What is the scope of the Data Protection Law?

The provisions of the Law apply to any normal or sensitive personal information processing of natural persons, whether such data was collected or processed before or after the effectiveness of the Law, within Jordan, even if the controller is located outside Jordan. The Law is also applied to the transferring and exchanging of personal information inside and outside Jordan. However, it is worth mentioning that the Law does not apply to individuals who are processing their own personal information for personal use only. 

(Normal vs sensitive) personal information

Definitions

According to the Law, 'normal personal information' is defined as any information or data related to an individual that could be used to directly or indirectly identify an individual, regardless of its source or form, including data that are related to the individual, family status, or their whereabouts. On the other hand, 'sensitive personal information' is defined as the information that could be used to directly or indirectly identify an individual, including ethnic origin or political opinions; religious beliefs; health-related data; data concerning criminal records; or genetic data or biometric data that may be processed to identify a human being or any data that the Personal Information Protection Counsel defines it as sensitive data if harm shall be caused to the concerned individual when breached or was subject to misconduct.

Protection measures

According to the Law, the data controller is obliged to assign a data protection officer (DPO) when processing sensitive personal information, whose main responsibilities include, without limitation, the following:

• monitoring all procedures taken by the data controller regarding data protection and authenticating compliance with the Law and any related laws;
• supervising the periodic evaluation and examination of personal information base systems, personal information processing systems, and systems for maintaining the security and protection of personal information, provided that the DPO documents the results of the evaluation, issues the necessary recommendations for the protection of personal information and follows up on the implementation of these recommendations;
• working as a direct liaison officer with the supervisory authority and the security and judicial authorities regarding compliance with the provisions of the Law;
• developing internal instructions and policies for receiving and examining complaints, requests for data access, and requests for the correction or deletion of data; monitoring the adequacy of the technological means used to enable the concerned individuals to exercise their rights; and organizing training programs for data processing for data controllers' employees to qualify them to deal with personal information in full compliance with the requirements of the Law.

According to the Law, a data protection officer must be a natural person and capable of complying with the legal responsibilities as outlined above.

Conclusion

Although there are several differences in defining both normal and sensitive personal information, however, the Law has applied the same provisions on both normal and sensitive personal information, taking into consideration assigning a DPO as stated above.   

Data subject rights

According to Article 4 of the Law, there are several rights that concerned individuals are entitled to, mainly the following rights: to knowledge, access to, and to obtain held data by the data controller; to object and withdraw the prior consent; to be informed; to correct, reform, add, or update data; restriction of processing; to be forgotten; to ensure data erasure; to object to the data processing and diagnosis if it is not necessary to achieve the purposes for which data was collected for, or if it is more than its requirements, discriminatory, unfair, or in violation of the Law; to data portability; and to be aware of any data infringements and breaches. A regulation shall be issued in accordance with Article 4 of the Law to further clarify the data subject rights, and how be practiced. 

Moreover, individuals are entitled to monetary damages for harm and damage caused by data processors and data controllers. The civil law and tort provisions cover the actual damage, as well as damage for emotional distress.

Prior consent

According to Article 4 of the Law, the data subject has the right to protect its personal information, and processing of such data is subject to the prior written consent of the data subject. Taking into consideration that such consent is subject to several conditions as outlined in Article 5 of the Law, as follows:

• express and documented approval either in writing or electronically;
• to be specific in terms of duration and purpose;
• the request for approval should be in clear, simple, non-misleading language and be accessible; and
• the approval of one of the parents or guardians of the data subject, the judge based on a request by the organizational unit concerned with the protection of personal information in the Ministry, if the data subject does not have the legal capacity to provide its consent.

In some cases, prior approval shall not be considered if:

• such approval was issued on the basis of incorrect information, deceptive, or misleading practices; or
• the nature, type, or objectives of the data processing were changed without obtaining the prior consent of the data subject.

Nevertheless, there are some situations whereby prior consent is not required as outlined in Article 6 of the Law, and the data processing shall be considered legitimate if:

• processing carried out directly by a competent public authority to the extent required to carry out the tasks entrusted to it by law or through other contracted bodies, provided that the contract shall include all the obligations and conditions stipulated in the Law and the regulations and instructions issued pursuant thereto;
• such processing is necessary for preventive medical purposes, medical diagnosis, or evaluation of health care by the licensee to practice any of the medical professions;
• data processing is necessary to protect the life of the data subject or to protect their vital interests;
• data processing is necessary to prevent or detect a crime by a competent authority, or to prosecute crimes committed in violation of the provisions of the Law;
• data processing is required or authorized under or in the implementation of any of the legislation, or by a decision of the competent court;
• it is required for the purposes of the entities subject to the control and supervision of the Central Bank of Jordan carrying out their work in accordance with the Central Bank of Jordan decisions, including transferring and exchanging data inside or outside Jordan;
• data processing is carried out according to the regulation which shall be issued according to the Law;
• data processing is necessary for the purposes of scientific or historical research, provided that the purpose shall not be taking any decision or action concerning a specific person;
• data processing is necessary for statistical purposes, national security requirements, or to achieve the public interest; or
• the personal information is publicly available to the concerned individual.

