Data protection & privacy laws in Jordan (2026)

Law No. 24 of 2023 was published in the Official Gazette on 17 September 2023 and entered into force six months later on 17 March 2024. A one-year grace period for compliance elapsed on 17 March 2025.

A Data Protection Council — chaired by the Minister of Digital Economy and Entrepreneurship and including the Information Commissioner, Human Rights Commissioner-General, National Cyber Security Centre Chairman, Central Bank representative, and security agency representatives — sets national standards and hears individual complaints. An operational Data Protection Unit within the Ministry handles day-to-day compliance monitoring. The Unit's implementing regulation was approved in 2025.

Processing personal data requires prior written consent from the data subject specifying purpose and duration, unless another legal basis applies. Consent must be in clear, plain language; it may be withdrawn at any time.

The PDPL grants rights to: be informed; access personal data; withdraw consent; rectify, update, or erase data; portability (obtain and transfer a copy); object to unnecessary, excessive, or discriminatory processing/profiling; and be notified of a breach affecting their data.

Controllers must notify affected data subjects within 24 hours of discovering a breach likely to cause serious harm. Appointment of a Data Protection Officer is mandatory where core activities involve processing sensitive data, data of legally incapacitated persons, financial data, or data destined for cross-border transfer.

Personal data may not be transferred outside Jordan to jurisdictions offering a lower level of protection than the PDPL, with exceptions for judicial cooperation, criminal investigations, or explicit informed consent. Fines range from JOD 1,000 to JOD 10,000, doubled for repeat violations; courts may additionally order database deletion or data destruction.