Definition of Personal Data
There is no specific definition in the laws or the regulations.
Definition of Sensitive Personal Data
There is no specific definition in the laws or the regulations.
Personal data protection is not regulated in Jordan under a specific law at the present time. Jordan is taking serious steps to introduce legislation aimed at the protection of personal data in the near future. There is a circulated draft of the Data Protection Law. According to the latest circulated draft, the Data Protection Law will enter into force 6 months after Parliament's approval.
Details on the draft law
Within this draft law, numerous restrictions are placed on the processing of personal data, the most important and notable one being the requirement that prior consent be “explicit and in writing and shall be granted for a specified time and purpose.” The draft law also stipulates that citizens should be informed in advance of their data’s fate and the reasons for its collection. It also criminalizes the processing of data for reasons other than the purpose intended.
As for now, all communications that may contain personal information are protected and private under Article 18 of the Jordanian Constitution, which states that “All postal and telegraphic correspondence, telephonic communications, and other communications means shall be regarded as secret and shall not be subject to censorship, viewing, suspension or confiscation except by a judicial order in accordance with the provisions of the law”. Additionally, Article (7) states that personal freedom shall be protected, and that any infringement of the rights and public freedoms or sanctity of private life of Jordanians is a crime punishable by law.
Personal information protection in the public sector is not regulated in Jordan under a specific law at the present time. Article 18 of the Jordanian Constitution and the proposed draft Data Protection Law apply to both the private and public sectors.
The right of privacy is protected under the Jordanian Constitution, and generally the government does not access the personal data retained by private sector organizations. However, in accordance with the draft of the Data Protection Law, a public authority may process personal data without prior consent or notifying the person if the processing is carried out directly by a competent public authority to the extent required to carry out the tasks entrusted to it by law, or through other contracted parties, provided that the contract includes observance of all obligations and conditions stipulated in this law and the regulations and instructions issued pursuant thereto. In other words, where a governmental entity assigns its duties to another party by signing a contract for services, that contract must adhere to the provisions of the Data Protection Law.
Article (6) of the same draft provides for exceptions to the requirement of prior consent, as follows:
- Processing of personal data is legal and legitimate and may be conducted without prior approval or notification of the person concerned in the following cases:
- Processing carried out directly by a competent public authority to the extent required by the implementation of its functions by law or through other contractors, with the contract requiring that all obligations and conditions under this Law, and the regulations and instructions issued by virtue of the same, are observed.
- If necessary for preventive medical purposes, medical diagnosis or evaluation of health care by the licensee to engage in any medical profession.
- If necessary to protect the life of the person concerned or to protect his vital interests.
- If it is necessary to prevent or detect a crime by a competent body, or to prosecute crimes committed in violation of the provisions of the law.
- If it is required or authorized by any of the legislation or its implementation, or by a decision of the competent court.
- If they are necessary for scientific or historical research, provided that they are intended to take any decision or action on a specific person.
- If they are necessary for statistical purposes, national security requirements or for the public interest.
- If the processing is of publicly available data from the person concerned.
- Data processed after the purpose of the processing has been completed may not be retained unless legislation states otherwise.
Article (15) of the Draft law, relating to the cross-border transfer of personal data outside of the Hashemite Kingdom of Jordan, states that:
It is also worth noting that it is not permissible to transfer any personal data outside the Kingdom to any person who does not have adequate levels of personal data protection, and the level of protection implemented by the receiving party shall be deemed inadequate if it is less than what is stipulated in the Jordanian law.
However, the law further provides the following exceptions to the aforementioned rule:
- Regional or international judicial cooperation under international conventions or treaties in force in the Kingdom
- Regional or international cooperation between the Kingdom and international or regional bodies, organizations or agencies working in the field of combating crime of all kinds or prosecuting the perpetrators.
- Exchange of personal medical data of the person concerned with processing when necessary for processing and exchange of data related to epidemics or health disasters or what affects public health in the Kingdom.
- If the transfer or exchange of data is for the sake of national interest, based on a decision of the Council of Ministers.
- Availability of the consent of the concerned person for the data transfer after being informed that the level of data protection is inadequate.
Article (8) of the Draft Law goes on to specify the special conditions for the processing (which includes transferring or sharing) of personal data:
- It is prohibited to process personal data without the consent (standard of consent is set out above) of the owner of said data, unless the processing is necessary for any of the following:
- The execution of a contract to which the person concerned is a party.
- Taking steps at the request of the person concerned with the processing with the goal of concluding a contract.
- Implementation of an obligation assigned by law which is contrary to a contract obligation, or issuance of an order from a competent court.
- Protecting the vital interests of the person concerned with processing.
- The processing of personal data may not exceed the purpose for which it was collected and specified when the consent of the person concerned is taken as described in this law.
- Without breach of the provisions of the laws requiring the processor to retain personal data in his custody for a specified period of time, the data may not be kept in the custody of the processor beyond the end date of any processing.
It is impermissible to process the personal data of anyone who is incapacitated without the prior written or electronic consent of one of his parents; in the absence of a parent for any reason, the consent of the guardian legally appointed to follow up on his affairs is required.
As for the processing of sensitive personal data, the following conditions apply:
It is prohibited to process sensitive personal data without the prior approval of the concerned person, except in the following cases:
- Processing necessary to protect any human being if the concerned person, his guardian or custodian is legally unable to give his consent to this, provided that approval is first obtained from the unit.
- Processing of publicly available data.
