Jordan: Comparing the JPDPA and the GDPR - part two
Part one of this comparison outlined the differences in the scope, definitions, and legal bases for processing between the Jordanian Personal Data Protection Act 2023 (JPDPA) and the General Data Protection Regulation (GDPR). In part two of the comparison between the two laws, Mariana Abudayah, of Nsair & Partners – Lawyers, explores the differences in controller and processor obligations, data subject rights, and enforcement for a better understanding of the two frameworks. This article will also consider the unique challenges and compliance considerations that companies and organizations may encounter.
Controller and processor obligations
Data transfers
JPDPA: Articles 2, 4, 11, 14, and 15
Processors and/or controllers must be assured of the security measures that must be taken by the outsourced processor before transferring the data. They must also obtain the prior consent of the data subject, as transfers are prohibited without consent.
Any cross-border transfer of personal information must be to a party that has a sufficient level of data protection, namely the same level as imposed by the JPDPA and regulations, except in some cases including the following:
- judicial cooperation established under international conventions;
- international cooperation in combating crimes;
- when transferring data is essential for the patient's treatment; and
- when the data subject has approved the transfer of data after being made aware that the level of protection outside the jurisdiction is not equivalent to the level imposed by the JPDPA and regulations.
GDPR: Articles 44 to 50 and 58 and Recitals 101 and 112
The GDPR emphasizes that any transfer of personal data to a third country or international organization may only occur if the data protection requirements set out in the GDPR are complied with by the data controller and processor. If such requirements are not met, transferring data must be based on one of the requirements mentioned in the GDPR, mainly:
- explicit consent of the data subject after being informed of the associated risks;
- if data transfer is required for the performance of a contract between the data subject and the data controller;
- public interest;
- filing claims or defending them; and/or
- to protect the data subject's interests or the interests of any other person when they cannot provide the required consent.
Data processing records
JPDPA: Articles 2 and 14
Records and guidelines
Data processors and controllers are obliged to set guidelines that stipulate all procedures and policies implemented for data processing and how complaints are being monitored. Moreover, they must keep complete records of the transferred data to any entity, the purpose of the transfer, and the approval of concerned individuals.
Data retention
The processed data must not be retained after the purpose of processing has been fulfilled unless otherwise specified by legislation.
GDPR: Article 30 and Recital 82
Records and guidelines
Data processors and controllers are obliged to keep records, whether in writing or electronic form, related to their processing activities. The records required of data controllers and processors by the GDPR contain more detailed information than those required by the JPDPA.
Data retention
The processed data must not be retained after the purpose of processing has been fulfilled, emphasizing the principles of purpose limitation, storage limitation, and accountability.
Data security and data breaches
JPDPA: Articles 7 and 13
The JPDPA stresses the importance of data confidentiality, mandating technical and organizational measures to protect personal information from disclosure or misuse by data controllers and processors, and ensuring data safety, security, and the ability to detect and trace threats.
GDPR: Articles 5, 24, and 32 to 34 and Recitals 74 to 77 and 83 to 88
The GDPR recognizes confidentiality, transparency, and integrity as vital principles of protection by requiring that data be processed in a manner that ensures an appropriate level of security of such data. The GDPR also requires that controllers and processors apply and implement appropriate organizational and technical measures to ensure the data's security and to keep the processing in compliance with GDPR rules.
Accountability
JPDPA: Articles 8, 11 to 13, and 20
The JPDPA sets out the minimum legal requirements for controllers and processors, including specifications for the processing techniques, procedures, and means. Failure to fulfill the requirements set by the JPDPA can lead to sanctions.
GDPR: Articles 5, 24 to 25, 35, and 37 and Recital 39
According to the GDPR, the primary responsibility for GDPR compliance lies with data controllers. However, data processors are also subject to certain obligations and are expected to demonstrate accountability for their processing activities, including the appointment of a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments (DPIAs).
Data subject rights
JPDPA: Article 4
There are several rights concerning data subjects, mainly the following:
- to know, have access to, and obtain the data held by the data controller;
- to object and withdraw prior consent;
- to be informed;
- to correct, rectify, add, or update data;
- to restrict processing;
- to be forgotten;
- to ensure data erasure;
- to object to data processing and assess whether the data is necessary to achieve the purposes for which it was collected, or if it is more than its requirements, discriminatory, unfair, or in violation of the JPDPA;
- to request data portability; and
- to be aware of any data infringements and breaches.
