the purpose of the data processing for which consent has been initially given, as the processing of data must be limited to the same initial purpose unless the consequent consent of the natural individual has been obtained or unless the extended or new purpose of processing is permitted or required by the Law.

Data minimization: The Law obligates the responsible person to have the data processing limited to legitimate purposes and legal bases.

Accuracy: The Law obligates the responsible person to ensure the correctness and accuracy of data. Before initiating the processing, the responsible person shall be obliged to correct data that is incomplete or inaccurate where it is evident to them that the data is incorrect or is not compatible with the facts, and to make sure that no change shall occur on such data and information.

Storage limitation: The Law stipulates that data that has already been processed must be retained only for the period necessary to complete the legitimate purpose.

Confidentiality and accountability: Data that is being processed shall be considered secret and confidential and therefore the person responsible and processor must observe its confidentiality and secrecy.

The Law obligates the responsible person, data controller, and data processor to treat the information and data of the natural individual as confidential and secret information and not disclose, process, or transfer data without a legitimate cause, legal basis, or the prior consent of the data subject. Subsequently, the processed data must not identify the data subject after the purpose of processing the data has come to an end and the data processing must be conducted in a way that guarantees the confidentiality of the data and information and ensures its safety.

In terms of accountability, the responsible person shall be held accountable for significant damage caused to the data subject for breach of their data subject rights under the Law. The responsible person is subject to sanctions contained under the Law and shall also be obliged to indemnify the damage of the data subject in case of serious damage.

7. Controller and Processor Obligations

7.1. Data processing notification

The Law indicates that the types of licenses and the forms for requests and registration, including specific requirements, will be set out in regulations, instructions, and directives to be issued by the Council and the Unit. Since the Law has been enacted recently, such regulations and instructions relating to data processing notification have not yet been issued by the Council and the Unit, and therefore no registration requirements have been identified yet.

The Law permits the processing of data in certain instances without obtaining the prior consent of the natural individual concerned and without even notifying them as the processing in such instances shall be legal and legitimate. The Law does obligate the responsible person before initiating data processing to notify the data subject, electronically or in writing, of the data that will be processed, the date the processing will start, the purposes of the processing, as well as the duration, and requires them to provide information about the processor and the adopted measures for the security and safety of the data, as well as provide information on identification.

7.2. Data transfers

The Law restricts the transfer and exchange of data by and between the responsible person and any other person unless the consent of the data subject prior to such intended data transfer or exchange is obtained, provided that the following conditions are met:

  • the transfer must achieve the legitimate interests of the responsible person and recipient;
  • the data subject must be sufficiently aware of the recipient of the transferred or exchanged data and the purposes for which such data will be used; and
  • the transfer purpose must not be for the marketing of products and services unless the data subject has consented to this.

The Law also provides that the transfer of data must not be made to any person outside Jordan including the recipient if the afforded data protection level for such transferred or exchanged data is less than the level of protection provided under the Law, unless the transfer is subject to the following exceptions:

  • regional or international judicial cooperation in accordance with international treaties and conventions applicable in Jordan;
  • international or regional cooperation with commissions or organizations or international or regional agencies working in the field of combating crimes of all kinds and the prosecution of its perpetrators;
  • when necessary for the data subject's medical treatment;
  • when necessary for pandemics or health disasters or where it affects the public health in Jordan;
  • where the data subject has consented to the transfer after notifying them of the lack of sufficient protection for the transferred data;
  • banking transactions and the transfer of monies outside Jordan; and
  • where the responsible person, before initiating the data transfer, has confirmed the level of protection the recipient has outside Jordan to guarantee the protection and security of the transferred data.

7.3. Data processing records

There is no clear stipulation in the Law that obligates the responsible person or data processor to maintain data processing records. However, Article 14(b) of the Law stipulates that the responsible person must maintain records documenting data that was transferred or exchanged and documenting the consents of data subjects to such transfers.

Nevertheless, it is expected that the Council and Unit shall draft directives, instructions, and regulations to implement and regulate the maintenance of data processing records.

7.4. Data protection impact assessment

Pursuant to Article 11(b)(2) of the Law, one of the duties of the controller is to carry out a periodic assessment and evaluation of the database, data processing systems, and systems preserving the security and safety of data. The controller must document the outcomes of such assessment and issue the necessary recommendation for protecting the data and implement such recommendations, alongside monitoring procedures adopted for protecting data and documenting compliance with the Law and relevant legislation.

However, the Law does not set out a method for conducting such an assessment. This issue is expected to be addressed in the regulations and instructions on data protection to be issued once they have been drafted by the Unit and the Council.

7.5. Data protection officer appointment

Article 11(a) of the Law provides that the responsible person shall be committed to appointing a controller in the following instances:

  • the main business of the responsible person is the processing of personal data;
  • the responsible person processes sensitive personal data;
  • the responsible person processes the personal data of natural individuals who do not have legal capacity;
  • the processing includes financial information;
  • the responsible person transfers personal data outside Jordan;
  • any other case for which the Council decides to oblige the responsible person to appoint a controller.

