Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Jordan - Data Protection Overview

Jordan - Data Protection Overview

October 2022

1. Governing Texts

Even though the uptake of data has marked a new dawn for effective and accountable governance on a massive scale, Jordan has not yet promulgated a unified, overarching, and flexible legal framework that streamlines data protection for the purpose of compliance and surveillance. However, the draft data protection bill ('the Bill') is neatly devised and is expected to provide some breathing space for data controllers, as well as to protect data subjects. Nevertheless, the Bill has been stalled in Jordanian Parliament ('the Parliament') leaving stakeholders nonplussed as to whether their security measures fulfil the current general legal requirements, therefore adding a layer of uncertainty around the legal fate of contemporary issues within the data protection landscape such as data inheritance, data accuracy, and data encryption and decryption. Additionally, the Bill is merely designed to address the protection of personal data, meaning that other types of sensitive data, such as geographical data, may fall outside the scope of the Bill and would therefore remain unregulated. An updated version of the Draft Bill was published on 15 January 2020 by the Legislation and Opinion Bureau (only available in Arabic here), and was approved by the Jordanian Cabinet of Ministers on 30 December 2021, and subsequently referred to the Parliament being the primary legislative authority and who may pass the Bill as is or introduce amendments to same before the Bill is officially approved and published in the Official Gazette. As of today, the Bill is still in draft form and has not been formalised to be published in the Official Gazette.

1.1. Key acts, regulations, directives, bills

Article 18 of the provides that Constitution of the Hashemite Kingdom of Jordan ('the Constitution') all postal, telegraphic, and telephonic communications shall be treated as confidential shall not be subject to censorship or suspension except in circumstances prescribed by law.

In addition, financial data is regulated by several pieces of legislation. The Central Bank of Jordan ('the CBJ') Law No. 23 of 1971 (only available in Arabic here) provides that all data submitted to the CBJ shall be considered to be confidential, and therefore shall not be publicised.

Article 72 of the Banking Law No. 28 of 2000 (only available in Arabic here) ('the Banking Law') states that a bank shall observe full confidentiality regarding all accounts, deposits, trusts, and safe-deposit boxes of its customers. Banks shall be prohibited from providing, directly or indirectly, any information except upon a written consent of the owner of such account, deposit, trust, or safe-deposit box, or an heir, or, upon a decision issued by a competent judicial authority in a current litigation, or due to one of the permissible situations pursuant to the provisions of the Banking Law. This prohibition shall remain in effect even if the relationship between the bank and the client has terminated for any reason whatsoever.

Articles 17, 18(b), and 23 of the Credit Information Law No. 15 of 2010 collectively place an emphasis that credit information shall remain confidential save for exceptional occasions determined by law, such as cases where an explicit written permission from the data subject exists or an official approval to exchange data with another qualified data company.

Articles 3 and 5 of the Law of Electronic Crimes No. 27 of 2015 (only available in Arabic here) criminalise any unauthorised access to an information system if the purpose behind such mischief is to leak stored data in part or in full.

Article 25 of the Electronic Transactions Act No. 15 of 2015 (only available in Arabic here) states that any institution engaged in the authentication of documents shall be penalised by the payment of a fine amounting to JOD 100,000 (approx. €120,000) if it discloses the secrets of any clients.

Under the Medical and Health Accountability Law No. 25 of 2018 (only available in Arabic here), service providers are prohibited from disclosing the secrets of the recipient of the service while practicing the profession or because of it, whether the recipient of the service has entrusted the service provider with the secret of whether the service provider has realised it themselves.

Under the Financial Consumer Protection Instructions for Electronic Payments No. 03 of 2021 (only available in Arabic here) ('Financial Consumer Protection Instructions for Electronic Payments') personal data is defined in the context of electronic payments as any data through which a customer can be identified and which is provided during any of its direct or indirect dealings with electronic payment providers. The Financial Consumer Protection Instructions for Electronic Payments further provide that electronic payment providers must have all measures in place to keep such personal data confidential. However, electronic payment providers may disclose personal data:

  • if so required pursuant to law or a judicial decision;
  • with the consent of the customer;
  • as requested from the electronic payment provider's financial auditors; or
  • in order to implement a transaction, provided that such disclosure is necessary for such implementation. The CBJ may impose administrative measures or penalties in the event of non-compliance with the Financial Consumer Protection Instructions for Electronic Payments.