A regulation shall be issued in accordance with Article 4 of the JPDPA to further clarify data subject rights and how they can be practiced.
GDPR: Articles 5 to 15, 17 to 18, 20 to 21, and 28 and Recitals 58 to 66, 68, and 73
According to the GDPR, there are several rights assigned to data subjects, providing them with adequate power and control over their personal data. These rights include:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure (right to be forgotten);
- the right to restrict processing;
- the right to data portability;
- the right to object to processing; and
- rights related to automated decision-making and profiling.
It is important to mention that such rights are subject to certain limitations and conditions set by the GDPR. Exercising these rights may also vary depending on the specific circumstances and the laws of individual EU Member States.
Enforcement
Monetary penalties
JPDPA: Articles 21 and 22
Initially, the established Personal Data Protection Unit (the Unit) will have the authority to issue a warning concerning the violation, requiring the breaching party to cease the processing within a specified period. Should this period elapse without due compliance, the Personal Data Protection Council (the Council), based on the Unit's recommendation, holds the authority to partially or completely suspend, stop, or withdraw the license or permit. Additionally, the Council has the authority to impose daily fines not exceeding JOD 500 (approx. $700) per day until the processing ceases. These fines should not exceed 3% of the defaulting processor's/controller's annual income for the previous fiscal year. Moreover, financial penalties ranging from JOD 1,000 (approx. $1,400) to JOD 10,000 (approx. $14,100) may be imposed on those violating the provisions of the JPDPA. In certain cases, where a conviction decision was issued, the court may also order the destruction or erasure of personal information. Supervisory authorities may publicize fines to enhance transparency and serve as a warning to other organizations to ensure their compliance with the JPDPA.
GDPR: Articles 83 and 84 and Recitals 148 to 149
According to the GDPR, supervisory authorities may issue fines directly. When setting sanctions, such authorities must consider certain factors including the type of violations and infringements, actions taken by the infringing party to mitigate the damages, and the degree of cooperation with the supervisory authority. Fines are based on two tiers as follows:
- up to €10 million or 2% of the annual global turnover, whichever is higher, for less severe violations such as improper recordkeeping or failure to conduct DPIAs; or
- up to €20 million or 4% of the annual global turnover, whichever is higher, for more serious violations such as infringement of data subjects' rights or failure to comply with basic principles for processing data.
Supervisory authorities may publicize fines as it may improve transparency and serve as a warning to other organizations to ensure compliance with GDPR requirements.
Supervisory authority
JPDPA: Articles 16 and 17
The JPDPA established the Council and the Unit, with the Council possessing greater authority compared to the Unit, which functions as an organizational entity. Both supervisory authorities (the Council and the Unit) and the judicial system are competent in handling data subject rights through penal and administrative procedures, as well as overseeing and implementing the JPDPA. However, the competent court holds extensive discretion in assessing actual damage, determining compensation, and issuing penalties.
According to the JPDPA, data processing shall be through permitted and licensed persons. The required procedures for such permits and licenses shall be governed by bylaws issued in accordance with the JPDPA. Some entities shall be exempted from needing to obtain such permits and licenses.
It is worth mentioning that bylaws shall be issued according to the JPDPA, and that such bylaws shall include further detailed information related to data processing, data subject rights, required permits and licenses, and other regulations in this regard.
GDPR: Articles 51 to 84 and Recitals 117 to 140
Under the GDPR, each Member State is required to establish an independent public authority, known as a supervisory authority, to oversee and enforce compliance with the GDPR within their respective jurisdictions. These supervisory authorities play a crucial role in ensuring the protection of personal data and upholding the principles of the GDPR.
Although the GDPR does not require that data controllers and processors obtain certain permits and/or licenses, it promotes the establishment of certification mechanisms and data protection seals or marks as a means for organizations to demonstrate compliance with the GDPR's requirements, which develops trust and transparency in data processing activities.
Mariana Abudayah, Legal Associate
Nsair & Partners – Lawyers, Amman