7.6. Data breach notification

The Law defines a breach of data security as any unauthorized access, operation, transfer, or action over the data. The Law obligates the responsible person to notify the data subject of any significant breach that may cause serious damage to them. The responsible person must take the following actions:

  • notify data subjects that their data might have been affected within 24 hours of discovering or detecting the breach and provide such data subjects with the necessary procedures that will be taken to avoid any consequences;
  • notify the Unit within 72 hours of discovering the breach of data and provide information about the source of the breach, its mechanism, the data subjects who have been affected by the breach, and any other information available about the breach.

7.7. Data retention

The Law does not permit the retention of data after the purpose for which it has been processed has come to an end unless other legislation states otherwise. Therefore, data must not be retained by the responsible person and processor for a period exceeding the time duration contained in the consent request unless the time duration has been extended and the natural individual has consented to such time extension.

7.8. Children's data

The processing of children's data is implicitly addressed in the Law, which restricts the processing of data of natural individuals who do not have the legal capacity to provide their consent to have their data processed. In this case, the consent of a parent, legal guardian, or judge must be obtained, taking into account that the legal age in Jordan is 18 years old.

However, pursuant to other legislation in Jordan, the consent of a child over seven years of age and below 18 years might be taken into consideration if they consented to processing where such processing is for the actual and pure interest and benefit of the child. However, if such processing has caused actual damage to the child, then the consent provided by such a child shall be null and void and if the processing consented to was not completely in the child's favor or was completely against the child's interest, then the approval or rejection of parental consent shall be taken into account.

7.9. Special categories of personal data

Special categories of personal data are classified as sensitive personal data under the Law.

One of the requirements for the responsible person to process the sensitive personal data of data subjects, including criminal records or the data of persons who do not have legal capacity owing to disabilities or being under the legal age, is to appoint a controller who must monitor and supervise the measures and standards taken by the responsible person for processing sensitive personal data.

7.10. Controller and processor contracts

The Law does not provide for a contract between the responsible person and data processors. However, the Law provides that the Council and Unit will draft directives and regulations to be issued by the Council and the government to implement and regulate the application of the terms of the Law.

8. Data Subject Rights

8.1. Right to be informed

The Law outlines that data subjects have the right to know their personal data available with the data controller and to obtain a copy of such data.

8.2. Right to access

The Law provides that data subjects have the right to see and access their personal data available with the data controller and to obtain a copy of such data.

8.3. Right to rectification

The Law provides that data subjects have the right to correct, edit, or make additions to or update data.

8.4. Right to erasure

The Law provides that data subjects have the right to have their data erased or hidden pursuant to the terms outlined in the Law.

8.5. Right to object/opt-out

Data subjects have the right to object to data processing and diagnoses, if such processing was not necessary to achieve the purposes for which the data was initially collected, if such processing is in excess of their legal basis, if the processing caused discrimination or injustice, or if the responsible person violated the Law.

Further, the Law also provides for the right to withdraw prior consent.

8.6. Right to data portability

The Law outlines that data subjects have the right to obtain a copy of data transferred from the responsible person to another responsible person.

8.7. Right not to be subject to automated decision-making

The Law does not provide for the right to not be subject to automated decision-making.

8.8. Other rights

Notably, data subjects have the right to have data processing limited to a specific domain.

Data subjects also have the right to be informed about any breach or violations of the security and safety of their data.

9. Penalties

The Law provides that where any violation of the terms of the Law, or of the regulations, directives, and instructions emanating from the same, is committed, the Unit must warn the violating party to cease the violation and remove its causes and effects within a certain period of time to be set out in the warning notification. The Council may, based on the recommendation of the Unit, impose any of the following penalties on the violating party:

  • warning the violating party to suspend the permit or the licenses, partially or completely;
  • suspending the permit or the licenses, partially or completely;
  • canceling the permit or the licenses, partially or completely; or
  • imposing a financial fine not exceeding JOD 500 (approx. $700) for each day on which the violations continue provided that the total amount of the fine must not be in excess of 3% of the total annual revenues of the preceding fiscal year of the violating responsible person.

The Unit also has the right to publish the violations that were proved to have occurred at the expense of the violating party.

The Law also provides that everyone who violates the terms of the Law and the regulations, directives, and instructions emanating from the same shall be sanctioned with a fine not less than JOD 1,000 (approx. $1,400) and not less than JOD 10,000 (approx. $14,100), and such a penalty shall be doubled in the case of repetition. In addition to this, the competent court shall be eligible, based on its own decision, on a request by the public prosecutor, or on a request from the affected data subject, to destroy the data or to cancel the database which is the subject matter of the lawsuit in which a conclusive conviction decision has been rendered.

Furthermore, the affected or damaged data subject shall have the right based on the terms of tort law to claim for a just indemnification before the court against the violating party as the penalties taken by the Council and Unit shall not exempt the violating party from being sued by the data subjects before the competent courts in Jordan.

9.1. Enforcement decisions

The Law is still new and therefore, no notable enforcement precedents or decisions have been rendered.
