Introduction
Jordan’s Personal Data Protection Law 2023 has created a new governance framework for personal data, establishing both a Data Protection Council and a dedicated regulatory unit within the government. For local and international companies operating in Jordan, this marks a significant shift: compliance with data protection is no longer optional or based on best practice, it is now a matter of law, oversight, and enforcement.
The Role of the Data Protection Council
The newly established Data Protection Council functions as the policy and supervisory authority responsible for:
- Setting national standards for the processing of personal data
- Approving and issuing instructions and codes of practice for both public and private entities
- Supervising the Data Protection Unit, which handles licensing, investigations, and monitoring
- Reviewing complaints submitted by individuals whose rights may have been violated
- Ensuring alignment with Jordan’s broader digital transformation strategy and global privacy standards
The Council’s work ensures that individuals’ rights are protected and that companies have a clear and transparent compliance framework to follow.
Compliance Obligations for International Companies
1. Data Governance and Accountability
International companies must establish internal systems for managing personal data collected in Jordan, supported by policies on collection, use, retention, and destruction. Accountability now requires documented evidence of compliance.
2. Consent and Transparency
The law requires that individuals give explicit, informed consent before their data is processed. Companies must also provide clear privacy notices explaining:
-
What data is collected
-
The purpose and duration of processing
-
How individuals can exercise their rights
3. Data Protection Officer (DPO)
Certain organizations, especially those handling sensitive data or operating on a large scale, will be expected to appoint a Data Protection Officer in Jordan. The DPO serves as the company’s liaison with the Data Protection Council and Unit, and oversees internal compliance.
4. Cross-Border Data Transfers
Moving personal data outside Jordan requires special care. Companies must demonstrate that the destination country or the receiving entity provides adequate safeguards, or else secure explicit approval from the data subject.
5. Security and Breach Management
Organizations must implement technical and organizational measures to secure personal data. In case of a breach, they are obliged to notify both the regulator and affected individuals within defined timeframes.
6. Training and Culture
Compliance is not only about policies, it is about people. International businesses must train their staff in Jordan on data protection practices to build a culture of compliance and respect for privacy.
Strategic Implications for Multinationals
The creation of the Data Protection Council means that Jordan is moving toward a more European-style privacy model, similar in spirit to the GDPR. For multinational companies, this creates both challenges and opportunities:
Challenges: New compliance costs, stricter oversight, potential fines for non-compliance.
Opportunities: Greater consumer trust, smoother digital transactions, and a more predictable regulatory environment.
For companies already GDPR-compliant, Jordan’s framework will feel familiar — but it still requires local adaptation, particularly regarding approvals, DPO appointments, and cross-border data transfers.
Jaradat Lawyers’ Role
At Jaradat Lawyers, we assist international and local clients in:
- Conducting compliance gap assessments under Jordan’s Personal Data Protection Law
- Drafting and updating privacy notices, consent forms, and data processing agreements
- Advising on cross-border data transfers and lawful bases for processing
- Supporting the appointment and training of Data Protection Officers
- Representing companies before the Data Protection Council and Unit in case of audits or investigations
Conclusion
The establishment of Jordan’s Data Protection Council signals a new era of regulatory oversight for personal data. International companies operating in Jordan must now take active steps to achieve compliance, not only to avoid penalties but also to build trust with customers, employees, and regulators.
With nearly five decades of combined legal expertise, Jaradat Lawyers is well-positioned to guide businesses through this transition, ensuring that data protection becomes a source of strength rather than a regulatory burden.