1.2. Guidelines

The Cloud (Services & Platforms) Policy 2020 (only available in Arabic here) ('the Cloud Services Policy') covers issues related to cloud data storages, roles and responsibilities of cloud service providers, regulatory controls for cloud services providers, contracts, network, and information security, and information privacy.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Bill is intended to apply to all relatable cases regardless of the legal status of the person, meaning that all the above will be subject to the Bill once it effectuates, except regarding deceased individuals.

2.2. Territorial scope

Current Legal Framework: According to the territorial principle, the legal effects of the Jordanian legal regime only apply to legal persons and legal cases within the territory of Jordan and does not transcend the Jordanian borders unless consented by the parties involved.

Article 22 of the Bill allows the transfer of data outside Jordan, with the following exceptions:

  • if the data storage takes all technically admissible cybersecurity measures that preclude and detect cyber-attacks;
  • if a data transfer was an application to judicial co-operation treaty that Jordan abides by;
  • if a data transfer is intended to co-operate with international organisations working in the field of crime prevention or criminal prosecution;
  • if a data transfer fulfils a legitimate interest that the Council of Ministers approves; or
  • if the data subject accepts the data transfer.

2.3. Material scope

As mentioned above, there is no hitherto promulgated legislation in Jordan that governs data processing. However, the Bill lays various general conditions for data processing as detailed hereunder:

  • the objective behind processing data shall be legitimate, clear, and determined;
  • processing data shall not go beyond the purpose for which the data is processed;
  • data shall be accurate, complete, and real-time; and
  • the process shall be consented by the data subject in principle.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Currently, the Ministry of Digital Economy and Entrepreneurship ('the Ministry') and the National Council for Cybersecurity ('the Cybersecurity Council') take the reins of regulating and managing data-related issues. Furthermore, the National Centre for Cybersecurity ('the Centre') has been established. The Centre aims to build a national cybersecurity structure to safeguard the national security of Jordan and the safety of individuals, properties, and information.

The Bill will form an independent commission ('the Commission') for personal data protection and a special unit ('the Unit') for data protection.

3.2. Main powers, duties and responsibilities

The Ministry is in charge of managing the technological and telecommunication domains in Jordan.

The Cybersecurity Council will have the following powers and duties:

  • to approve cybersecurity strategies, policies, and standards;
  • to approve plans and programs required for the Centre to carry out its duties and responsibilities including international and regional cooperation programs;
  • to approve the quarterly reports of Jordan's cybersecurity situation and the annual report of the Centre's work;
  • to form relevant coordination committees to enable the Centre to achieve its objectives, provided that its decision shall determine its tasks and duties and how to hold its meetings and take its decisions; and
  • to approve the annual budget of the Centre.

The Cybersecurity Centre, which was formed under the provision of Article 5 of the Cybersecurity Law No. 16 of 2019 (only available in Arabic here) ('the Cybersecurity Law'), aims to build, develop, and organise an effective cybersecurity system at the national level in a way that ensures the sustainability of work and the preservation of national security and the safety of people, property, and information. In order to achieve its objectives, the Centre will have the following functions and powers:

  • prepare cybersecurity strategies, policies, and standards, monitor their implementation, and develop plans and programs to implement them and submit them to the Cybersecurity Council for approval;
  • develop and implement cybersecurity operations and provide the necessary support and advice to build cybersecurity operations teams in the public and private sector, coordinate response efforts and intervene when needed; and
  • define cybersecurity standards and controls and classify cybersecurity incidents according to instructions issued for this purpose.

The Bill specifies that the Commission will be responsible for:

  • devising the policies and the strategies of data protection;
  • determining the necessary surveillance measures;
  • issuing instructions that articulate the settlement means of disputes emanated from data subjects, data controllers, and data processors; and
  • issuing instructions about the procedures and the requirements of obtaining an approval or approval cancelation.

The Bill specifies that the Unit will be responsible for:

  • providing recommended reforms to data protection laws;
  • putting forward new strategies and policies that may facilitate the enforcement and the compliance;
  • receiving complaints from stakeholders and taking the necessary legal procedures;
  • surveillance; and
  • representing the Kingdom of Jordan in regional and international events that relate to data protection.

4. Key Definitions

Data controller: Not applicable.

Data processor: Not applicable.

Personal data: Not applicable.

Sensitive data: Not applicable.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

There is no explicit legislative provision that regulates consent as a legal ground. However, it is legally admissible that data controllers process data based upon the consent of data subjects. This situation provokes two concerns:

  • the data subject may not be informed of the ability to withdraw consent; and 
  • consent might not be easily proved if disputed before courts since the evidence law does not clarify the weight of the most common e-ways used by users to express the consent (Checkboxes, 'Accept' buttons).

