Jordan: Comparing the JPDPA and the GDPR - part one
On September 17, 2023, the Jordanian Personal Data Protection Act 2023 (JPDPA), which regulates privacy in Jordan, was issued, and it entered into force on March 17, 2024. In issuing the JPDPA, Jordan has become one of the leading countries in the Middle East and North Africa (MENA) region to regulate and govern personal information protection rules and regulations. The JPDPA resembles the General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018, and aims to protect individuals' privacy and personal data in light of rapid economic, business, and commercial growth.
However, in examining both the GDPR and the JPDPA, it becomes evident that while both regulations share the common goal of protecting individuals' personal data, privacy, and security, there are distinct differences in their methods, scope, and implementation. In part one of this comparative series, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in the scope, definitions, and legal bases for processing to gain an inclusive and better understanding of the two frameworks.
Scope
Personal scope
JPDPA: Articles 2, 3, and 4 of the JPDPA and Article 30 of the Jordanian Civil Code
Data subject
The provisions of the JPDPA apply to any processing of ordinary or sensitive personal information of data subjects who are natural persons, whether such data was collected or processed before or after the JPDPA entered into force, within Jordan, even if the processor and/or the controller are located outside Jordan.
Applied to living individuals
The JPDPA has not clearly outlined whether it is applicable to deceased individuals. However, according to Article 30 of the Jordanian Civil Code, the personality of a natural person begins with their birth and ends with their death, and pursuant to Article 4 of the JPDPA, it is applicable to living natural persons.
Applied to natural persons only
The provisions of the JPDPA regarding the protection of information only apply to natural persons and do not apply to legal persons.
Nationality of the data subject
The JPDPA makes no explicit reference to its scope of application in relation to the nationality of individuals. However, the relevant provisions of the JPDPA apply to any individual, entity, organization, and/or company in Jordan.
GDPR: Articles 3, and 4(1) and Recitals 2, 14, 22-25, and 27
Data subject
The GDPR applies to the processing of personal data of data subjects who are physically located in the EU, whether data processors and/or controllers are located in the EU or abroad, provided that, in the latter case, the processing relates to offering goods or services to such data subjects, irrespective of whether a payment is required.
Applied to living individuals
The GDPR applies to living individuals only and does not apply to the personal data of deceased persons. However, Member States may provide for rules regarding the processing of personal data of deceased persons.
Applied to natural persons only
The GDPR provisions regarding the protection of information only apply to natural persons and do not apply to legal persons.
Nationality of the data subject
The GDPR clearly mentions that it applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality.
Territorial scope
JPDPA: Articles 2, 4, 8, 9, 14, and 15
Within Jordan
The JPDPA applies to all organizations, companies, and/or entities within Jordan that collect, use, process, and/or disclose personal information of a data subject.
Extraterritorial scope
The JPDPA has not expressly defined its extraterritorial scope. However, on a close reading, the JPDPA applies to data collected within Jordan, even if the processor and/or the controller are located outside Jordan. In other words, the JPDPA applies if the data is collected from individuals in Jordan, regardless of their nationality, and whether or not the processor and/or data collector are in Jordan.
GDPR: Articles 3, 4, and 11 and Recitals 2, 14, and 22-25
Within the EU
In general, the GDPR applies to the processing of personal data in the context of the activities of an establishment or a company in the EU, regardless of whether the processing takes place in the EU or not.
Extraterritorial scope
Moreover, the GDPR applies to any establishment or company operating outside the EU where the processing activities of such entity are intended to offer goods or services to data subjects in the EU, to monitor the behavior of data subjects as far as it takes place in the EU, and/or where the law of a Member State applies as provided by the GDPR.
Material scope
The material scope includes but is not limited to the protection of personal data, including sensitive data, and governs various processing activities carried out by both data controllers and processors within the territorial scope as previously discussed. Both the GDPR and the JPDPA have regulated the material scope within various articles that can be defined as below.
JPDPA: Articles 2-15, and 24
The material scope of the JPDPA is regulated and governed across its articles, especially Articles 2 to 15. Also, according to Article 24 of the JPDPA, bylaws shall be issued to further detail and regulate several areas.
