Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Jordan: Comparing the JPDPA and the GDPR - part one

On September 17, 2023, the Jordanian Personal Data Protection Act 2023 (JPDPA), which regulates privacy in Jordan, was issued and entered into force on March 17, 2024. In issuing the JPDPA, Jordan has become one of the leading countries in the Middle East and North Africa (MENA) region to regulate and govern personal information protection rules and regulations. The JPDPA resembles the General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, aiming to protect individuals' privacy and personal data in light of economic, business, and commercial rapid growth.  

However, in examining both the GDPR and the JPDPA, it becomes evident that while both regulations share the common goal of protecting individuals' data protection, privacy, and security, there are distinguished differences in their methods, scope, and implementation. In part one of this comparative series, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in the scope, definitions, and legal bases for processing to gain an inclusive and better understanding of the two frameworks.  

Christoph Hetzmannseder/Moment via Getty Images

Scope  

Personal scope   

JPDPA: Articles 2, 3, and 4 of the JPDPA and Article 30 of the Jordanian Civil Code

Data subject 

The provisions of the JPDPA apply to any normal or sensitive personal information processing of data subjects that are natural persons, whether such data was collected or processed before or after the effectiveness of the JPDPA, within Jordan, even if the processor and/or the controller are located outside Jordan.  

Applied to living individuals 

The JPDPA has not clearly outlined whether it is applicable to deceased individuals. However, according to Section 30 of the Jordanian Civil Code, the personality of a natural person begins with their birth and ends with their death, and pursuant to Article 4 of the JPDPA, it is applicable to living natural persons.  

Applied to natural persons only 

The provisions of the JPDPA regarding the protection of information only apply to natural persons and do not apply to legal persons.  

Nationality of the data subject 

The JPDPA makes no explicit reference to its scope of application in relation to the nationality of individuals. However, the relevant provisions of the JPDPA apply to any individual, entity, organization, and/or company in Jordan. 

GDPR: Articles 3, and 4(1) and Recitals 2, 14, 22-25, and 27 

Data subject

The GDPR applies to the processing of personal data of data subjects who are physically located in the EU, whether data processors and/or controllers are located in the EU or abroad, provided that, in the latter provision, processing refers to activities related to offering goods or services to such data subjects irrespective of whether they are connected to a payment. 

Applied to living individuals 

The GDPR applies to living individuals only and does not apply to the personal data of deceased persons. However, Member States may provide for rules regarding the processing of personal data of deceased persons. 

Applied to natural persons only 

The GDPR provisions regarding the protection of information only apply to natural persons and do not apply to legal persons.  

Nationality of the data subject 

The GDPR clearly mentions that it applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality.  

Territorial scope

JPDPA: Articles 2, 4, 8, 9, 14, and 15  

Within Jordan 

The JPDPA applies to all organizations, companies, and/or entities within Jordan that collect, use, process, and/or disclose personal information of a data subject.  

Extraterritorial scope 

The JPDPA has not expressly defined its extraterritorial scope. However, after a thorough review, the JPDPA applies to data collected within Jordan, even if the processor and/or the controller are located outside Jordan. In other words, the JPDPA applies if the data is collected from individuals in Jordan, regardless of their nationality, whether or not the processor and/or data collector are in Jordan.   

GDPR: Articles 3, 4, and 11 and Recitals 2, 14, and 22-25 

Within the EU 

In general, the GDPR applies to the processing of personal data in the context of the activities of an establishment or a company in the EU, regardless of whether the processing takes place in the EU or not.  

Extraterritorial scope 

Moreover, the GDPR applies to any establishment or company operating outside the EU whereby the processing activities of such entity are intended to offer goods or services to data subjects in the EU, to monitor the data subjects' behavior which takes place in the EU, and/or whereby a Member State as defined by the GDPR applies the GDPR. 

Material scope  

The material scope includes but is not limited to the protection of personal data, including sensitive data, and governs various processing activities carried out by both data controllers and processors within the territorial scope as previously discussed. Both the GDPR and the JPDPA have regulated the material scope within various articles that can be defined as below.  

JPDPA: Articles 2-15, and 24 

Each article of the JPDPA has regulated and governed the material scope of the JPDPA, especially in Articles 2 to 15. Also, according to Article 24 of the JPDPA, bylaws shall be issued to further detail and regulate several scopes.  

