Data Protection in Jordan
Definitions in Jordan
Ministry: The Ministry of Digital Economy and Entrepreneurship.
Minister: The Minister of Digital Economy and Entrepreneurship.
Council: The Personal Data Protection Council formed pursuant to the provisions of this law.
The Unit: The organisational unit responsible for the protection of Personal Data within the Ministry.
Personal Data: Any data or information related to a natural person that directly or indirectly identifies them, regardless of its source or form. This includes data concerning the individual, their family status, or their location.
Sensitive Personal Data: Any data or information related to a natural person that directly or indirectly indicates their origin, race, political opinions, religious beliefs, financial status, health, physical or mental condition, genetic data, biometric data, criminal record, or any information deemed sensitive by the Council if its disclosure or misuse could harm the individual concerned.
Data: Both Personal Data and Sensitive Personal Data.
Databases: Electronic or non-electronic files or records containing data.
Processing: One or more operations carried out in any form or by any means, with the purpose of collecting, recording, copying, storing, organising, revising, utilising, using, transmitting, distributing, publishing, linking to other Data, making available, transferring, displaying, concealing its identity, encoding, destroying, registering, erasing, modifying, describing, or disclosing by any and all possible means.
Data Subject: The natural person whose Data is being processed.
Controller: Any natural or legal person, located inside or outside the Kingdom, who has the Data under their custody.
Processor: The natural or legal person responsible for processing the Data.
Data Protection Officer: The appointed natural person overseeing databases and processing in accordance with the provisions of this law.
Recipient: Any natural or legal person, located inside or outside the Kingdom, to whom Data is transferred or exchanged by the controller.
Consent: The prior consent of the Data Subject for processing.
Profiling: The automated processing of Data to identify the trends, preferences, choices, or behaviours of the Data subject.
Data Breach: Any unauthorised access, process, transfer, or action on Data that compromises its security and integrity.
Registration in Jordan
Please note that under the current applicable data protection framework in Jordan, there is no general requirement for companies, whether acting as controllers of personal data or undertaking specific processing activities (including the processing of sensitive data), to register with a local data protection authority.
Accordingly, there is presently no mandatory registration obligation imposed on companies in this regard.
Data protection officers in Jordan
The Data Protection Officer is the appointed natural person overseeing databases and processing in accordance with the provisions of the law.
According to Article (11) of the Law:
- The Controller shall appoint a Data Protection Officer in the following cases:
  - If the primary activity of the Controller involves processing Personal Data.
  - When Processing Sensitive Personal Data.
  - When Processing Data of individuals who lack legal capacity.
  - When Processing Data that includes financial information.
  - When transferring to databases outside the Kingdom.
  - In any other case determined by the Council requiring the Controller to appoint a Data Protection Officer.
- The Data Protection Officer shall assume the following tasks and responsibilities:
  - Monitoring the procedures put in place by the Controller related to Data protection and documenting their compliance with the provisions of this law and related legislations.
  - Ensuring the execution of periodic assessments and reviews of database systems, data processing systems, and systems for maintaining the security, safety, and protection of data, and documenting the assessment results and issuing necessary recommendations for data protection, and monitoring the implementation of these recommendations.
  - Acting as a direct liaison with the Unit and other security and judicial authorities regarding compliance with the provisions of the law.
  - Developing internal instructions for receiving and studying complaints, Data access requests, requests for correction, erasure, hiding, or transfer of Data, and ensuring that such access is provided to the Data Subject in accordance with the provisions of the Law.
  - Enabling the Data Subject to exercise their rights as provided in this law.
  - Organising necessary training programs for the staff of the Controller and Processors to equip them to handle Data in line with the requirements of this law and the regulations and instructions issued accordingly.
  - Any other tasks or responsibilities assigned to the Data Protection Officer in accordance with the provisions of the law and the regulation and instructions issued pursuant to it.
Collection and processing in Jordan
Processing is defined in the Law as one or more operations carried out in any form or by any means, with the purpose of collecting, recording, copying, storing, organising, revising, utilising, using, transmitting, distributing, publishing, linking to other Data, making available, transferring, displaying, concealing its identity, encoding, destroying, registering, erasing, modifying, describing, or disclosing by any and all possible means.
Therefore, 'collection' of data is within the scope of Processing.
According to Article (7) of the Law, processing must meet the following requirements:
- The purpose of Processing must be lawful, specific, and clear.
- It must be aligned with the purposes for which the Data was collected.
- It must be conducted through legal means.
- It must be based on accurate, truthful, and up-to-date Data.
- It must not lead to identifying the Data subject after fulfilling its purpose.