Personal data definition
The JPDPA has defined personal information as any data or information that is related to a natural person, which could lead to their direct or indirect identification, regardless of the data or information's source and/or form, including information that is related to the data subject's personality, family status, or whereabouts. This definition is for ordinary personal information.
Types of personal data
According to the JPDPA, there are two types of personal information which are outlined below:
- Ordinary personal information: As defined above.
- Sensitive personal information: Any data or information related to a natural person that directly or indirectly indicates their origin, ethnicity, political opinions, affiliations, religious beliefs, financial situation, health status, physical, mental, genetic, or biometric (vital) fingerprint, criminal record, or any information or data deemed sensitive by the Personal Data Protection Council (the Council) if its disclosure or misuse causes harm to the data subject.
Processing definition
The JPDPA has defined processing as one or more operations carried out in any form with the aim of collecting, recording, copying, storing, organizing, revising, exploiting, using, transmitting, distributing, publishing, linking with other data, making available, transferring, displaying, concealing, encoding, destroying, restricting, erasing, modifying, describing, or disclosing data by any means.
Processing requirements
Although data processors are not obliged to comply with formal protocols regarding data encryption, the JPDPA obliges data processors to ensure the security and privacy of personal data.
Processing sensitive information
While the JPDPA has applied the same provisions for processing ordinary personal data and sensitive personal data, it is crucial for data processors to assign and appoint a Data Protection Officer (DPO) to monitor the data processing.
Assigning DPOs
The JPDPA has explicitly mentioned that data processors are required to assign and appoint a DPO who has the capability to abide by their legal responsibility, especially in the following circumstances:
- if the main activity of the data processor is data processing;
- when processing sensitive personal data;
- when processing an incompetent person's personal data;
- when processing personal data related to credit information; and
- other circumstances to be defined pursuant to that article of the JPDPA.
Not applicable to personal use
The provisions of the JPDPA do not apply to natural persons who process their data for personal purposes.
GDPR: Articles 2-4, 9, 26, 28-32, and 37 and Recitals 15-26
Personal data definition
The GDPR defines personal information as any information relating to an identified or identifiable natural person. The GDPR mentions several examples of identifiable data such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing definition
According to the GDPR, processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Processing requirements
According to the GDPR, data processing shall only be carried out by processors who provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject, by virtue of a contract or other legal act that is binding on the processor. The GDPR sets out different measures and obligations which include, but are not limited to, ensuring a level of security appropriate to the risk, including, inter alia, as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Processing sensitive information
According to Article 9 of the GDPR and as a general rule, processing of special categories of personal data is prohibited. Such categories include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Some exceptions may be applied which include processing such special categories if explicit consent of the data subject is provided, and other exceptions as further detailed in Article 9 of the GDPR.
Assigning DPOs
According to the GDPR, the controller and the processor are obliged to assign a DPO in any of the following cases:
- processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope, and/or purposes require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of the large-scale processing of special categories of data or personal data relating to criminal convictions and offenses as referred to in Article 10 of the GDPR, where such processing shall be carried out only under the control of official authority or when the processing is authorized by the EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
Not applicable to personal use
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
Key definitions
Personal data
JPDPA: Article 2
Definition of personal information
The JPDPA definition of personal data is described above.
GDPR: Articles 4 and 9(1) and Recital 26
Definition of personal information
The GDPR definition of personal data is described above.
Pseudonymization
JPDPA: Articles 2 and 4
The JPDPA has not governed the pseudonymization process. However, the JPDPA lists concealing personal data among the processing operations it defines. The data subject also has the right to erase or conceal their data under the JPDPA.
GDPR: Article 4
The GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Controllers and processors
JPDPA: Articles 2, 8, 9, 11, and 12
Types of interacting personnel with personal data
The JPDPA, in the definitions section, defines four types of personnel who interact with personal data:
- responsible person (controller): Any natural or legal person, whether inside or outside Jordan, to whom the data shall be entrusted.
- processor: The natural or legal person who specializes in data processing.
- observers: The natural person who is appointed to supervise the databases and processing in accordance with the provisions of the JPDPA.
- recipient: Any natural or legal person, whether inside or outside Jordan, to whom data is transferred or exchanged by the responsible person.