Main data protection principles

Below are the main data protection principles addressed by the Law:

Transparency

Subject to Article 6 of the Law, and according to Article 9 of the Law, the data controller must, before starting processing, inform the concerned individual in writing or electronically of the following:

• the personal information that will be processed;
• the date that processing will commence;
• the purpose for which the personal information is being processed;
• the time period during which the personal information will be processed;
• the involved data processor who shall participate in data processing;
• the data security, safety, and protection; and
• information about identification.

Data accuracy

According to Article 7 of the Law, personal information should be accurate and subject to periodic updating to ensure that it is the same upon each use, as well as to verify that the purpose of the processing is legitimate, specific, and clear and that any subsequent procedure is conducted in a manner that is consistent with the purpose for which it was collected, through legitimate means.

Data minimization

Although the Law does not explicitly restrict the types or volume of personal information that may be collected, it is implicitly understood that the collected data must be used solely for the purpose of data processing and any data that is not related to this purpose shall be exempted and not be collected.

Data retention

According to Article 12 of the Law, the amount of personal information that may be held and the duration for which it may be retained for the purpose of data processing is restricted then the processor shall either erase the data or deliver the latter to the data controller, unless the duration is extended upon the approval of the concerned individual.

Purpose limitation

The Law has adopted the finality principle, as data processors must use the collected personal information only for the purposes for which it has been collected, unless the consent of the individual has been obtained, or as explicitly permitted or required by law.

If a data processor wishes to use the held personal information for a new purpose, prior consent must be obtained from the concerned individuals for their personal information to be used for the newly identified purpose.

Confidentiality

The Law has stressed the importance of data confidentiality, for example, data processing must be through using appropriate means to ensure its confidentiality according to Article 7 of the Law, also according to Article 13 of the Law, data and the subject matter of data processing are confidential. Therefore, the Law imposes general obligations on data controllers and processors to protect personal information from any disclosures or misuse, including, without limitation, ensuring their safety and security from any breach or disclosure, and the development of appropriate means to detect and trace attacks and threats on personal information security.

Accountability

The Law outlined the minimum requirements and rules with which each controller or processor of personal information must comply, as well as the requests from such entities regarding the techniques and procedures to be used in processing. If the controllers or processors have not set those internal controls or techniques, although they are obliged to do so, they must comply with the Law, otherwise, the breaching party shall be subject to sanctions.

Cross-border data transfers

In general, data processors or controllers, prior to transferring data, must be assured of the security and measures to be taken by the outsourced processor. Such data transfer is restricted without the prior consent of the data subject. Additionally, without the explicit agreement and consent of the data subject, the prior consent does not allow personal information to be sold or shared for targeted advertising purposes.

Any cross-border transaction of personal information must be transferred to a party that has a sufficient level of data protection. The level of protection afforded to a data recipient is equivalent to that imposed by Jordanian laws and regulations, except in the following cases: judicial cooperation is established under international conventions and treaties; international cooperation in the field of combating crimes; data exchange is essential for patient treatment if it is necessary for the patient's treatment; data exchange is related to epidemiological and health disasters or public health related to Jordan; the data subject has approved the transfer of data after being made aware that the level of protection outside the jurisdiction is not equivalent to the level imposed by Jordanian laws and regulations; and transfer of funds abroad.

Appointment of the DPO

Data controllers are obliged to appoint a DPO who has the capability to abide by their legal responsibilities, especially in the following circumstances:

• if the main activity of the data controller is data processing;
• when processing sensitive personal information;
• when processing an incompetent person's personal information;
• when processing personal information related to credit information;
• when transferring personal information outside Jordan; or
• in other circumstances defined by the council for the protection of personal information.

