INTRODUCTION

As our lives increasingly unfold online, personal data has become the new currency of the digital age. From banking apps to healthcare platforms and e-commerce sites, vast amounts of personal information are exchanged every second. Protecting that information is no longer a luxury but a necessity for preserving public trust.

Recognizing this, Jordan took a landmark step with the enactment of the Personal Data Protection Law No. 24 of 2023 (“PDPL”), the Kingdom’s first comprehensive framework governing the collection, use, storage, and transfer of personal data.

Now, in 2025, Jordan has entered the law’s full implementation phase. The Council of Ministers has issued two pivotal regulations:

1. Regulation No. 28 of 2025 on the Disclosure of Data (“Disclosure Regulation”), and
2. Regulation No. 68 of 2025 on Organizing Data Subject Rights (“Data Subject Regulation”) -
   alongside accompanying instructions and standardized forms issued by the Ministry of Digital Economy and Entrepreneurship (“MODEE”).

Together, these instruments operationalize the PDPL’s core provisions, marking a significant step in Jordan’s digital transformation and aligning its data protection regime with global best practices.

BUILDING A FRAMEWORK FOR ACCOUNTABILITY

Under Article 2 of the PDPL, personal data is defined as any information that directly or indirectly identifies an individual, while sensitive data includes details relating to health, religion, finances, political opinions, and biometric or genetic traits. Importantly, Article 3 extends the PDPL’s scope to all data processed in Jordan, even if collected before the law’s enactment.

Oversight is divided between two authorities. Under Articles 16 and 17, the Personal Data Protection Council is empowered to issue national policies, approve DPO (as defined below) accreditations, and determine which jurisdictions offer adequate protection. Article 18 establishes the Data Protection Unit within MODEE to monitor compliance, investigate breaches, and maintain a registry of controllers, Processors, and DPOs (as defined below).

The Disclosure and Data Subject Regulations and accompanying MODEE instructions have now made these frameworks fully functional as they detail complaint-handling mechanisms, registration procedures, consent documentation standards, and the technical and organizational safeguards required of data controllers.

Collectively, they replace the fragmented privacy provisions once spread across Jordan’s sectoral laws with a unified system that embeds privacy protection into every stage of data handling.

CORE DUTIES AND COMPLIANCE OBLIGATIONS

The PDPL, together with its implementing Regulations, establishes actionable obligations and enforcement mechanisms.

Under Article 4, every individual has the right to the protection of their personal data. Article 5, reinforced by the Data Subject Regulation, requires that consent be explicit, purpose-specific, and time-bound. Controllers must document consent clearly and allow data subjects to withdraw it as easily as it was granted.

In parallel, MODEE has issued standardized forms to unify compliance practices across sectors:

1. The Pre-Consent Form, and
2. The Withdrawal of Consent Form.

These templates define the mandatory content of consent notices, including the type of data collected, purpose and duration of processing, recipients, data retention period, and contact details of the controller and DPO (as defined below). They also ensure individuals understand their rights and can revoke consent at any time without undue restriction. Together, these forms bridge the gap between the PDPL’s legal requirements and day-to-day business operations, providing controllers with a clear procedural roadmap for compliance.

Under Articles 8 and 9, controllers must adopt appropriate technical, security, and organizational measures, respond to complaints, and ensure full transparency before processing begins. They are also required to publish their complaint-handling procedures and provide data subjects with accessible means to exercise their rights, including access, correction, erasure, and objection. Entities that process sensitive, financial, or cross-border data must also appoint a Data Protection Officer (“DPO”) under Article 11, in accordance with the DPO Accreditation Criteria recently endorsed by the Council and MODEE.

TRANSFERS AND BREACH MANAGEMENT

Jordan’s new transfer and breach-management framework, now operational through the Disclosure Regulation, sets a new regional benchmark.

Under Article 14, domestic data transfers require the data subject’s explicit consent and must serve a legitimate interest of both the controller and the recipient. The data subject must also be informed of the purpose of the transfer, and all such activities must be recorded and safeguarded.

For cross-border transfers, Article 15 imposes a strict adequacy requirement: data cannot be transferred to any recipient outside Jordan unless that recipient provides a level of protection equivalent to that guaranteed by Jordanian law. Limited exceptions apply such as judicial cooperation, crime prevention, medical necessity, matters of public health, explicit informed consent after notice of inadequate protection, or cross-border financial transactions. Before initiating a transfer, controllers must verify and document the level of protection offered by the recipient and ensure that all security measures are in place. To complement this, Article 20 introduces precise breach notification deadlines: affected individuals must be notified within 24 hours, and the Data Protection Unit within 72 hours. MODEE’s implementing instructions now standardize the breach-reporting process and define the required form and content of notifications.

COMPARISON WITH THE GDPR

Although modeled on the EU General Data Protection Regulation (“GDPR”), Jordan’s PDPL and its implementing Regulations strike their own balance between regulatory rigor and practical adaptability.

As mentioned earlier, under Articles 4 and 5, the PDPL’s emphasis on time-bound, purpose-specific consent offers individuals tighter control than the GDPR’s multiple lawful bases for processing. Likewise, the PDPL’s transfer framework under Articles 14 and 15 places the full responsibility on controllers to assess adequacy , which is a stricter stance than the GDPR’s reliance on standard contractual clauses or binding corporate rules.

On enforcement, the PDPL adopts a corrective and educational approach. Instead of the GDPR’s large-scale penalties (up to €20 million or 4% of global turnover), the PDPL provides for administrative fines up to JOD 500 per day (capped at 3% of annual revenues) and criminal penalties ranging from JOD 1,000–10,000 for repeat violations. This measured approach reflects Jordan’s goal of fostering compliance through guidance and institutional oversight rather than deterrence alone.

CONCLUSION

The issuance of Jordan’s 2025 Regulations, official MODEE instructions, and standardized consent forms marks the PDPL’s full activation, transforming it from a legislative vision into an enforceable, operational framework. For organizations, this development signals the time to act: mapping data flows, reviewing consent mechanisms, registering controllers and DPOs, adopting breach-response procedures, and ensuring cross-border transfers comply with the new adequacy and documentation requirements.

At Atwan Attorneys, we assist clients in every stage of PDPL compliance, from gap assessments and registration to drafting privacy notices and transfer policies that meet both Jordanian and international standards.

The PDPL and its 2025 Regulations together represent not only a legal milestone but a cultural transformation: one that positions Jordan at the forefront of privacy, transparency, and digital governance in the Middle East.

Published by: Zaid Murrar - Trainee Lawyer