Personal data definition 

The JPDPA has defined personal information as any data or information that is related to a natural person, which could lead to their direct or indirect identification, regardless of the data or information's source and/or form, including information that is related to the data subject's personality, family status, or whereabouts. This definition is for ordinary personal information.  

Types of personal data 

According to the JPDPA, there are two types of personal information which are outlined below:  

  • Ordinary personal information: As defined above.  
  • Sensitive personal information: Any data or information related to a natural person that directly or indirectly indicates their origin, ethnicity, political opinions, affiliations, religious beliefs, financial situation, health status, physical, mental, genetic, or biometric (vital) fingerprint, criminal record, or any information or data deemed sensitive by the Personal Data Protection Council (the Council) if its disclosure or misuse causes harm to the data subject. 
Processing definition 

The JPDPA has defined processing as one or more operations carried out in any form with the aim of collecting, recording, copying, storing, organizing, revising, exploiting, using, transmitting, distributing, publishing, linking with other data, making available, transferring, displaying, concealing, encoding, destroying, restricting, erasing, modifying, describing, or disclosing data by any means.  

Processing requirements 

Although data processors are not obliged to comply with formal protocols regarding data encryption, the JPDPA obliges data processors to ensure the security and privacy of personal data.  

Processing sensitive information 

While the JPDPA has applied the same provisions for processing ordinary personal data and sensitive personal data, it is crucial for data processors to assign and appoint a Data Protection Officer (DPO) to monitor the data processing.   

Assigning DPOs 

The JPDPA has explicitly mentioned that data processors are required to assign and appoint a DPO who has the capability to abide by their legal responsibility, especially in the following circumstances:  

  • if the main activity of the data processor is data processing;  
  • when processing sensitive personal data;  
  • when processing an incompetent person's personal data;  
  • when processing personal data related to credit information; and  
  • other circumstances that shall be defined in this article.  
Not applicable to personal use 

The provisions of the JPDPA do not apply to natural persons who process their data for personal purposes. 

GDPR: Articles 2-4, 9, 26, 28-32, and 37 and Recitals 15-26 

Personal data definition 

The GDPR defines personal information as any information relating to an identified or identifiable natural person. The GDPR mentions several examples of identifiable data such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.  

Processing definition 

According to the GDPR, processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.  

Processing requirements 

According to the GDPR, data processing shall only be carried out by processors who provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject, by virtue of a contract or other legal act that is binding to the processor. The GDPR sets out different measures and obligations which include, but are not limited to, ensuring an appropriate level of security to the risk, including inter alia as appropriate:  

  • the pseudonymization and encryption of personal data;  
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;  
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and  
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 
Processing sensitive information 

According to Article 9 of the GDPR and as a general rule, processing of special categories of personal data is prohibited. Such categories include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Some exceptions may be applied which include processing such special categories if explicit consent of the data subject is provided, and other exceptions as further detailed in Article 9 of the GDPR.  

Assigning DPOs 

According to the GDPR, the controller and the processor are obliged to assign a DPO in any of the following cases:  

  • processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope, and/or purposes require regular and systematic monitoring of data subjects on a large scale; or 
  • the core activities of the controller or the processor consist of the large-scale processing of special categories of data or personal data relating to criminal convictions and offenses as referred to in Article 10 of the GDPR, where such processing shall be carried out only under the control of official authority or when the processing is authorized by the EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.  
Not applicable to personal use 

The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.  

Key definitions  

Personal data 

JPDPA: Article 2  

Definition of personal information  

The JPDPA definition of personal data is described above.  

GDPR: Articles 4 and 9(1) and Recital 26 

Definition of personal information 

The GDPR definition of personal data is described above. 

Pseudonymization 

JPDPA: Articles 2 and 4 

The JPDPA has not governed the pseudonymization process. However, the JPDPA has considered concealing the processing of personal data. The data subject also has the right to erase or conceal their data under the JPDPA.  

GDPR: Article 4 

The GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. 

Controllers and processors  

JPDPA: Articles 2, 8, 9, 11, and 12  

Types of interacting personnel with personal data 

The JPDPA, in the definitions section, defines four types of personnel who interact with personal data: 

  • responsible person (controller): Any natural or legal person, whether inside or outside Jordan, to whom the data shall be entrusted. 
  • processor: The natural or legal person who specializes in data processing.  
  • observers: The natural person who is appointed to supervise the databases and processing in accordance with the provisions of the JPDPA. 
  • recipient: Any natural or legal person, whether inside or outside Jordan, to whom data is transferred or exchanged by the responsible person. 
The legal basis for controllers and processors 

Responsible persons (controllers), processors, and other entities are required to comply with the provisions of the JPDPA, subject to the permit and license requirements that would be defined by bylaws that shall be issued accordingly.  