Data protection authorities

Data protection council

The provisions of the Law have established a Council For The Protection Of Personal Information, the Council shall consist of the following members: the Minister of Economy and Entrepreneurship as its chairman, the information commissioner as vice-chairman, the general commissioner for Human Rights, the head of the National Center for Cyber Security, a representative of the Central Bank of Jordan, two representatives of the security agencies appointed by the directors of those agencies at the request by the Minister of Economy and Entrepreneurship, four persons with experience and specialization who shall be nominated by the Prime Ministry, including a representative from the telecommunications sector, a representative from the banking sector, and a representative from the information technology sector. The term of membership in the council shall be four years, renewable for once only.

Article 17 of the Law has stated the main responsibilities and roles of the councils, including but not limited to the following:

• approving policies, strategies, plans, and programs related to data protection and monitoring their implementation;
• adopting standards and measures for data protection, including codes of conduct for the proper performance of the controller and processor's performance;
• issuing licenses and permits for storing, processing, diagnosing, and transferring data;
• approving forms related to prior approval, withdrawal of approval, objections, and requests submitted by the concerned individual in accordance with the provisions of the Law;
• consider complaints and requests submitted by the concerned individual or their authorized representative against the controller, or submitted by a controller against other controllers, and take the necessary measures against them;
• expressing their opinion regarding treaties, agreements, legislation, and instructions related to data; and
• issuing a periodically updated list of countries, international or regional bodies, or organizations accredited to Jordan that have an adequate level of data protection and publishing it by any means the council deems appropriate.

Data protection unit

Also, according to a regulation issued in accordance with the Law, a personal information unit in the Ministry of Digital Economy and Entrepreneurship shall be established. This organizational unit is competent to protect personal information in the Ministry of Economy and Entrepreneurship, utilizing the powers specified under Article 18 of the Law, including preparing draft legislation and instructions related to the protection of personal information; receiving reports and complaints related to violations; investigating the perpetrators of violations and making appropriate decisions on these matters; monitoring the commitment of any person responsible for data processing, and the extent of their commitment to specific technical and administrative procedures; monitoring compliance with the provisions of the law, regulations and instructions; and opening, supervising and organizing an official registry of personal information officials, processors, and controllers.

Both the supervisory authority (the council and the unit) and the judicial system are responsible for triggering public rights complaints following penal and administrative procedures, and for supervising and executing the provisions of the law; however, the competent court has a wide range of references in terms of the adaption and estimation of the actual damage, and in determining compensation and punishment.

Licenses and permits

The Law, according to Article 24, has mentioned that data processing shall be through permitted and licensed persons, however, legal provisions related to such required permits and licenses shall be governed through regulations issued in accordance with the Law. Also, according to the later regulation, there would be some entities that shall be excepted from obtaining such permits and licenses. 

Personal data breach

According to the Information Commissioner's Office (ICO), a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal information. In the occurrence of a personal information breach that would cause serious harm to the concerned individual, according to Article 20 of the Law, the data controller must take the following measures:

• notify the concerned individuals whose data has been affected within (24) hours of discovering the breach, and provide them with the necessary procedures to avoid any consequences that may result from such breach; and
• inform the unit within (72) hours of discovering the breach about the source of the breach, its mechanism, the concerned individuals whose data was affected by such breach, and any other information available in this regard.

The data controller shall compensate the affected concerned individuals if such a breach is caused by serious fault or infringement.

Breaches of Data Protection Law

According to Article 21 of the Law, specific penalties are subject to be applied in response to any violation of the Law and the regulations and instructions issued according to it, and in proportion to the degree of the violation.

Initially, the established unit will have the authority to issue a warning that the violation must be stopped within a certain period. If the period lapses without due compliance with the warning, the Council for the Protection of Personal Information, based on the personal information unit's recommendation, has the authority to warn in partially or completely suspend, stop or withdraw the license or the permit, partially or completely suspend, stop or withdraw the license or the permit, as well as the power to impose daily fines not exceeding JOD 500 (approx. $700) per day till the violation is stopped, such fine shall not exceed 3% of the annual income for the default controller for the previous fiscal year. In addition, according to Article 22 of the Law, financial penalties of not less than JOD 1,000 (approx. $1,400), and not more than JOD 10,000 (approx. $14,100), may be imposed on those who violate the provisions of the Law. The court may also rule to destroy the personal information or erase the personal information subject to any case in which a conviction decision was issued.

Data protection compliance

All entities that cope with data are obligated to adjust their situations in accordance with the provisions of the Law within a period not exceeding one year from the effective date of the Law, even if such entities are coping with such data prior to the Law's effectiveness.

Mariana Abudayah Legal Associate
[email protected]
Nsair & Partners – Lawyers, Amman