- It must not cause harm to the Data Subject or directly or indirectly affect their rights.
- It must be carried out in a manner that ensures the confidentiality and integrity of the information and prevents any unauthorised alterations.
Transfer of personal data in Jordan
In accordance with Article (14) of the Law:
- The transfer and exchange of Data between the Controller and any other person, including the Recipient, shall not be allowed without the Consent of the Data Subject and in accordance with the following conditions:
  - The transfer serves legitimate interests of the Controller and the Recipient.
  - The Data Subject has sufficient knowledge of the purposes for which the Data will be used.
  - The transfer is not for marketing products or services unless the Data Subject has given Consent for that purpose.
- The Controller shall keep records documenting the Data that has been transferred or exchanged with the Recipient, as well as the purpose of the transfer, and document the Consent of the Data Subjects for the transfer.
- Notwithstanding paragraphs (a) and (b) of this article, the transfer and exchange of Data between public authorities shall be allowed to the extent required for the performance of their legal duties.
- The Recipient shall be subject to the same legal responsibilities and obligations as the Controller.
- The Controller, Processor, and Recipient shall ensure the safety and security of the Data and provide appropriate measures to detect and track any breach of its security and safety.
Additionally, Article (15) prohibits the transfer of data outside the Kingdom to any person, including recipients, where the level of data protection is lower than that required under the law, unless specific exceptions apply. These exceptions include transfers carried out within the framework of regional or international judicial cooperation pursuant to treaties in force in the Kingdom, cooperation with regional or international entities involved in combating crime or pursuing criminals, the exchange of medical data necessary for the treatment of the data subject, and the exchange of data related to epidemics, health crises, or matters impacting public health in the Kingdom.
Breach notification in Jordan
Article (20) of the Law stipulates the following:
- In the event of a serious breach of Data security and safety that could cause significant harm to the Data Subject, the Controller shall take the following actions:
  - Notify the affected Data Subjects, whose data has been impacted, within (24) hours from the discovery of the breach and provide them with necessary measures to avoid any consequences resulting from the breach.
  - Notify The Unit within (72) hours from the discovery of the breach about the source of the breach, its mechanism, the affected Data Subjects, and any other available information related to it.
- In case of gross negligence or misconduct, the responsible Controller shall be liable to compensate the affected Data Subject.
Furthermore, the Data Subject is to be notified of any data breach or violation regarding the security and integrity of their Data, as per Article (4/B/8).
Enforcement in Jordan
Article (21) of the Law stipulates that:
- In case of any violation of the provisions of this law, the regulations, and the instructions issued pursuant to it, the Unit shall warn the violator to cease the violation and remove its causes and effects within a period specified in the warning. If this period elapses without complying with the content of the warning, the Council, based on the Unit's recommendation, shall impose any of the following penalties:
  - Warning to suspend the license or permit partially or completely.
  - Partial or complete suspension of the license or permit.
  - Partial or complete revocation of the license or permit.
  - Imposition of a fine not exceeding (500) Dinars per day for each day the violation continues, provided that the total amount of the fine imposed does not exceed (3%) of the total annual revenues of the previous fiscal year for the violator.
- The Unit may publish a statement of the violations proven to have been committed, at the expense of the violator, through any suitable means and methods.
- The adoption of any measures delineated in Section A of this provision shall not preclude the aggrieved party from pursuing a civil action for damages arising from a breach of the terms of this law and the regulations and instructions issued pursuant to it.
Moreover, Article (22) provides that, without prejudice to any harsher penalty stipulated under other legislation, any person who violates the provisions of the law, its regulations, or the instructions issued pursuant thereto shall be subject to a monetary fine ranging from not less than one thousand (1,000) dinars to not more than ten thousand (10,000) dinars. In addition to the penalty, the relevant court, upon the request of the public prosecution, may order the destruction of data or the cancellation of the database.
Additionally, in accordance with the Civil Code, if the concerned party suffers any tortious damages, it may claim for the same in the competent court.
Electronic marketing in Jordan
There are no specific provisions on Electronic Marketing in the Data Protection Law. However, Article (14) states:
- The transfer and exchange of Data between the Controller and any other person, including the Recipient, shall not be allowed without the Consent of the Data Subject and in accordance with the following conditions:
  - The transfer serves legitimate interests of the Controller and the Recipient.
  - The Data Subject has sufficient knowledge of the purposes for which the Data will be used.
  - The transfer is not for marketing products or services unless the Data Subject has given Consent for that purpose.
Accordingly, electronic marketing is allowed subject to the prior consent of the Data Subject.