The legal basis for controllers and processors
Responsible persons (controllers), processors, and other entities are required to comply with the provisions of the JPDPA, subject to the permit and license requirements that would be defined by bylaws that shall be issued accordingly.
Signing a contract to govern processing
While the JPDPA does not require a contract between the controller and the processor to govern personal data processing, the JPDPA applies if the controller and/or the processor breaches any of their obligations.
GDPR: Articles 4, 17, 28, 30, 32, 33, 35, 37, 38, 42, 43, and 58 and Recitals 64, 90, and 93
Types of interacting personnel with personal data
The GDPR, in the definitions section, defines four types of personnel who interact with personal data:
- controller: The natural or legal person who determines the purposes and means of processing personal data.
- processor: A natural or legal person who processes personal data on behalf of the controller.
- recipient: A natural or legal person to whom the personal data is disclosed, whether a third party or not.
- representative: A natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR.
The legal basis for controllers and processors
In general, controllers and processors should abide by the provisions of the GDPR. However, unlike under the JPDPA, no permit or license requirement applies to them; rather, such entities are subject to the certification mechanisms defined in Article 42 of the GDPR.
Signing a contract to govern processing
The GDPR requires that processing by a processor is governed by a contract or other legal act under EU or Member State law.
Children
JPDPA: Articles 2, 5, and 11 of the JPDPA and Article 43 of the Jordanian Civil Code
Definition
The JPDPA does not specifically define the terms 'child' or 'children,' nor does it use these words explicitly. However, it employs a broader definition, referring to individuals who lack legal capacity, and children fall into this category. According to the Jordanian Civil Code, individuals attain full legal capacity upon reaching the age of 18, and therefore any person under 18 years old is considered a child.
Consent
As per the JPDPA, if consent is needed concerning a child, it must be obtained from one of their parents or their legal guardian. Alternatively, the judge's approval may be sought based on a request from the specialized regulatory Personal Data Protection Unit (the Unit) within the Ministry of Digital Economy and Entrepreneurship (the Ministry) if it is in the best interest of those lacking legal capacity. The consent must be explicit and documented either in writing or electronically.
GDPR: Articles 6, 8, 12, 40, and 57 and Recitals 38, 58, and 75
Definition
The GDPR does not define 'child' or 'children.'
Consent
Under the GDPR, if consent is needed, the consent of a parent or guardian is required for a child below the age of 16. However, EU Member States can lower this age limit to 13. The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.
Research
JPDPA: Article 6
The JPDPA has considered that data processing is lawful and legitimate and may be carried out without obtaining prior consent or informing the data subject if it is necessary for scientific or historical research purposes, provided that the purpose for processing shall not be to make any decision or take any action regarding the data subject.
GDPR: Articles 5(1)(b), 9, 14(5), 17(3), 21(6), and 89 and Recitals 33, 52, and 151-161
The GDPR's processing principles require that data be collected for specified, explicit, and legitimate purposes, which include research purposes. According to the GDPR, processing of data is considered lawful if it is necessary for reasons of public interest in the area of public health, and if processing is necessary for scientific or historical research purposes, provided that appropriate safeguards protect individuals' rights.
Legal basis
JPDPA: Articles 2, 4, and 5
The JPDPA considers consent a legal basis for processing personal data and includes specific requirements on how such consent must be obtained and how it can be withdrawn. However, processing may be carried out without the consent of the data subject if it is deemed necessary for the prevention or detection of crime, based on a judicial decision or an order of the prosecutor, in order to prevent, detect, or pursue crimes committed contrary to the provisions of the JPDPA. Processing personal data is also permitted when necessary to protect the interests of the data subject concerning matters of life, death, or vital interests, as long as it is done lawfully, or if the personal data is publicly available or directly accessible to the public.
GDPR: Articles 4 to 10 and Recitals 39-48
According to the GDPR, there are several legal bases for processing personal data, which include the data subject's consent and/or if data processing is necessary:
- for the performance of a contract with the data subject;
- for compliance with a legal obligation to which the data controller is subject;
- to protect the vital interests of the data subject or another natural person;
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and/or
- for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Mariana Abudayah Legal Associate
Nsair & Partners – Lawyers, Amman