5.2. Contract with the data subject

Please see section on consent for further information.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

The legislator had empowered government agencies to analyse data in their databases to deduce the social transformation and market behaviour, even where there is no explicit consent from the data subject.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles 

The Bill stresses the importance of confidentiality and transparency, as well as the accuracy and the completeness of data.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

Between private entities, according to the Cloud Services Policy, Cloud Service Providers ('CSPs') must not enable any person or entity to access data without the prior clear approval from concerned beneficiary. In the event that the CSP wish to enter into a contract with a third party, the CSP must obtain the prior approval of that by the concerned beneficiary and sign a non-disclosure agreement with the third party to ensure the security of the data and systems.

Data Localisation

Article 22 of the Bill allows the transfer of data outside Jordan under the following exceptions, otherwise, data must be localised in Jordan:

  • if the data storage takes all technically admissible cybersecurity measures that preclude and detect cyberattacks;
  • if the data transfer was an application to judicial co-operation treaty that Jordan abides by;
  • if the data transfer is intended to co-operate with international organisations working in the field of crime prevention or criminal prosecution;
  • if the data transfer fulfils a legitimate interest that the Council of Ministers approves; or
  • if the data subject accepts the data transfer.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable at the moment, however, the Bill specifies that the data protection officer ('DPO') shall monitor and fulfil the following procedures:

  • observe data processors in regard with data protection and the compliance to data protection law;
  • monitor data processing and report on its legality;
  • perform periodic tests for the cybersecurity measures of databases and data processing systems and document its legality and the process outcomes; and
  • monitor the technological means used to enable data processor to access to collected data.

7.6. Data breach notification

According to Article 8/B/3 of the Cybersecurity Law, all public and private entities shall inform competent authorities of the incidence of any cyber-crime.

According to the Cloud Services Policy, CSPs shall inform the beneficiary and Telecommunications Regulatory Commission ('TRC') of any data breach or technical defects in the services provided in accordance with the contract and data, or any technical defect in the services provided in accordance with the contract concluded with it, and TRC shall coordinate and notify the concerned authorities with cybersecurity.

7.7. Data retention

There is no legal duty to store the personal data for a specific period under the current legal regime. However, the longest period that you may need to store such data is up to 15 years.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

According to the Cloud Services Policy, contracts between the beneficiary and CSPs must include the following minimum requirements:

  • full description of services to be provided, the contract's duration, payment terms, and termination.
  • details on the Service Level Agreements ('SLAs');
  • CSP's customer care services depending on a service offering.
  • beneficiaries' rights to retrieve their data stored in the CSP's system, if the cloud contract is terminated, in line with related legislations;
  • restrictions on cloud service providers if their responsibilities are unacceptably excluded or the terms of the contract are unfairly exploited, for example, damage to or loss of data, deterioration in service quality, lack of service, or data breach;
  • return/back out plan for using cloud services;
  • cases that require changing CSPs and moving to a second provider for these services;
  • penal conditions; and
  • cases where one of the parties is entitled to terminate the contract by the service provider or the beneficiary.

8. Data Subject Rights

Currently, there is no promulgated law that explicitly grants data subjects these rights.

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

The Centre may take one or all of the following procedures against whoever violates the provisions of the Cybersecurity Law, regulations, instructions, and decisions issued pursuant to and in accordance with the nature of the violation and who commits it:

  • issuing a written warning to correct the violation during a specified period of time, correcting the violation, and claiming the correction fees that the Centre has sustained from the violator;
  • blocking, cancelling, confiscating, or disabling the connection network, information system, information network, telecommunication devices, emails of the violator, suspected violator, or any party who participated in any acts that constitute a cybersecurity incident;
  • obligating the violating body to take legal procedures against the person who violated the Cybersecurity Law;
  • suspending or terminating the license of the licensee for the period the Centre finds appropriate; and
  • imposing a fine not less than JOD 500 (approx. €730) and not more than JOD 100,000 (approx. €145,380)

Whereas, the Bill imposes three different penalties:

  • fines if DPO's or data processors do not perform any of the duties prescribed under the Bill.
  • fines for anyone who has committed one of the following:
    • unconsented data transfer;
    • violated data localisation rules;
    • provided incorrect data to the database;
    • broken the cybersecurity measures; and/or
    • unauthorised access to data; and
    • data deletion might be the right discipline if the court views that.

9.1 Enforcement decisions

Not applicable.