Data Protection in Jordan

Data protection laws in Jordan

Personal data protection is regulated in Jordan under the Law of Personal Data Protection No. (24) of the Year 2023 (the “Law”). Jordan took serious steps to enact this legislation, which is aimed at the protection of personal data. The Data Protection Law was published in the Official Gazette no. 5881, page 4338, on 17 September 2023.

Details on the law

Within this Law, numerous restrictions are placed on the processing of personal data, the most important and notable one being the requirement that prior consent be “explicit and documented in writing or electronically, it should also be specific in terms of duration and purpose.” The Law also stipulates that citizens should be informed in advance of the date of, and reasons for, the collection of their data. It also criminalizes the processing of data for reasons other than the purpose intended.

As for now, all communications that may contain personal information are protected and private under Article 18 of the Jordanian Constitution, which states that “All postal and telegraphic correspondence, telephonic communications, and other communications means shall be regarded as secret and shall not be subject to censorship, viewing, suspension or confiscation except by a judicial order in accordance with the provisions of the law”. Additionally, Article (7) states that personal freedom shall be protected, and that any infringement of the rights and public freedoms or sanctity of private life of Jordanians is a crime punishable by law.  

Personal information protection in the public sector is regulated in Jordan under a specific law. Article 18 of the Jordanian Constitution, in addition to the Data Protection Law, is applicable to both the private and public sectors.

The right of privacy is protected under the Jordanian Constitution and the Law of Personal Data Protection. In accordance with the Data Protection Law, a public authority may process personal data without prior consent or notifying the person if the processing is carried out directly by a competent public authority to the extent required to carry out the tasks entrusted to it by law, or through other contracted parties, provided that, where a governmental entity assigns its duties to another party to provide it services by signing a contract, this contract adheres to the provisions of the Data Protection Law. This includes observance of all obligations and conditions stipulated in this law and the regulations and instructions issued pursuant thereto.

Article (6) of the same Law provides for exceptions to the requirement of prior consent, as follows:

  1. Processing carried out directly by a competent Public entity to the extent required to carry out the tasks entrusted to it in accordance with the provisions of the legislation in force or through other contracting parties provided that the contract includes compliance with all obligations and conditions stipulated in this Law and the regulations and instructions issued pursuant thereto.
  2. If necessary for preventive medical purposes, medical diagnosis or the provision of health care by a licensee licensed to practice any of the medical professions.
  3. If necessary to protect the life of the concerned person or his vital interests.
  4. If necessary for the prevention of a crime or for its detection by a competent authority for the prosecution of crimes committed in violation of the provisions of the Law.
  5. If required or authorized by virtue of any legislation or in implementation thereof or by virtue of a decision of the competent court.
  6. If required for the purposes of the entities subject to the control and supervision of the Central Bank of Jordan to carry out their activities as determined by the Central Bank of Jordan including the transfer and exchange of data inside or outside the Kingdom.
  7. The treatment carried out in accordance with the provisions of the Regulations issued pursuant to the provisions of this Law.
  8. If necessary for the purposes of scientific or historical research if they are not intended to take any decision or action with respect to a specific person.  
  9. If necessary for statistical purposes or national security requirements or to achieve the public interest.
  10. If the subject of the processing is publicly available data from the Person concerned.

Article (15) of the law, relating to the cross-border transfer of personal data outside of the Hashemite Kingdom of Jordan, states that:  

  1. Regional or international judicial cooperation under international conventions or treaties in force in the Kingdom.
  2. Regional or international cooperation between the Kingdom and international or regional bodies, organizations or agencies working in the field of combating crime of all kinds or prosecuting the perpetrators.
  3. Exchange of personal medical data of the person concerned with processing when necessary for processing and exchange of data related to epidemics or health disasters or what affects public health in the Kingdom.
  4. Exchange of data related to epidemics or health disasters or what affects public health in the Kingdom.
  5. Transfer may occur if the concerned individual provides explicit consent after being informed that an adequate level of protection is unavailable.
  6. Transactions involving banking operations and money transfers outside the Kingdom.

Before initiating the Data transfer, the Official is obligated to verify the level of protection guaranteed by the Recipient outside the Kingdom, ensuring the safety and security of the Data.

Article (7) of the Law goes on to specify the special conditions for the processing (which includes transferring or sharing) of personal data. It is prohibited to process personal data without consent (the standard of consent is set out above).

It is impermissible to process the personal data of anyone who is incapacitated without the prior written or electronic consent of one of his parents; in the absence of a parent for any reason, the consent of the guardian legally appointed to follow up on his affairs is taken.

As for the processing of sensitive personal data, the following conditions apply. As per Article (6) of the Law, it is prohibited to process sensitive personal data without the prior approval of the concerned person, except in the following cases:

  1. Processing carried out directly by a competent Public entity to the extent required to carry out the tasks entrusted to it in accordance with the provisions of the legislation in force or through other contracting parties provided that the contract includes compliance with all obligations and conditions stipulated in this Law and the regulations and instructions issued pursuant thereto.
  2. If necessary for preventive medical purposes, medical diagnosis or the provision of health care by a licensee licensed to practice any of the medical professions.
  3. If necessary to protect the life of the concerned person or his vital interests.
  4. If necessary for the prevention of a crime or for its detection by a competent authority for the prosecution of crimes committed in violation of the provisions of the Law.
  5. If required or authorized by virtue of any legislation or in implementation thereof or by virtue of a decision of the competent court.
  6. If required for the purposes of the entities subject to the control and supervision of the Central Bank of Jordan to carry out their activities as determined by the Central Bank of Jordan including the transfer and exchange of data inside or outside the Kingdom.
  7. The treatment carried out in accordance with the provisions of the Regulations issued pursuant to the provisions of this Law.
  8. If necessary for the purposes of scientific or historical research if they are not intended to take any decision or action with respect to a specific person. 
  9. If necessary for statistical purposes or national security requirements or to achieve the public interest.
  10. If the subject of the processing is publicly available data from the Person concerned.

The protection officer, personal data processor and recipient of personal data are committed to ensuring the integrity and security of personal data and tracking cases of abuse of personal data security. The personal data must be handled and processed in such a way that ensures confidentiality, safety, and non-modification.