Signing a contract to govern processing 

While the JPDPA has not required signing a contract with the processor nor the controller to govern personal data processing, the JPDPA shall be applied if the controller and/or the processor breaches any of their obligations.   

GDPR: Articles 4, 17, 28, 30, 32, 33, 35, 37, 38, 42, 43, and 58 and Recitals 64, 90, and 93 

Types of interacting personnel with personal data 

The GDPR, in the definitions section, defines four types of personnel who interact with personal data:  

  • controller: The natural or legal person who determines the purposes and means of processing personal data.  
  • processor: A natural or legal person who processes personal data on behalf of the controller.  
  • recipient: A natural or legal person to whom the personal data is disclosed, whether a third party or not. 
  • representative: A natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR.  
The legal basis for controllers and processors 

In general, controllers and processors should abide by the provisions mentioned in the GDPR. However, unlike the JPDPA, there shall be no permits or licenses for them, but rather such entities are subject to certification as defined in Article 42 of the GDPR.  

Signing a contract to govern processing 

The GDPR requires that processing by a processor is governed by a contract or other legal act under EU or Member State law.  

Children 

JPDPA: Articles 2, 5, and 11 of the JPDPA and Article 43 of the Jordanian Civil Code 

Definition 

The JPDPA does not specifically define the terms 'child' or 'children,' nor does it use these words explicitly. However, it employs a broader definition, referring to individuals who lack legal capacity and children fall into this category. According to the Jordanian Civil Code, individuals attain full legal capacity upon reaching the age of 18, and therefore any person under 18 years old is considered a child.  

Consent 

As per the JPDPA, if consent is needed concerning a child, it must be obtained from one of their parents or their legal guardian. Alternatively, the judge's approval may be sought based on a request from the specialized regulatory Personal Data Protection Unit (the Unit) within the Ministry of Digital Economy and Entrepreneurship (the Ministry) if it is in the best interest of those lacking legal capacity. The consent must be explicit and documented either in writing or electronically. 

GDPR: Articles 6, 8, 12, 40, and 57 and Recitals 38, 58, and 75  

Definition

The GDPR does not define 'child' or 'children.'  

Consent 

Under the GDPR, if consent is needed, the consent of a parent or guardian is required for a child below the age of 16. However, EU Member States can lower this age limit to 13. The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology. 

Research 

JPDPA: Article 6 

The JPDPA has considered that data processing is lawful and legitimate and may be carried out without obtaining prior consent or informing the data subject if it is necessary for scientific or historical research purposes, provided that the purpose for processing shall not be to make any decision or take any action regarding the data subject.  

GDPR: Articles 5(1)(b), 9, 14(5), 17(3), 21(6), and 89 and Recitals 33, 52, and 151-161  

Principles related to data processing include that data must be collected for specified, explicit, and legitimate purposes, including research purposes. According to the GDPR, processing of data is considered lawful if it is vital and related to public interest in the public health sector and if processing is necessary for scientific or historical research purposes while ensuring appropriate safeguards to protect individuals' rights.  

Legal basis 

JPDPA: Articles 2, 4, and 5  

The JPDPA considers consent a legal basis to process personal data and includes specific requirements on how such consent must be obtained and how it can be withdrawn. However, processing could be done directly, without the consent of the data subject, if the data is deemed necessary for the prevention or detection of crime, based on an interpretation of a judicial decision or an order of the prosecutor, to fulfill the aim of preventing, detecting, or pursuing crimes committed contrary to the provisions of the JPDPA. Processing personal data is also permitted when necessary to protect the interests of the data subject concerning issues of life, death, or vital interests, as long as it is done in a legal way or if the personal data can be obtained or is directly accessible to the public. 

GDPR: Articles 4 to 10 and Recitals 39-48 

According to the GDPR, there are several legal bases for processing personal data, which include the data subject's consent and/or if data processing is necessary:  

  • for the performance of a contract with the data subject;  
  • for compliance with a legal obligation to which the data controller is subject; 
  • to protect the vital interests of the data subject or another natural person; 
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and/or  
  • for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. 

Mariana Abudayah Legal Associate 
[email protected] 
Nsair & Partners – Lawyers, Amman