Data privacy

Introducing the Jordanian Personal Data Protection Law


The Hashemite Kingdom of Jordan has taken a significant step towards data privacy with the enactment of the Personal Data Protection Law No. 24 of 2023, effective March 17, 2024 (“the Law”). This Law establishes clear principles and requirements for natural persons or organizations ("Data Controllers")[1] processing personal data of individuals ("Data Subjects"), safeguarding their privacy and empowering them with greater control over their personal information.

Personal data and sensitive personal data are both types of data protected under the Law. Such types of data may be generally defined as any information and/or data that may be used to identify a Data Subject, their family situation, or current location, and that can provide insight into their ethnicity, nationality, opinions, and political ideology, religious beliefs, financial situation, health or mental and physical wellbeing, their genetic information, biometrics, or their criminal record.[2]

The rights provided to Data Subjects under this Law include the right to be informed[3], the right of access to personal data[4], the right to withdraw previously granted consent regarding the processing of personal data[5], and the right to rectify, alter, or update personal data[6]. Thus, when requesting to use a personal data of Data Subject, Data Controllers must identify the purpose for which personal data will be used, and how the processing of personal data shall be performed. Any consent granted for the specified usage can be revoked or limited at any time by Data Subjects, and the personal data itself may be changed, corrected, or updated as necessary. 

Moreover, Data Subjects have the right to object to the manner in which their data is processed[7], and the right to have personal data processed only within a specific scope[8]. Furthermore, the Data Subject has the right to have their personal data erased at any point in time pursuant to the provisions of Article 20 of the Law. The Data Subject is the final decision maker in how and when their personal data is transferred from one party to another pursuant to Article 21. More importantly, Article 17 establishes a notification obligation on Data Controllers who shall immediately notify Data Subjects of any violations, abuse, or breaches of the security and safeguarding of their personal data. Such obligation requires Data Controllers to set clear compliance strategy to deal with any plausible data breaches and cybersecurity threats.  The Law represents a significant milestone in safeguarding individual privacy and data rights within the Kingdom. An effective enforcement of this Law ensures that Data Subjects can actively participate in protecting their personal data and engage in informed decision-making regarding its use. Open dialogue and continued effort are crucial to ensure the Law's successful implementation and its positive impact on both individual rights and responsible corporate practices within the Jordanian economy.


[1] Organizations or natural persons can be both a Data Controller who is in possession of the data (Article 2) or a Data Processor who is responsible for processing the data (Article 2) 

[2] Article 2 of the Law.  

[3] Article 17 of the Law

[4] Article 14 of the Law 

[5] Article16 of the Law

[6] Article 18 of the Law

[7] Articles 16 and 17 of the Law

[8] Article14 of the Law.