- Processing necessary for the purposes of preventive medicine, medical diagnosis or management of health care services by a person licensed to practice any of the medical professions or any person obliged by law to maintain confidentiality.
- Processing carried out by a public official institution to the extent required to carry out its legally mandated tasks.
In all cases, a Personal Data Protection Officer must be appointed by the receiving party.
The protection officer, personal data processor and recipient of personal data are committed to ensuring the integrity and security of personal data and tracking cases of abuse of personal data security. The personal data must be handled and processed in such a way that ensures confidentiality, safety, and non-modification.
Not applicable.
No registration required.
Not applicable at present, but see details on the draft law.
Legislation in Jordan is silent in this regard; however, see details on the draft law.
The Cybercrime Law No. (27) of 2015 (‘Cybercrime Law’) generally acts to criminalise unlawful access to websites or information systems such as access without authorisation, permission or in a manner that breaches the said authorisation or permission.
Anyone who intentionally enters a computer network or an information system by any means without authorisation, or in violation of or exceeding the authorisation, shall be punished by imprisonment for a period of no less than a week and not exceeding three months, or by a fine of no less than (100) one hundred dinars and not more than (200) two hundred dinars, or both of these penalties.
If the entry stipulated above is accompanied by the intention to cancel, delete, add, destroy, disclose, damage, withhold, modify, change, transfer or copy data or information, or stop or disrupt the work of the information network or the information system, then the offender shall be imprisoned for a period of not less than three months and not exceeding one year and a fine of no less than (200) two hundred dinars and not more than (1,000) one thousand dinars.
Anyone who intentionally enters the information network or information system by any means without permission, or in violation of or exceeding authorisation with the aim of accessing data or information not available to the public and that affects national security, foreign relations of the Kingdom, public safety or the national economy shall be punished with imprisonment for a period of no less than four months and a fine of no less than (500) five hundred dinars and not more than (5000) five thousand dinars.
If the entry referred to above is accompanied by the intention of cancelling, destroying, modifying, changing, transferring, copying or disclosing such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5000) five thousand dinars.
Anyone who intentionally accesses a website to view data or information not available to the public that affects national security, the Kingdom’s foreign relations, public safety, or the national economy shall be punished by imprisonment for a period of no less than four months and a fine of no less than (500) five hundred dinars.
If the entry referred to in the paragraph directly above is accompanied by the intention to cancel, destroy, modify, change, move or copy such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5,000) five thousand dinars.
In relation to cybercrimes, the injured party shall have the right to submit a complaint before the Cybercrime Unit, and the latter shall review the complaint and transfer it to the court.
Mandatory breach notification
It is stated in the aforementioned draft Personal Data Protection law, under Article (6), that a unit will be established within the Ministry of Digital Economy and Entrepreneurship, which will be responsible for preparing a regulation that controls the process of receiving notifications and complaints regarding any violations that may affect personal data.
The second law is the “Cyber Security Law No. 16 of 2019”, which established a National Center for Cyber Security that receives complaints and reports related to cyber security and cyber security incidents. The law opened the door for further collaboration with different official entities, each according to its sphere of specialty.
The Cybersecurity Framework for Jordan Financial Sector – V. 1 – July, 2021, states that organizational-level severity rating is performed by the entity to define the point at which the incident should be treated as a disaster, and to determine escalation procedures as well as the human resources and time durations needed to recover. The entity has to notify the Central Bank of Jordan / Financial Cyber Emergency Response Team about the incident according to the following timelines:
- Initial notification within 2 hours from confirming time.
- After the closure of the incident for “Low” incidents.
- Within 8 hours from confirming the incident and one time every two business days for “Medium” incidents.
- Within 4 hours from confirming the incident and once a day for “High” incidents.
Additionally, Article (49) of the Instructions for Handling Cyber Risks No. (26/1/1/1984) for the Year 2018 stipulates that “the company shall notify the Central Bank in the event of discovering that it has been exposed to any cyber incident or any attempt of cyber-attack characterised by a high degree of danger to its systems or networks, no later than 72 hours from the moment of discovery of the cyber-event and according to the mechanism that will be adopted by the Central Bank, and inform the relevant security services of any case of embezzlement, forgery, theft or fraud resulting from the cyber event as soon as it is discovered and in accordance with the relevant laws and instructions.”
The Cybercrime Unit is the body responsible for dealing with any complaints and assigning them to the court.
In general, the court shall enforce the sanctions that are stated in the Cybercrime Law, and any other applicable laws and regulations.
The e-Procurement Instructions of 2018 mandate the use of JONEPS (Jordan Online E-Procurement System) in the implementation of public procurement.
The user of the system means the government entity, government unit, or interested party that submitted an application for registration on the electronic system and was approved by the electronic system manager.
The instructions explicitly state that the user of the system shall maintain the confidentiality of the information available in the system and take all necessary precautions and measures that would prevent the leakage of any information to any person, including the following:
- Preventing the disclosure of information to persons who are not authorised to view or disclose it, and applying the highest levels of privacy, confidentiality, security and transparency of information.
- Maintaining the security and integrity of data from alteration or modification by any party that does not have the authority to do so.
Additionally, the tenderer shall provide security controls to protect the system and devices, such as using anti-virus programs, using strong and modern programs as well as programs to detect intrusions by people or programs, and constantly updating information security programs.
Finally, the user of the system must use the system in a safe and sound manner, and bears responsibility for any wrong use by it or by its users.
Legislation in Jordan is silent in this regard.

