Jordanian Personal Data Protection Law In Force

Jordan's Personal Data Protection Law of 2023: Safeguarding Privacy in the Digital Era

In an era where personal information is increasingly valuable and vulnerable, Jordan has taken a significant step to protect its citizens' privacy with the enactment of the Personal Data Protection Law of 2023. This law aims to regulate the processing of personal data, ensuring individuals have control over their information while also allowing for necessary data usage in various sectors.

Defining Key Terms

The law begins by defining crucial terms such as "Personal Data" and "Sensitive Personal Data." Personal Data encompasses any information related to a natural person that could identify them directly or indirectly. Sensitive Personal Data includes details such as origin, race, political opinions, health status, and more, recognizing the heightened sensitivity and potential risks associated with this type of data.

Rights of the Concerned Person

Central to this law is the recognition of individuals' rights over their data. Every natural person has the right to protect their data, ensuring it is not processed without their prior consent, except in specific cases authorized by law. In particular, the concerned person enjoys a range of rights, including:

• Accessing and obtaining their data from the official

• Withdrawing prior consent

• Correcting, amending, or updating their data

• Objecting to processing and diagnosis if unnecessary or unfair

• Transferring a copy of their data to another official

• Being informed of any breaches of data security and integrity

Conditions for Processing

The law outlines lawful conditions for processing personal data without prior consent. This includes scenarios such as processing by a public entity for their tasks, preventive medical purposes, protection of life or vital interests, crime prevention or detection, compliance with legislation, and more. Additionally, data processed for scientific research or statistical purposes, not affecting specific individuals, is permitted.

Responsibilities of Data Handlers

Entities responsible for processing data, such as administrators and processors, bear significant responsibilities under this law, in specific they must:

• Take measures to protect data in their custody;

• Implement security measures to prevent breaches;

• Establish mechanisms for complaints and data access;

• Ensure accuracy and completeness of data;

• Enable concerned persons to exercise their rights;

Transparency and Consent

Transparency is a cornerstone of this law. Before processing data, the concerned person must be informed of the data, purpose, duration, processor, security measures, and diagnosis involved. Processing must have a legitimate, specific purpose, and consent must be explicit, specific, and not based on deceptive practices.

Data Transfer and Cross-Border Flow

Transferring data to recipients, whether within or outside the Kingdom, requires the concerned person's consent and adherence to specific conditions. The law emphasizes that data cannot be transferred outside Jordan if the recipient country offers lower data protection standards than those in the Kingdom, except in limited circumstances such as international cooperation on crime prevention or health emergencies.

Governance and Oversight

A significant aspect of this law is the establishment of the Personal Data Protection Board. Chaired by the Minister of Digital Economy and Entrepreneurship, this board comprises various members, including the Information Commissioner and representatives from cybersecurity and human rights entities.

Enforcement and Penalties

To ensure compliance, the law outlines penalties for violations. Violators may face fines, suspension or revocation of licenses, and even court-ordered destruction of data. The law empowers the Unit, responsible for data protection, to investigate violations, issue warnings, and recommend penalties to the Board.

Transition Period and Regulations

Recognizing the need for adjustment, entities handling data before the law's enactment have one year to align with its provisions. The Cabinet is tasked with issuing detailed regulations for implementing the law. These regulations will cover various aspects, including types of licenses, conditions for consent, data disclosure rules, and more.

Conclusion

Jordan's Personal Data Protection Law of 2023 is an important step towards in the digital age. It strikes a balance between protecting individuals' data and facilitating legitimate data processing activities vital for societal and economic functions. With robust rights for concerned persons, stringent responsibilities for data handlers, and the oversight of the Personal Data Protection Board, this law sets a comprehensive framework to safeguard privacy and ensure responsible data use in Jordan. As the digital landscape evolves, this law provides a solid foundation for data protection and privacy rights in the Kingdom.

What Next!

Further regulations are expected to be issued , including:

1. types of licenses and permits;

2. licenses and permits requirements and conditions;

Companies should prioritize compliance with the law's stringent requirements regarding the processing and protection of personal data. This includes obtaining explicit and specific consent before processing data, ensuring transparency in data processing activities, implementing robust security measures to prevent breaches, and respecting individuals' rights over their data. Compliance not only mitigates legal risks but also builds trust with customers and stakeholders in this digital age where data privacy is paramount.